From 7e0474b3bb7375342289a06c41318d9864007b40 Mon Sep 17 00:00:00 2001
From: Nima Kaviani <17132353+nimakaviani@users.noreply.github.com>
Date: Thu, 15 Aug 2024 16:46:47 -0700
Subject: [PATCH 01/20] update package-dir -> package (#29)

Signed-off-by: Nima Kaviani <nkaviani@amazon.com>
---
 crossplane-integrations/README.md                  |  6 +++---
 local-backup/README.md                             | 10 +++++-----
 localstack-integration/README.md                   |  4 ++--
 ref-implementation/README.md                       |  7 +------
 ref-implementation/codespaces.md                   |  6 ++++--
 .../external-secrets/generate-manifests.sh         |  6 +++---
 ref-implementation/replace.sh                      | 14 +++++++-------
 terraform-integrations/README.md                   |  4 ++--
 8 files changed, 27 insertions(+), 30 deletions(-)

diff --git a/crossplane-integrations/README.md b/crossplane-integrations/README.md
index 4d1e182..86dc284 100755
--- a/crossplane-integrations/README.md
+++ b/crossplane-integrations/README.md
@@ -7,8 +7,8 @@ Please use the below command to deploy an IDP reference implementation with an A
 ```bash
 idpbuilder create \
   --use-path-routing \
-  --package-dir https://github.com/cnoe-io/stacks//ref-implementation \
-  --package-dir https://github.com/cnoe-io/stacks//crossplane-integrations
+  --package https://github.com/cnoe-io/stacks//ref-implementation \
+  --package https://github.com/cnoe-io/stacks//crossplane-integrations
 ```
 ## What is installed?
 
@@ -30,7 +30,7 @@ Once you click the create button, you will have a very similar setup as the basi
 The only difference is we now have a resource for a S3 Bucket which is managed by Crossplane.
 
 Note that Bucket is **not** created because Crossplane doesn't have necessary credentials to do so.
-If you'd like it to actually create a bucket, update [the credentials secret file](crossplane-providers/provider-secret.yaml), then run `idpbuilder create --package-dir examples/ref-implementation`.
+If you'd like it to actually create a bucket, update [the credentials secret file](crossplane-providers/provider-secret.yaml), then run `idpbuilder create --package https://github.com/cnoe-io/stacks//ref-implementation`.
 
 In this example, we used Crossplane to provision resources, but you can use other cloud resource management tools such as Terraform instead.
 
diff --git a/local-backup/README.md b/local-backup/README.md
index 8a08dfc..193c27f 100644
--- a/local-backup/README.md
+++ b/local-backup/README.md
@@ -1,7 +1,7 @@
 # Local Backup with Velero and Minio
 
 This example creates a configuration that allows you to back up Kubernetes objects
-to your laptop (or wherever you are running idpbuilder from).
+to your laptop (or wherever you are running idpbuilder from). It assumes that idpBuilder is on the path and that you have cloned this repository.
 
 In short, it:
 1. Creates a [MinIO](https://min.io/) installation that mounts a local directory.
@@ -34,7 +34,7 @@ Once you've made the change, run this command from the root of this repository.
 # example: mkdir /Users/my-name/backup
 mkdir <path/to/directory> 
 
-idpbuilder create --kind-config examples/local-backup/kind.yaml --package-dir examples/local-backup/
+idpbuilder create --kind-config local-backup/kind.yaml --package local-backup/
 ```
 
 This command:
@@ -81,7 +81,7 @@ kubectl apply -f https://raw.githubusercontent.com/vmware-tanzu/velero/main/exam
 Once they are created and running, create a backup.
 
 ```bash
-kubectl apply -f examples/local-backup/demo/backup.yaml
+kubectl apply -f local-backup/demo/backup.yaml
 ```
 
 This command is equivalent to this Velero command:  `velero backup create nginx-backup --selector app=nginx`
@@ -119,7 +119,7 @@ kind delete clusters localdev && docker system prune -f
 Once it is destroyed, create it again.
 
 ```bash
-idpbuilder create --kind-config examples/local-backup/kind.yaml --package-dir examples/local-backup/
+idpbuilder create --kind-config local-backup/kind.yaml --package local-backup/
 ```
 
 Make sure everything looks good:
@@ -153,7 +153,7 @@ nginx-backup   1m
 Target this backup to restore objects.
 
 ```bash
-kubectl apply -f examples/local-backup/demo/restore.yaml
+kubectl apply -f local-backup/demo/restore.yaml
 ```
 
 This command is equivalent to `velero restore create --from-backup nginx-backup`.
diff --git a/localstack-integration/README.md b/localstack-integration/README.md
index 0f53185..e24a947 100644
--- a/localstack-integration/README.md
+++ b/localstack-integration/README.md
@@ -5,8 +5,8 @@ Please use the below command to deploy an IDP reference implementation with an A
 ```bash
 idpbuilder create \
   --use-path-routing \
-  --package-dir https://github.com/cnoe-io/stacks//ref-implementation \
-  --package-dir https://github.com/cnoe-io/stacks//localstack-integration
+  --package https://github.com/cnoe-io/stacks//ref-implementation \
+  --package https://github.com/cnoe-io/stacks//localstack-integration
 ```
 
 As you see above, this add-on to `idpbuilder` has a dependency on the [reference implementation](../ref-implementation/). This command primarily does the following:
diff --git a/ref-implementation/README.md b/ref-implementation/README.md
index 8f4705e..7c42689 100644
--- a/ref-implementation/README.md
+++ b/ref-implementation/README.md
@@ -27,7 +27,7 @@ and be configured with the new host and port. you can use the [replace.sh](repla
 
 ```bash
 idpbuilder create --use-path-routing \
-  --package-dir https://github.com/cnoe-io/stacks//ref-implementation
+  --package https://github.com/cnoe-io/stacks//ref-implementation
 ```
 
 This will take ~6 minutes for everything to come up. To track the progress, you can go to the [ArgoCD UI](https://cnoe.localtest.me:8443/argocd/applications).
@@ -43,11 +43,6 @@ This will take ~6 minutes for everything to come up. To track the progress, you
 If you don't want to install a package above, you can remove the ArgoCD Application file corresponding to the package you want to remove.
 For example, if you want to remove Spark Operator, you can delete [this file](./spark-operator.yaml).
 
-```bash
-# remove spark operator from this installation.
-rm examples/ref-implementation/spark-operator.yaml
-```
-
 The only package that cannot be removed this way is Keycloak because other packages rely on it. 
 
 
diff --git a/ref-implementation/codespaces.md b/ref-implementation/codespaces.md
index 06857ec..ba49bbb 100644
--- a/ref-implementation/codespaces.md
+++ b/ref-implementation/codespaces.md
@@ -30,9 +30,11 @@ Codespaces assigns random hostname to your specific instance. You need to make s
 Instance host name is available as an environment variable (`CODESPACE_NAME`). Let's use it to setup our host names. 
 Run the following commands to update host name and ports. Port is set to 443 because this is the port used by the browser to access your instance.
 
+Clone the [stacks](https://github.com/cnoe-io/stacks) repo.
+
 
 ```bash
-cd examples/ref-implementation 
+cd ref-implementation 
 
 ./replace.sh ${CODESPACE_NAME}-8080.${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN} 443
 
@@ -44,7 +46,7 @@ Now you are ready to run idpbuilder with reference implementation.
 ```bash
 idpbuilder create --protocol http  \
   --host ${CODESPACE_NAME}-8080.${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN} \
-  --port 8080 --use-path-routing --package-dir examples/ref-implementation
+  --port 8080 --use-path-routing --package ref-implementation
 ```
 Once idpbuilder finishes bootstrapping, you should have port 8080 forward in the port tab within Codespaces.
 
diff --git a/ref-implementation/external-secrets/generate-manifests.sh b/ref-implementation/external-secrets/generate-manifests.sh
index 1a26292..64f2f2e 100755
--- a/ref-implementation/external-secrets/generate-manifests.sh
+++ b/ref-implementation/external-secrets/generate-manifests.sh
@@ -4,9 +4,9 @@ set -e
 INSTALL_YAML="manifests/install.yaml"
 CHART_VERSION="0.9.11"
 
-echo "# EXTERNAL SECRETS INSTALL RESOURCES" > ${INSTALL_YAML}
-echo "# This file is auto-generated with 'examples/ref-impelmentation/external-secrets/generate-manifests.sh'" >> ${INSTALL_YAML}
+echo "# EXTERNAL SECRETS INSTALL RESOURCES" >${INSTALL_YAML}
+echo "# This file is auto-generated with 'ref-impelmentation/external-secrets/generate-manifests.sh'" >>${INSTALL_YAML}
 
 helm repo add external-secrets --force-update https://charts.external-secrets.io
 helm repo update
-helm template --namespace external-secrets external-secrets external-secrets/external-secrets -f values.yaml --version ${CHART_VERSION} >> ${INSTALL_YAML}
+helm template --namespace external-secrets external-secrets external-secrets/external-secrets -f values.yaml --version ${CHART_VERSION} >>${INSTALL_YAML}
diff --git a/ref-implementation/replace.sh b/ref-implementation/replace.sh
index 365a0c9..e1834e1 100755
--- a/ref-implementation/replace.sh
+++ b/ref-implementation/replace.sh
@@ -5,8 +5,8 @@
 set -e
 # Check if the new port number is provided as an argument
 if [ "$#" -ne 2 ]; then
-    echo "Usage: NEW_HOST NEW_PORT"
-    exit 1
+	echo "Usage: NEW_HOST NEW_PORT"
+	exit 1
 fi
 
 # Assign the first script argument to NEW_PORT
@@ -16,8 +16,8 @@ NEW_PORT="$2"
 # Base directory to start from, "." means the current directory
 CURRENT_DIR=$(echo "${PWD##*/}")
 if [[ ${CURRENT_DIR} != "ref-implementation" ]]; then
-  echo "please run this script from the examples/ref-implementation directory"
-  exit 10
+	echo "please run this script from the ref-implementation directory"
+	exit 10
 fi
 BASE_DIRECTORY="."
 
@@ -28,9 +28,9 @@ find "$BASE_DIRECTORY" -type f -name "*.yaml" -exec sed -i "s/cnoe\.localtest\.m
 
 # Remove hostname-port configuration if the new port is 443. Browsers strip 443 but keycloak still expects 443 in url.
 if [[ ${NEW_PORT} == "443" ]]; then
-  sed -i "/hostname-port/d" keycloak/manifests/install.yaml
-  sed -i "/hostname-admin/d" keycloak/manifests/install.yaml
-  sed -i '0,/:443/{s/:443//}' argo-workflows/manifests/dev/patches/cm-argo-workflows.yaml
+	sed -i "/hostname-port/d" keycloak/manifests/install.yaml
+	sed -i "/hostname-admin/d" keycloak/manifests/install.yaml
+	sed -i '0,/:443/{s/:443//}' argo-workflows/manifests/dev/patches/cm-argo-workflows.yaml
 fi
 
 echo "Replacement complete."
diff --git a/terraform-integrations/README.md b/terraform-integrations/README.md
index 864b5ae..ce8f561 100644
--- a/terraform-integrations/README.md
+++ b/terraform-integrations/README.md
@@ -7,8 +7,8 @@ Please use the below command to deploy an IDP reference implementation with an A
 ```bash
 idpbuilder create \
   --use-path-routing \
-  --package-dir https://github.com/cnoe-io/stacks//ref-implementation \
-  --package-dir https://github.com/cnoe-io/stacks//terraform-integrations
+  --package https://github.com/cnoe-io/stacks//ref-implementation \
+  --package https://github.com/cnoe-io/stacks//terraform-integrations
 ```
 
 As you see above, this add-on to `idpbuilder` has a dependency to the [reference implementation](../ref-implementation/). This command primarily does the following:

From 8a38e3c94b893e896b5543ee3b3112749c830cb0 Mon Sep 17 00:00:00 2001
From: omrishiv <327609+omrishiv@users.noreply.github.com>
Date: Mon, 26 Aug 2024 10:18:51 -0700
Subject: [PATCH 02/20] Jupyterhub stack (#21)

Signed-off-by: omrishiv <327609+omrishiv@users.noreply.github.com>
---
 jupyterhub/README.md                          |  17 +++
 jupyterhub/jupyterhub.yaml                    |  54 ++++++++
 .../manifests/jupyterhub-config.yaml          | 127 ++++++++++++++++++
 .../jupyterhub-external-secrets.yaml          |  20 +++
 .../manifests/jupyterhub-ingress.yaml         |  32 +++++
 5 files changed, 250 insertions(+)
 create mode 100644 jupyterhub/README.md
 create mode 100644 jupyterhub/jupyterhub.yaml
 create mode 100644 jupyterhub/jupyterhub/manifests/jupyterhub-config.yaml
 create mode 100644 jupyterhub/jupyterhub/manifests/jupyterhub-external-secrets.yaml
 create mode 100644 jupyterhub/jupyterhub/manifests/jupyterhub-ingress.yaml

diff --git a/jupyterhub/README.md b/jupyterhub/README.md
new file mode 100644
index 0000000..b1bc25f
--- /dev/null
+++ b/jupyterhub/README.md
@@ -0,0 +1,17 @@
+# Jupyterhub Stack
+
+This directory contains a Jupyterhub deployment that's integrated with Keycloak
+
+## Caveats
+1) Reliance on `ref-implementation` for SSO
+    - This is possible to work around by setting `authenticator_class` in the `jupyterhub.yaml` to `dummy`.
+
+## Components
+- Jupyterhub
+
+## Installation
+Note: The stack is configured to use Keycloak for SSO; therefore, the ref-implementation is required for this to work.
+
+`idpbuilder create --use-path-routing  -p https://github.com/cnoe-io/stacks//ref-implementation -p https://github.com/cnoe-io/stacks//jupyterhub`
+
+A `jupyterhub-config` job will be deployed into the keycloak namespace to create/patch some of the keycloak components. If deployed at the same time as the `ref-implementation`, this job will fail until the `config` job succeeds. This is normal
diff --git a/jupyterhub/jupyterhub.yaml b/jupyterhub/jupyterhub.yaml
new file mode 100644
index 0000000..4ae67c3
--- /dev/null
+++ b/jupyterhub/jupyterhub.yaml
@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: jupyterhub
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+    - repoURL: 'https://jupyterhub.github.io/helm-chart/'
+      targetRevision: 3.3.7
+      helm:
+        releaseName: jupyterhub
+        values: |
+          hub:
+            baseUrl: /jupyterhub
+            extraEnv:
+              - name: OAUTH_TLS_VERIFY # for getting around self signed certificate issue
+                value: "0"
+              - name: OAUTH_CLIENT_SECRET
+                valueFrom:
+                  secretKeyRef:
+                    name: jupyterhub-oidc
+                    key: JUPYTERHUB_OAUTH_CLIENT_SECRET
+            config:
+              GenericOAuthenticator:
+                oauth_callback_url: https://cnoe.localtest.me:8443/jupyterhub/hub/oauth_callback
+                client_id: jupyterhub
+                authorize_url: https://cnoe.localtest.me:8443/keycloak/realms/cnoe/protocol/openid-connect/auth
+                token_url: https://cnoe.localtest.me:8443/keycloak/realms/cnoe/protocol/openid-connect/token
+                userdata_url: https://cnoe.localtest.me:8443/keycloak/realms/cnoe/protocol/openid-connect/userinfo
+                scope:
+                  - openid
+                  - profile
+                username_key: "preferred_username"
+                login_service: "keycloak"
+                allow_all: true # Allows all oauth authenticated users to use Jupyterhub. For finer grained control, you can use `allowed_users`: https://jupyterhub.readthedocs.io/en/stable/tutorial/getting-started/authenticators-users-basics.html#deciding-who-is-allowed
+              JupyterHub:
+                authenticator_class: generic-oauth
+      chart: jupyterhub
+    - repoURL: cnoe://jupyterhub
+      targetRevision: HEAD
+      path: "manifests"
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: jupyterhub
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+    automated:
+      selfHeal: true
diff --git a/jupyterhub/jupyterhub/manifests/jupyterhub-config.yaml b/jupyterhub/jupyterhub/manifests/jupyterhub-config.yaml
new file mode 100644
index 0000000..1a3b330
--- /dev/null
+++ b/jupyterhub/jupyterhub/manifests/jupyterhub-config.yaml
@@ -0,0 +1,127 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: jupyterhub-config-job
+  namespace: keycloak
+data:
+  jupyterhub-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "jupyterhub",
+      "name": "Jupyterhub Client",
+      "description": "Used for Jupyterhub SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://cnoe.localtest.me:8443/jupyterhub/hub/oauth_callback"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: jupyterhub-config
+  namespace: keycloak
+spec:
+  template:
+    metadata:
+      generateName: jupyterhub-config
+    spec:
+      serviceAccountName: keycloak-config
+      restartPolicy: Never
+      volumes:
+        - name: keycloak-config
+          secret:
+            secretName: keycloak-config
+        - name: config-payloads
+          configMap:
+            name: jupyterhub-config-job
+      containers:
+        - name: kubectl
+          image: docker.io/library/ubuntu:22.04
+          volumeMounts:
+            - name: keycloak-config
+              readOnly: true
+              mountPath: "/var/secrets/"
+            - name: config-payloads
+              readOnly: true
+              mountPath: "/var/config/"
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+              set -ex -o pipefail
+              apt -qq update && apt -qq install curl jq gettext-base -y
+              
+              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              chmod +x kubectl
+              
+              echo "checking if we're ready to start"
+              set +e
+              ./kubectl get secret -n keycloak keycloak-clients &> /dev/null
+              if [ $? -ne 0 ]; then
+                exit 1
+              fi
+              set -e
+              
+              ADMIN_PASSWORD=$(cat /var/secrets/KEYCLOAK_ADMIN_PASSWORD)
+              KEYCLOAK_URL=http://keycloak.keycloak.svc.cluster.local:8080/keycloak
+              KEYCLOAK_TOKEN=$(curl -sS  --fail-with-body -X POST -H "Content-Type: application/x-www-form-urlencoded" \
+                --data-urlencode "username=cnoe-admin" \
+                --data-urlencode "password=${ADMIN_PASSWORD}" \
+                --data-urlencode "grant_type=password" \
+                --data-urlencode "client_id=admin-cli" \
+                ${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token | jq -e -r '.access_token')
+              
+              set +e
+              
+              curl --fail-with-body -H "Authorization: bearer ${KEYCLOAK_TOKEN}"  "${KEYCLOAK_URL}/admin/realms/cnoe"  &> /dev/null
+              if [ $? -ne 0 ]; then
+                exit 0
+              fi
+              set -e
+              
+              echo "creating Jupyterhub client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/jupyterhub-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "jupyterhub") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              JUPYTERHUB_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+              ./kubectl patch secret -n keycloak keycloak-clients --type=json \
+                -p='[{
+                "op" : "add" ,
+                "path" : "/data/JUPYTERHUB_CLIENT_SECRET" ,
+                "value" : "'$(echo -n "$JUPYTERHUB_CLIENT_SECRET" | base64 -w 0)'"
+                },{
+                  "op" : "add" ,
+                  "path" : "/data/JUPYTERHUB_CLIENT_ID" ,
+                  "value" : "'$(echo -n "jupyterhub" | base64 -w 0)'"
+                }]'
diff --git a/jupyterhub/jupyterhub/manifests/jupyterhub-external-secrets.yaml b/jupyterhub/jupyterhub/manifests/jupyterhub-external-secrets.yaml
new file mode 100644
index 0000000..a300333
--- /dev/null
+++ b/jupyterhub/jupyterhub/manifests/jupyterhub-external-secrets.yaml
@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-oidc
+  namespace: jupyterhub
+spec:
+  secretStoreRef:
+    name: keycloak
+    kind: ClusterSecretStore
+  target:
+    name: jupyterhub-oidc
+  data:
+    - secretKey: JUPYTERHUB_OAUTH_CLIENT_ID
+      remoteRef:
+        key: keycloak-clients
+        property: JUPYTERHUB_CLIENT_ID
+    - secretKey: JUPYTERHUB_OAUTH_CLIENT_SECRET
+      remoteRef:
+        key: keycloak-clients
+        property: JUPYTERHUB_CLIENT_SECRET
diff --git a/jupyterhub/jupyterhub/manifests/jupyterhub-ingress.yaml b/jupyterhub/jupyterhub/manifests/jupyterhub-ingress.yaml
new file mode 100644
index 0000000..94f39e3
--- /dev/null
+++ b/jupyterhub/jupyterhub/manifests/jupyterhub-ingress.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jupyterhub-ingress
+  namespace: jupyterhub
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/rewrite-target: /jupyterhub/$2
+    nginx.ingress.kubernetes.io/use-regex: 'true'
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /jupyterhub(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: proxy-public
+                port:
+                  number: 80
+    - host: localhost
+      http:
+        paths:
+          - path: /jupyterhub(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: proxy-public
+                port:
+                  number: 80

From 54500c9c8a3ede11961a5475f69e8c095827bc1d Mon Sep 17 00:00:00 2001
From: Manabu McCloskey <manabu.mccloskey@gmail.com>
Date: Wed, 11 Sep 2024 10:00:19 -0700
Subject: [PATCH 03/20] add back crossplane compositions (#33)

Signed-off-by: Manabu McCloskey <manabu.mccloskey@gmail.com>
---
 .../crossplane-compositions.yaml              | 22 +++++
 .../s3/definition.yaml                        | 76 ++++++++++++++++++
 .../s3/general-purpose.yaml                   | 80 +++++++++++++++++++
 3 files changed, 178 insertions(+)
 create mode 100755 crossplane-integrations/crossplane-compositions.yaml
 create mode 100644 crossplane-integrations/crossplane-compositions/s3/definition.yaml
 create mode 100644 crossplane-integrations/crossplane-compositions/s3/general-purpose.yaml

diff --git a/crossplane-integrations/crossplane-compositions.yaml b/crossplane-integrations/crossplane-compositions.yaml
new file mode 100755
index 0000000..51deb74
--- /dev/null
+++ b/crossplane-integrations/crossplane-compositions.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: crossplane-compositions
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: cnoe://crossplane-compositions
+    targetRevision: HEAD
+    path: "."
+    directory:
+      recurse: true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: crossplane-system
+  syncPolicy:
+    automated: {}
diff --git a/crossplane-integrations/crossplane-compositions/s3/definition.yaml b/crossplane-integrations/crossplane-compositions/s3/definition.yaml
new file mode 100644
index 0000000..b812896
--- /dev/null
+++ b/crossplane-integrations/crossplane-compositions/s3/definition.yaml
@@ -0,0 +1,76 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+  name: xobjectstorages.awsblueprints.io
+spec:
+  claimNames:
+    kind: ObjectStorage
+    plural: objectstorages
+  group: awsblueprints.io
+  names:
+    kind: XObjectStorage
+    plural: xobjectstorages
+  connectionSecretKeys:
+    - region
+    - bucket-name
+    - s3-put-policy
+  versions:
+    - name: v1alpha1
+      served: true
+      referenceable: true
+      schema:
+        openAPIV3Schema:
+          properties:
+            spec:
+              description: ObjectStorageSpec defines the desired state of ObjectStorage
+              properties:
+                resourceConfig:
+                  description: ResourceConfig defines general properties of this AWS
+                    resource.
+                  properties:
+                    deletionPolicy:
+                      description: Defaults to Delete
+                      enum:
+                        - Delete
+                        - Orphan
+                      type: string
+                    name:
+                      description: Set the name of this resource in AWS to the value
+                        provided by this field.
+                      type: string
+                    providerConfigName:
+                      type: string
+                    region:
+                      type: string
+                    tags:
+                      items:
+                        properties:
+                          key:
+                            type: string
+                          value:
+                            type: string
+                        required:
+                          - key
+                          - value
+                        type: object
+                      type: array
+                  required:
+                    - providerConfigName
+                    - region
+                    - tags
+                  type: object
+              required:
+                - resourceConfig
+              type: object
+            status:
+              description: ObjectStorageStatus defines the observed state of ObjectStorage
+              properties:
+                bucketName:
+                  type: string
+                bucketArn:
+                  type: string
+              type: object
+          type: object
diff --git a/crossplane-integrations/crossplane-compositions/s3/general-purpose.yaml b/crossplane-integrations/crossplane-compositions/s3/general-purpose.yaml
new file mode 100644
index 0000000..abee25e
--- /dev/null
+++ b/crossplane-integrations/crossplane-compositions/s3/general-purpose.yaml
@@ -0,0 +1,80 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+  name: s3bucket.awsblueprints.io
+  labels:
+    awsblueprints.io/provider: aws
+    awsblueprints.io/environment: dev
+    s3.awsblueprints.io/configuration: standard
+spec:
+  writeConnectionSecretsToNamespace: crossplane-system
+  compositeTypeRef:
+    apiVersion: awsblueprints.io/v1alpha1
+    kind: XObjectStorage
+  patchSets:
+    - name: common-fields
+      patches:
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.resourceConfig.providerConfigName
+          toFieldPath: spec.providerConfigRef.name
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.resourceConfig.deletionPolicy
+          toFieldPath: spec.deletionPolicy
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.resourceConfig.region
+          toFieldPath: spec.forProvider.region
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.resourceConfig.name
+          toFieldPath: metadata.annotations[crossplane.io/external-name]
+  resources:
+    - name: s3-bucket
+      connectionDetails:
+        - name: bucket-name
+          fromConnectionSecretKey: endpoint
+        - name: region
+          fromConnectionSecretKey: region
+      base:
+        apiVersion: s3.aws.crossplane.io/v1beta1
+        kind: Bucket
+        spec:
+          deletionPolicy: Delete
+          forProvider:
+            objectOwnership: BucketOwnerEnforced
+            publicAccessBlockConfiguration:
+              blockPublicPolicy: true
+              restrictPublicBuckets: true
+            serverSideEncryptionConfiguration:
+              rules:
+                - applyServerSideEncryptionByDefault:
+                    sseAlgorithm: AES256
+            tagging:
+              tagSet:
+                - key: cnoe
+                  value: "1"
+      patches:
+        - type: PatchSet
+          patchSetName: common-fields
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.resourceConfig.tags
+          toFieldPath: spec.forProvider.tagging.tagSet
+          policy:
+            mergeOptions:
+              appendSlice: true
+              keepMapValues: true
+        - type: FromCompositeFieldPath
+          fromFieldPath: spec.resourceConfig.region
+          toFieldPath: spec.forProvider.locationConstraint
+        - fromFieldPath: spec.writeConnectionSecretToRef.namespace
+          toFieldPath: spec.writeConnectionSecretToRef.namespace
+        - type: ToCompositeFieldPath
+          fromFieldPath: metadata.annotations[crossplane.io/external-name]
+          toFieldPath: status.bucketName
+        - type: ToCompositeFieldPath
+          fromFieldPath: status.atProvider.arn
+          toFieldPath: status.bucketArn
+        - fromFieldPath: metadata.uid
+          toFieldPath: spec.writeConnectionSecretToRef.name
+          transforms:
+            - type: string
+              string:
+                fmt: "%s-bucket"

From ec7a5f6dc377a75123a9eafd2c798ebd8219cde8 Mon Sep 17 00:00:00 2001
From: Greg Haynes <greg@greghaynes.net>
Date: Thu, 19 Sep 2024 17:02:01 -0700
Subject: [PATCH 04/20] Remove coredns config from ref-implementation (#37)

Signed-off-by: Greg Haynes <greg.haynes@autodesk.com>
---
 ref-implementation/coredns.yaml               | 21 ------------
 .../coredns/manifests/cm-coredns.yaml         | 33 -------------------
 2 files changed, 54 deletions(-)
 delete mode 100644 ref-implementation/coredns.yaml
 delete mode 100644 ref-implementation/coredns/manifests/cm-coredns.yaml

diff --git a/ref-implementation/coredns.yaml b/ref-implementation/coredns.yaml
deleted file mode 100644
index ca46cd9..0000000
--- a/ref-implementation/coredns.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: coredns
-  namespace: argocd
-  labels:
-    env: dev
-spec:
-  project: default
-  source:
-    repoURL: cnoe://coredns/manifests
-    targetRevision: HEAD
-    path: "."
-  destination:
-    server: "https://kubernetes.default.svc"
-    namespace: kube-system
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
-    automated:
-      selfHeal: true
diff --git a/ref-implementation/coredns/manifests/cm-coredns.yaml b/ref-implementation/coredns/manifests/cm-coredns.yaml
deleted file mode 100644
index 9cf733a..0000000
--- a/ref-implementation/coredns/manifests/cm-coredns.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-# the only purpose of this is to resolve external DNS entries such as `redesigned-bassoon-r4jjwpvv99vhx9gp-8080.app.github.dev` to a cluster IP
-# normally, `redesigned-bassoon-r4jjwpvv99vhx9gp-8080.app.github.dev` resolves to 127.0.0.1 and thus oidc endpoint configurations cannot be obtained.
-# in addition, we need to ensure traffic do not go out of cluster when not necessary.
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: coredns
-  namespace: kube-system
-data:
-  Corefile: |
-    .:53 {
-        errors
-        health {
-           lameduck 5s
-        }
-        ready
-    
-        rewrite name cnoe.localtest.me ingress-nginx-controller.ingress-nginx.svc.cluster.local
-    
-        kubernetes cluster.local in-addr.arpa ip6.arpa {
-           pods insecure
-           fallthrough in-addr.arpa ip6.arpa
-           ttl 30
-        }
-        prometheus :9153
-        forward . /etc/resolv.conf {
-           max_concurrent 1000
-        }
-        cache 30
-        loop
-        reload
-        loadbalance
-    }

From 148f518526368aaa8a5b70892d5efd62712aa890 Mon Sep 17 00:00:00 2001
From: Manabu McCloskey <manabu.mccloskey@gmail.com>
Date: Thu, 19 Sep 2024 17:02:47 -0700
Subject: [PATCH 05/20] add techdocs (#36)

Signed-off-by: Manabu McCloskey <manabu.mccloskey@gmail.com>
---
 .../skeleton/catalog-info.yaml                |  18 ++
 .../skeleton/docs/idpbuilder.md               |  46 +++++
 .../skeleton/docs/images/cnoe-logo.png        | Bin 0 -> 58052 bytes
 .../app-with-bucket/skeleton/docs/index.md    |  16 ++
 .../app-with-bucket/skeleton/mkdocs.yml       |   6 +
 .../argo-workflows/skeleton/catalog-info.yaml |  20 ++-
 .../skeleton/docs/argo-workflows.md           | 160 ++++++++++++++++++
 .../skeleton/docs/images/cnoe-logo.png        | Bin 0 -> 58052 bytes
 .../argo-workflows/skeleton/docs/index.md     |   9 +
 .../skeleton/docs/spark-operator.md           |  86 ++++++++++
 .../argo-workflows/skeleton/mkdocs.yml        |   8 +
 .../entities/basic/mkdocs.yml                 |   6 +
 .../entities/basic/skeleton/catalog-info.yaml |  20 ++-
 .../basic/skeleton/docs/idpbuilder.md         |  46 +++++
 .../basic/skeleton/docs/images/cnoe-logo.png  | Bin 0 -> 58052 bytes
 .../entities/basic/skeleton/docs/index.md     |  11 ++
 .../backstage/manifests/install.yaml          |   5 +-
 17 files changed, 452 insertions(+), 5 deletions(-)
 create mode 100644 ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/idpbuilder.md
 create mode 100644 ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/images/cnoe-logo.png
 create mode 100644 ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/index.md
 create mode 100644 ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/mkdocs.yml
 create mode 100644 ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/argo-workflows.md
 create mode 100644 ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/images/cnoe-logo.png
 create mode 100644 ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/index.md
 create mode 100644 ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/spark-operator.md
 create mode 100644 ref-implementation/backstage-templates/entities/argo-workflows/skeleton/mkdocs.yml
 create mode 100644 ref-implementation/backstage-templates/entities/basic/mkdocs.yml
 create mode 100644 ref-implementation/backstage-templates/entities/basic/skeleton/docs/idpbuilder.md
 create mode 100644 ref-implementation/backstage-templates/entities/basic/skeleton/docs/images/cnoe-logo.png
 create mode 100644 ref-implementation/backstage-templates/entities/basic/skeleton/docs/index.md

diff --git a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml
index 90c4e32..72d80a3 100644
--- a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml
@@ -15,6 +15,7 @@ metadata:
   name: ${{values.name | dump}}
   description: This is for testing purposes
   annotations:
+    backstage.io/techdocs-ref: dir:.
     backstage.io/kubernetes-label-selector: 'entity-id=${{values.name}}'
     backstage.io/kubernetes-namespace: default
     argocd/app-name: ${{values.name | dump}}
@@ -26,5 +27,22 @@ spec:
   owner: guest
   lifecycle: experimental
   type: service
+  system: ${{values.name | dump}}
   dependsOn:
     - resource:default/${{values.name}}-bucket
+---
+apiVersion: backstage.io/v1alpha1
+kind: System
+metadata:
+  name: ${{values.name | dump}}
+  description: An example system for demonstration purposes
+  annotations:
+    backstage.io/techdocs-ref: dir:.
+  links:
+    - url: https://github.com/cnoe-io/stacks/tree/main/ref-implementation
+      title: CNOE Repo
+      icon: github
+spec:
+  owner: guest
+  lifecycle: experimental
+  type: service
diff --git a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/idpbuilder.md b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/idpbuilder.md
new file mode 100644
index 0000000..3ec74fb
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/idpbuilder.md
@@ -0,0 +1,46 @@
+[![Codespell][codespell-badge]][codespell-link]
+[![E2E][e2e-badge]][e2e-link]
+[![Go Report Card][report-badge]][report-link]
+[![Commit Activity][commit-activity-badge]][commit-activity-link]
+
+# IDP Builder
+
+Internal development platform binary launcher.
+
+> **WORK IN PROGRESS**: This tool is in a pre-release stage and is under active development.
+
+## About
+
+Spin up a complete internal developer platform using industry standard technologies like Kubernetes, Argo, and backstage with only Docker required as a dependency.
+
+This can be useful in several ways:
+* Create a single binary which can demonstrate an IDP reference implementation.
+* Use within CI to perform integration testing.
+* Use as a local development environment for platform engineers.
+
+## Getting Started
+
+Checkout our [documentation website](https://cnoe.io/docs/reference-implementation/installations/idpbuilder) for getting started with idpbuilder.
+
+## Community
+
+- If you have questions or concerns about this tool, please feel free to reach out to us on the [CNCF Slack Channel](https://cloud-native.slack.com/archives/C05TN9WFN5S).
+- You can also join our community meetings to meet the team and ask any questions. Checkout [this calendar](https://calendar.google.com/calendar/embed?src=064a2adfce866ccb02e61663a09f99147f22f06374e7a8994066bdc81e066986%40group.calendar.google.com&ctz=America%2FLos_Angeles) for more information.
+
+## Contribution
+
+Checkout the [contribution doc](./CONTRIBUTING.md) for contribution guidelines and more information on how to set up your local environment.
+
+
+<!-- JUST BADGES & LINKS -->
+[codespell-badge]: https://github.com/cnoe-io/idpbuilder/actions/workflows/codespell.yaml/badge.svg
+[codespell-link]: https://github.com/cnoe-io/idpbuilder/actions/workflows/codespell.yaml
+
+[e2e-badge]: https://github.com/cnoe-io/idpbuilder/actions/workflows/e2e.yaml/badge.svg
+[e2e-link]: https://github.com/cnoe-io/idpbuilder/actions/workflows/e2e.yaml
+
+[report-badge]: https://goreportcard.com/badge/github.com/cnoe-io/idpbuilder
+[report-link]: https://goreportcard.com/report/github.com/cnoe-io/idpbuilder
+
+[commit-activity-badge]: https://img.shields.io/github/commit-activity/m/cnoe-io/idpbuilder
+[commit-activity-link]: https://github.com/cnoe-io/idpbuilder/pulse
diff --git a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/images/cnoe-logo.png b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/images/cnoe-logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..63b8f228ef58a42a758e570331053afc547df964
GIT binary patch
literal 58052
zcmeFZ`9G9v{68*{rH~?`;&6(H5g|JjN+C3sFl5PYWFKpjQ_5N?`&L5P_pyzovSr`*
zv9E)%jeYoDw@$s!`F`G?Kj8Ctocf`=d%2d^@_en=yt=QZOh?N`OGZXUcjxvkO)@fy
zbuzM}CDg~jo%lXaEpUV0>gLV+HaC@TB5je5S`Lp)&6UmV%^j^wHI;9WkzEfCh8tR*
zgEPs-l;rdO+2YrglJb^*U-Vspt!DdQ1GD?)`F2BB!fXo^UN<ZZ$5~wxnb`Yeby=24
z;bisa(Xi12{c4^+tkV|*1wIzs|48A-yVbU%{Go$|245nQUlvwugKZqzo{lB>%;21s
zaK~R4U(pZ8T_nH4mL)LNIi6oP{r$V7bG3IHop+l6f5>~j_m_^aPkgN$SR`=P;(9kQ
zn+F#7tozDGUJgI+%eel7Yuub{pSdQ_@F|7DZaqz}$rjCbDce}i@l)Rl$#hub8J6=}
zquvO=G*Z06n-;YHeefmK4EM%E3M!}N!4PTD&zYCG8WkJF(xcV5JF$MdzD0_|Hs1&R
z)I;-yyqQLh7H>rGIfjq<pG<&H4mrQf7PQK*IeB1SVnwsUO=ehD{@jsvMfSTX+_U`L
ztn-&N@%AeI)UGItlOulaF4fXMYL{;96<#%prFHSqj6E^UaDi-eoKGOfW0U(rj;a;k
z%f?_GOR>7ums`ctXC9M#F9}#!N%po$BtH&NxUv*DvC62OD*IjMOMJu)l92$0srI7G
z3q<S*=XxQRJ>rh5PFxiA_*)5<<7`0}VcLZ&H|l+L3VA-AG%9lT4ILk<R~-!daU`KK
zfo<x37)RKmf$VqY$lwO~>c3D6%tFSeZ@uPZu=3J3PD-U^o3;Efn{4@Et9x`|<m=__
zeKO1g>-~ECY`f5nlmqVNwzRJVOE`D=2_KYYx=S0)V+Zc8t9M{`-ui8w;|iM;I{QZw
z=UbizEwdoAc1aa_(YkOhC$qJZ_Ab;BZp{So!1BOZH-*}L3$w`4g4P<91o4x7t$nRF
zKi>D+BP6};bpp$jv=hpDoaUVWv|zIqaIPQdigRo|_-ZuMn`1O1{_w;;mCsRM{Gc{Q
z6o0Kro7TG&ssCMhO-9X3Hdz2}`zSx@qn@bt4mn37nRkhM8MVbR{k_S}2D!I34V!N{
zF8NO2CS}K3oDv)po{T)LHyjmoG;%b0!r_#lY~6(-T(eoqPRga7wu;agO1SZ`Pe7X2
z?77U>Z(q&ss?RdN_>1Nd%)?bY{d6#kVcD^|9Hd#gcg9neFHQ^g8Tmb9au1ZkkMVe=
zOb|qls@YHc#eGNaEZ1|pGLOF&i7Bo=cVz~$(X~!1w$hX)UPfNmWSQi?I{2L(39Qgq
zSm|<{%WI?`53-6YD2$#D_|`BvVM3cN%y;I*R8=A`zI3+iTzd+AVT9!rS&pah^{>b~
z`y`e@RI<5K!m;anJW`tvizFCEGmf_HS~iM3wV1#X$TDP8+&47cdA^&BkYDfi`&O-^
z&eodFfhX#_+h4?y^?6|t2fHK>@3o^{BV@&i2S*Psx*xAG?P&x6am!ry&SO<oGCpuk
zO-6p?6xmU5bp-q+^S2_SIJ_n!y9E9vBO^~F|8<9AJ@M$T>!T&m!vb|GN$?7#)dO8;
zUDbP%rbs)%M`lP9b3u1I2j~SdX?IC*X=m>Ih|}H9*4|0dU54xM4M}hf-G*^-9=_si
zBg3VudY|(q($Sn#Oi)Nrh)b51lao{0(d@CL<}IbaKL`Jl;j(mgc94X@+}zv*-9!YD
zjux=15)u+HAz_%XumE^NzzJpV{K#Fv-iiC?Aiu`BW$t9^XyxE+g|z2{#(iXhba9s9
z;({jn{paU8ovj}K&rJ4Ce{TzH5C%PgT@@69{coR{yIcKVK7*e8{OoXFKc|z129s2G
zv@!<^hL$CJRr+v(f8G0^<w--MNZz+{H@DTjWo2h>?{xT$u-J8J*#G+IfBjVNe?FBE
z75V3v|9JBEm(nnZQ2!v@Pp%x^1#FR}m4^Lhu`I3Z(#0AwGI_E)w-g?@A6XcdvpuI%
z%Dbhddc;P;JzQ+K%B$)a`xQ>y7Ugt};If#A%+cFl{~Z4m6Uina9(R|U&AsHy_tz9n
zFX<5l$A{u=!~FS8#VegR#B^_~{3$1ISU57L9r*6M+;BI1xO=#g+)}J8O)YLM{Zi)s
zj?~QE2BoKDN60CtPjbrtckv$){*#3NwBSE2_)iP|(}MrB;6E++PYeFjg8wJAfdAtC
zj4sO)FaG7)mvZOqE<f~;=~Kg+;0;qlwC0JO6J;yIhY^4aCB^#u4~fu!ebI7;m2#Ed
zWF{`3;dW@p47=yt@=~MIhG#VNmf*>gZDnM2g8w2=q~@qP1E#~+;a%GL)J2O56&<mn
z&Q`YsBgfcbD9BiT^YkfBnbYUbe?}YVXmSY=f@;4y+{N_cnSgcu($d_ET1YMdDn?HE
zQLH?H#Le*U0Hx{*c{UZ*X{xnV7soRrG1k7}cO@ghqVT+&iI@<#;YgZ)2yR<J)go0{
z`y|R{I?lH+t!bto8qApX$Pw)2oO3GwQgRFGNtd-Bd@R+U^S$5L%ME2YeRKkE=VXzS
zd*D50f@A(kA64k(V^fc=5fw?(KNfdpB*UOJ@Hm*0Uf6#BS4`CwDUT3`B{u{Z$GWxi
z*~MWR*AB_?<>?8mx~lZee=Q=6y30_UFj16ly*rV*cMp0tbDU|0kmvu;*(s=FxnK7-
zdrHmL;m)QE#9NnPRtSKhb*b?yub~%P7+-&IqYp~`CoSYh&!Lrins<xs@Uz}m#w`Hz
zVtF_d-Qt60{{5OQT3mx7DebX7SV(yKS4j_!n5`&iA=K2faYrYt{>Am{H%EK?u+-Du
z-nH@l@o9WVu>BNqs!yxfXsBm1+ndE6{PXRmKOJ_*Tq)Krv~<;$@aP!Dl{L~s&$r~|
z<q1dW<^I7r`KMJ;<QNY76h{Z=>57#2rsra|5ZN5Q04YkoMgPy3wJQ4fBo`|@$`952
zpg<-x{|e=LOa6*9po1EXfdsMd=0Dc}1o2B1zFI-L-<B~*J^St3udEhd+(W?r5~%Cj
zcK`Z*`d{2zMsTuJ-=1sPO&Ih_6jF*Q9k?WK{G5VfU3>O18|^>CXEtWbLh4#Q893|2
z73Nk*d`*Fvg)08!;_pE(Pmwd*u~c7g)O!?^|3F&#DH)mp3@1CfeDt5AQGYU^Fui}_
z#jP?$p_Y%@zsEcZ#$>p@_fH)<LO!QTv6hxb;$pSXLdKH{EFgXwU*Sv?4_}V^m)vNU
zqU5O7DiExSQAI4Sb}W|wnco7o3N!?FsQ!~m1%eK{)%FIavdng^?DsV6;{TRfp;Nr_
z|KbuE`W^p3xSy|;(#I`jzK+6yPFJ~+;&^&Og>4G#;U8f9d7An*eXOVTt=}X77m;d-
z4FN@pD>ggjnA6qeGo3EuUG0^rnObtF+mO(60P*pr7+3!1nlj#3<$PQm<*gmMr8uZ#
zm4uOM%EB|(6`oJml+PB6KTUH|mkP~~7rJfw8)7UqIH``xHl;|Yg%U1c+!a+%bGE&c
z-zRx%ZD_r(u>IUHyuLQ<7KOt4sQ3}^h5EKVQmuMmdAbaM%*5hWr8|FXrzL_@y`BBt
z?i_Kn(>fBfbP%pd;Ds~tZh0jk1u~|$3vVYfqI>=PEN7Is?T7&!9TT1soyhX@p&a)}
z*fg_Q)!=Cga*Cci@)|)drGvG<kjGMmQ|IfI^n^=D`(pWhje9lt1T(@tpCWFWla>mj
z)1+^fM75g&aw_VTgQQQHF`Mb?@i7apblP!+4fHNdKwf&(<>is2r4q)|e=Ee}(~;Oy
z)9JHS8uQGg`f+?rywu>LgBbcDxfazFtXM_x*^@$y_v1@T%~Yg!Y1x9;clQkWhU1Z@
z3`fXqV8%Zd2P!GZesMU3>GLsvt@xFdG1M4I>dhESl!D(odzmfKWa_1<xf1nCDH%h;
z#2S!r`P1a8$JR7GT<nFAeZBM7E4q)*2KP)aFvP5I{I42r!0WKKujUsx6DkOY=lbaE
ztBj<?Y;qUr?41hTO_@Qs^DO*%U!61Cd)swc3mYaUfrppoJ#l@E+iEkIE6S*qQ{Bc6
z#jaBLgN+;80R`%r)@JAZTZ0mhpg&^HM>*47b5=MFC%P<<B%jg0!LrndrX4OkLGexS
zw=x*)dM7Ypf~Qz1*LGOW3wKu_a^1G0Bd=ywxF!!4NWgv10RTpeo;um4pA=*F`EU6}
zM^R22qViOXloFIXos5*V+uc3vHO|!xc#@*(l7JE5ayZr0sD-l_2^hBrcoduXVS*+^
zV)wPMT>|!7J~T=q?~C5wdRa9|o`1zbZX13{W)*&~b+N9R^x)P84xo8h{Oomdn~R60
z`?Spi`c#a#@M=E)Kzy(BunMN6uQtq6e?}CK0tC*;2iC-;Vz*Z9Z-LddN5i<}uSUn~
z(_N@Yh>zi)^{HqVmvJjWX5qyDY;zaN-ct7PK)R*jrm76$j7{R4QsyK50C41#lVhhA
zOXGhD6!ppL7lq>EV><HJJ(jsrW@Obd91E$^-EB(7=P9G<r>ClhX0UNzE~l?M&O6oe
z4EYpG_{>T{jEDtzDwVtZ^4Cs{-%~ics=v4Y<hbnpp!K|Js{ofLtcHt}GLzL2Cl<a&
zfqUm)C_K?(Pk@&Wlofwm?4PO0Hn<lE>(rT9teD(x?(_9(xatZqd=X;!QaHQN-wZbv
zpj7H~O8*=mgM+uK<}M+a@c~isW#O=w?>W|+cO@btQa_33Vu4FCPr0_*ZPCz{{v-C$
zU~6+9<PVJA0_NxYSMFb6gLYwLRcjTf3?B1g?{v~C-5%w*Y(cOCOabmp_Hn-_S)b*>
z#^>8q?Ia?_8wrZ-p7Cj0GU@rua}VP>V}V6S!&!jP5T$Ir{uY`e<fo}07%84<*O{}U
zU#eLjGSE$m;Gb1`+PXeOvv;oJEIP#xg&l7dp<GiEsw?#VQDC@hz;g<0^*Qj)w6~_&
z*#6$?Q+WY2Y&=8iO9t1s%j&J(%Qh;ELyetI2|g?~%l*{O4-$ioaTA{YBB5ebHAq}S
z$yqu`ovU5}yZP$5^6&Lf$THX0h-&T!%#}#+YA{uPpQxBCNzg<+Mgz0E5b~@om^h|k
z%@rxWq?YwsYR`~O?&{oTeS9G>Y)`9rfKQb0+Wpxt)+RndbCJ%x$<b9#9|$ROIySUw
zpLFA>5ku+>uJl0vUiTun@;Rd@2F!v14n4QsK^yc8B`4Z<p!_DdbkNwd<jW30#*G89
zR@S{d+;;8=`CZukgV6a7hG8;@L5DIued#`P-P{~DZj1=LGqo>6A@abT4T>uv?yMfC
z3$!VZiQn~D?%bU#QGCK=Lm<MCRg4smnRH(m;}R~|Cu61#bUi--6LTG7wCi<9T1tqt
z%PDN9e!)g3d6K-2+)i<V<8(8=+Ep6&iZ5THe$!kUfwPmA!LX^ddNX%A?Ou)a;p6gD
ze-b=}%{E*_byk;43v5^;v)jjTKE-GIGf0+emFdIw62;no^H33*XuX#0%r9}hOrfOp
zAoOGQHh*$#gUHJT>^nct?%wS$7jYHt;xDqbMBO86JDt{a<wj;>ZWMoaD>`n7<cY)#
z&*Fut7DnD}yLlE_ZD39K2UtnLv(K=yfJTW&0Z+~s)0F;p4VKkLXUbY9H1;J~Wy4Zu
zw7b<*ayJl}l*Ez3!RN?{xssA+OL(_#r$B1WbuLfjwI#uIO^$E{<Fn6D{VOi?({#sw
zT=7ejg@o`6(6{h;*SRadHqcC=mNJtvwmvk{825Ry<UB3oWXx5(Mf*DmdA(%zFXy~C
zx}5+zIz5FEcT#2qccz`Uc7mzaJ{mW7Bl4qAQ3PPysHa7>J`@E78L~s8dU0|lZXWUH
z_|0!gexc}iPgYW+5f2#XNpK1|)wdTcs|oGvLwq&YCStKH-A-C&OK|g%^`YlOq4tP^
zIb(!Mc1LZkT2iNN{!nJ+h3__-YT}H<03fF6f85Wg6$<(-vBrYr;vDOE%GLniTki)K
zwRhdue3*J>Yecn;J(hUxk45Bfig9@Y?NoQ}8Gj}A3<aVYc3&CMk=FJ_@13~KESr@Z
z;<w2uE-}CUApYgu#P4O73M{XeMP}{TkL?X==!qyk3690;(523{6!9K>RlcCblD-aq
zaJ*UTtPx#Ze<QQAYOCQ^W|T5jG{al0N+VNKjDM~TV5e~dh1ZW<Gx2+Fznt^q%(IR!
zaEd}D9`;eaBaJpsL<_Qd6?<c5Dn9-)$VrLQ(%DN7?T!z5<gh5r`O_g%;*1gd=Ru&L
zEH_9KZ`8k)TANS9eybbu9i|09`4Bgr1zgadY!&iFhs~EHjk9G_4JOT%Fix_=6XJXm
zqD#kfb_h9dXEDHp=3>VqEK89d_F7fPZFyM2Kc`*l{ixq!jHsYAFD<H)8tVWEGaLK#
zDPqR{6+HwNVDMn-y%`pxl!NdKiuwnC;7%s&i?_y5yYI;{e&3cLcC4*86MeXQJL^}e
zg92=VQfHQufwl!yAp#b#@W^<5xP~rwfXyTj*kUE-YOJ)(W<GD;Rkq#Lp>&s}xf~VS
zc^@I<=2+o+X-!l4W;WV!jdb%cYUB*>Im9byf7+^}1lYdTi8<fU(I&Hlp0jFtL8Ay}
zBZ>Nm7wC$J^xBSk_i&dVi`V=rNe;VRJD%bx5`}AZA*nNGYBW5&FeBUhSvFJ=mm@bX
zrFbyp-_ozp!;br}Z{d6zb=sj=BV5Ti&v#O=*}?hUPkQRwpe<lUT)YvfpG8mpb=fB{
zRJKl`!l!uJR#u_H1;kSO7un1??CP{M6vQo-lVR!v#A;nOmwq9K>1^Hl#JN!^#Og|h
z(kA6vOGPNTheertI2pQ-85ov9edOpNkb_7h9$S0{9ZsU2^d4OLOtIZjO1UoUqcHXS
zfJ#Hg?V60Zx}9NM=54^v63yiqcJEH787~{B<t^1Hx!0DfF5NBBsHo{4zoZwt9yIPN
zq3i3ojf+(Ms=$O5GJ=_6^z9OV&ZI~gkL^=6cR87~YjTy_AfI!jlnTuB2Ka&S!Z6ME
zl_Oj3o0<o)fL@G4c*PCe=g;+;45^)Q9KgGxt9&tVd|EU?@p|<lV_OVa!ymw9f${-t
z!?rgs9?A&+MWJYf=Sk$#%6VMz3x$e_dbS`F3PSIs)Dl9@X8pE2!K>ihyKR{On|Hw8
zX*si;F_Wzf6j?Z{+S+`iq6>0#{U+;DX{WufIBv8`_^mg%#aIy5A;kK(lZ>7^6FIm(
zP#fha|7UgsW=KKy2)4n972qM9e#zzPvh?<SSqWh(9Zi5O8Yim(0=QrDF<EDmFo<p{
z*Y^!((D;GmxnR^uB};1A?M+cFRDN33LA&KwT!2xlJ5<&xHd<-VH~9(lrjy5`5rf6s
ztCZUy#ZpOaj|=_EhFzpyvJ*d7^<^Zrwk2rpwS*^<J8$z|Yur6isx=(_&J%|)-`0Vc
z$DX?i2;69D!?E5D4RQ~GYHPrKb0)x(+Om|^pF9}`-0ur&DvGV?sGcjN8wvWjg}mBx
zz*hZcVrxe(iFnZUWxkZ$qj_j~kU?B4V4O|DGn-AV-A?#(=RFQQW|dDZxNy^v(y-I1
z)r_f0Dr~BQC);)}?CDCf3J9=`RUt2HQi=W2Aw1}+prx@z_dGAdM_}d$>~qc<wOa?F
z>vaeFzBZpq^w<Gk;mZqaPES*t@Py>W;*oUb;uhdxP;9QQ52cROuzA^36o$<eNk^f!
ziT5#2?;$4=Oi8u-(Us3mBmj-MiRM4|3q|9YSk<yssTha0^1?_l`l)FMgL%1>O6=Cb
z$Ew<cQ~e&TGp<%F(Fs+S(etyoX)c;yh?U;qctC%`Py8Eg)$e#Bhg29FU$#_Tel0fI
zn>BkbVS2N1N(E3*SM|tQk93q#Fk~PosIO#KNvdXNx<r8RjU$`TD_Qs|%xqTl!*xS;
zl!rYt8q3u0nJy+H&eF?zCg9bHiq?<ywPV8(onu$p+r<eSN=U-Bfr$l7Zf@s~Yh8m3
z7%hpdh}xYPk+rOiqE5o)JPn(o!N5x2P{N{k4-XxHM&nn&F9_e7o|F7Z;LArkZFnl<
zwu7I%ab<a%$&)C)?QM;(KW8bS=Sxu1kI=ha2BcK+Nr9#ozdp@0_W0{UMhZKR;L0aL
zuuYe6`43NVH+%#P-;ts1X(Js6n|D9z{FD<ckdv49Uh{h7Zh#re7g4mP@ApMh#stOm
zkzbc2GajMa*-S{5E^@)CGby}T8j~j~n4{wL0Sb%jpj##uexgxGU1Q<Y?%Jgu`i!#2
zL#QN~^PEzI$kJBv^G$c>x`jjte=fTlU~F2rfj*;81Jd%Gx$w6ESUbb2nl1BEyv(R|
zw}amai?YBswBa}I@=%!`JA^5>LZ58l@i<Wqw~Ft?CB#dWviRF@G?nG$k{aHPg24A-
z<!uzHh6l)!6XY)RAmm@*eut`PN}9dJ8XvxNZ1E1u@%d_N1J~Hh%}o|Lr58Ou_r4hp
zi`HvTgcM2zgpIRNeLFri7Yt`U@|w@rXlbq_Y2jP>vEevgwznObRH*rFjd_4wmP3mJ
zYMmZydiE3Pasjp&toF00=FO7rA7$`Tu@{F)6}%wGH!fw9P4FDT*V>uc@$~@{UDQ?b
zpj=%~Mx)CW;R0J4@R5|XzB{dm$wK1JT1947uLe47uEgrP%;qMbvyuZ$z1?ubc!xLA
zo16BEmt1UojL4=3`|k0C=otR~it~G2U-`#1Ja&fdk1wWlc?rRi^M%)H<2cOqeI)kV
z-JpOa5&<#*9wHWhyU8vTwVgJNA!^y@DXVulPS`Pd8GPh4BAQcNJh)gGm8rwj%H6l!
zO{M0eOAna-*uTAhPn32X*j5030wkH{s0uf(VoaF5TwkEdXMfa7rxAO(`lz}QjKlC0
z?KCk!&L~n;kGXCoIz~28=Ru4>pY>ayJa;bxV!Xqs{!BPly``DV$jy^{iGcO4517-f
zf{7#2L#LlncG{z?KV|BZbEvmsQF634>qXpcrxYrZ<KlM}_cFIH3vVEl#0I^LoJ!u>
z=?z=$U78uy)j#q>On7Zzfsn`IZM9ePK>=`I56Ywbj&`U25TczXT?@TiBkB{H-I`LN
z9q+j7j~~=Z5SJb656pCD?Q|Yd?<HB6+l-9_e%vl3+RN1Id30vfZSV!K+7{(4^?pU`
z6dZ-pjq8Gk5NViY?3I-vncZuk|K4`(ZhG@*AD17hFcAM&Lnoo!zd4%@NTCf3I8cj5
z<cBdz;u`sOvk798FS$8Vtt8Il3rA?^L>$6*%tldBS#SuL=?y^<!q;!n{d#*RqZAKp
z3WyxhR>%PDijsZlkQO5zeVu1sc4m0H^;Nb<B-Vvb3h{>3<zW%En$jL#o7Z<xTT3?A
zWH10*Yeo{MA_2iXw3d_(7{=4F0#r4)6OKLe>z&H5rS5cH1_z$~+D({j#xzdx*qUR+
z+Cklqt~dr+YhlS?z^p)~<+)leqT$bkw!tNbevf+~6Q`mm2RHX!>TDFmd*TxK`%|=g
z!X!&}J}1^7n4Y;`u&H~l7+hHOxVcSguDK>u_QdM&s|rNf)?Y6+&(tLG?!3uFv<$6&
zI)WAx33`0tuVdCUlMH7O3`HOc;I8lW5=z&`$jV$6Mke3}_t&>y#5dHy2J}=Cx94+G
z{iWv!OLI<wo<o5Q4=#)hRxadh?!tC`2X~LQx;vOpBnTQL5Q4O%6`{ZyvVb*Z*7qP}
z%V8t$RJRFw!jN8gAvw4n$DSEls2f;W8R=?0eT@`+BAkmVm3}0li})0`8&d06>Mb*@
zgstlr(D^Ep=C<=CUkM!-d!+ER5r+j{X8u-9yVfu<=OP-4^d2)Jm0x>EWv#B*d`LcS
z)M1<TX=k#m`EE!W#xwkBm!eJ+M+Xx&Hp<Pb{ZZj&A!E~BtDR@(^S6j%`z3`<H3K<n
zAO~5sM|rO#uCjz5giv7Vjg<BzA}5Y>q<F6?H1y>{0bj~h?D<c+O#AQ!nSfDM-$$KJ
zsrnX+6V<T?PVD%vpke_Z3=2Fa9r$z{_9ipps3$R>s07z?^Ou*ne?P_M>iZ>go@Wi|
zuDzww@fypQsa)4|RDcX8JoL@39m##fpMQ`V&}-T`c>U$D(n{dDrm}%Sdpi#gooA@+
z_y;R)Uk|H4A|TV+{C&pkF!|B;Ox{PtfWE>maVqwrlf?s<tK?oF*?9(y)x}><nE@#z
z<f5wS(erYcSDl?Utupl?uPD;y@$OpQv5xI;FXa(SUo%R!SDo)Ft+E`(_!w9~7G?TM
z3s=ub41RrR9F=6+9Q6|UBgry9m~$#=eG+G%M3NcSjd+GCF;ax(VI~glia{&+EWnwl
z6VvkQ(0(OeMCT15lc&bm=Y*+fD}#yITz-UVxfjR7Ho5A15ki+NXr`;iGX_&TZ7l5C
zxAhWBY-QppT28T=Kbhv#-DhL&WxYil0wFfz1A8ZawiC0#vX%{|mg9te|0F>VxfCAX
z{@vw<W4`kbg^<%9-p7cDe}D{f##7*+(hl9adB{EHQ>+4cvZ+6OuL7fZ_6pSqNNJq8
zDvGH`mU=eBTbu1#c2b7d2R4jGRW0y^Bc?jK+URzFs@9}ks&9Wx%Im=wKRuWth_jv7
z)(FbFYLkSyuuwD7;GZw%G`;=p<5gb?X(yx8>RARt$d`Hj6v1MUcrSpEzR`z@2)RcT
z+RB{js-7Z!Mr}_kSdZb-n9hpOfh^Uy>TXUmTN0Zfy_~^>K;<^35XPyW?QN>Fr8{co
zVGnW^q@O;sR9V}PI*WvZwVe6+pywBB@l){bxHZ@VPj$2N$jNaQ(tv=0tI7V;*+ot&
z(U>N_*b1^*b5g<K+}1Ro9rXj7@BCy3C0Z|SzpyQiA^IF;ZwStuK$Poq>u2!wWyEi&
ziWUl{%$?bt3++v9&HAD*A(q{|39vYVF1ejV+}#nA9^AiQv@c`HbjQ?2;B|f@a1Qx&
zG(v*L8!-KTYDqR6V)3Gpb+6M2_P2zxvB~rwh3-(S{g_W}Xt*Tl=-S&EQG%+JBu#t|
z^{*cA+&#@fkcU|HS$^<<)j&h+8`q&VraL}a)6-au_?9WwYY<PXGxdB_UA0y9a>{J&
zj%N~W#EcQYj;89jFPJC$7xguy1H{WbMc@eR<f*%rWoi3&`2r3k&0jkYJW^ItCkpY6
zP2V_HVp+RVKzBX9s_Adzg$Ttiy4%?&oV9F3=ke|PNRtF*y&@kq_M)V&2c3y-vSoMq
zyr@#N&DVIciQQ@o21!&C$Z?1tjn_Ji668(ErySDk){qz2@uO69!62UkV%?fjO>u%;
zKw63CjCM0=dZ+QaCqD`JHsy@13XSS@5^0Ds4s?>w0><#q`%IO}Vq<C#Qk%6-GfcFp
z%fKXkqrKr~itxGZWn6bdWbE|Akc$pcRlN7bX?vy^6f_5d(uVaJhosbW#6s8`+-=0Q
zN{3a7`jO|Kq2PN5-w*L%B`O^<5`fdX8C9P>#w)KBofa`7!OK73D%R<U`7FKTDuWt9
zrh6|IrgA!##CsE3hx~@*Nmdz+*QPc;W%uW+_zPIzgYBDnXZiHA->{@9N%9C8z_O(S
z7|y3e4M=SZfxNhfBf)s}wDq|X+v@UCEqkpiZ<g0_u5^E-LaC2r3bWbFuElGthpSLQ
zr`c|*;=Jxx-1e*1xME%DVxNLos^is%;jYbCmlj1)D#hm!AHV3TdU$-20gk8}$#%^%
zG?n=gS+qZiDDz#j$H@f+4NK9D)IIKPvMF|o1`cXf>GAcR^Hp0v<Fy-<j!KG%1bgNp
zKJO?W*rxU)-n-&2kXanbh}^R_cv6Ssh^Ys`!4B(lZ+qBw`(ZRsTSZkSm1nMxRm*F8
zpLq`i3}zwNTADIqP789)9jlaUd7+0?v_4Kf+nwUXbx6=i4NmnHzI4B{`g1*VQx3u9
z_CzZ~kFb2=>VOA!JciY=h1MF`XoG*>ZE1(y$ognbzDP4!S&6wYNjt<aSaSQ`aqK{u
z*V$)!u!;<jb6n!X#=2~^0ROW}5=@i1HZ1P?H{W<;GPg5c*M!UmuBS%2+UUntdF2x;
zLS2q0C>O<hRuoGu{ph5ftkggrYt`5H%$p@$H<(ylw)Z@ee(rVob|S}3ql%_-D?-Es
zM4!=npcp2iC;hV)_V7$SGh5^QZhzLPvz)nnhF&rO!a9}BJ=%U25pxgyGOf}=s_qow
z<We6L><-jx)i%x>DZ_*C&OH(o)4Z=!`+!qxW9IMO{}pbe_+lZUGpur<ux;Z`m_+1e
z$^zzom8nEe6aSvv^kmH_BPga^N#w1S9Pu`Vyliw0%{2|`q~1aGP{M}kN#$?oNzO-n
zn2F$dHM4lzI;Zq-lK8olgL{80HxtWyhPBfINbag$QZ-Sc^uc7r5u=4$4iY+Fy%9-A
zQcqf{b5d0!l$i&m4a<WCd_U*q<~ms=6ZEp<4q7VDhD_9EsCql^J5sDUrs|jv_lMd)
z<p8u0$^<5%z$E0S&!0~_84xfvia#5JS{ICT>u3Tso0V^4W!cwacOHgIeYrO%VCMMU
z-1hDtLTP`Mv7oU@?gHm(Z9W7yePUGfNis|ZLCVdY2_h+ZxxJyA#S#->w?)_6I9QVN
z)$Q~TRNC^Of?Txq#<yr`#p1<`ua|1G=^+08vszxINh9r<D>Jh%8`_i<A!6jTu}~h_
zQ<&>(CFfHSlmAI6O7q*oyJ}ZHkHI%JEN8tk?}?Wc+@;q|d}@oO94}k{N&!6mP=@;z
z$i<yC+82e)pmOyW$H7#NC<h%>0g|@?CMdJrIue3}hm7tU;}0p4=uLh!$LV6y-`_Rp
zn;kLQJEcXtX`_C*2`}C(Y4};^+$~q!%5&15`;6t2jU;zT-^JvW^&!XWqHa9#HewSK
z6ZqW{cJj5>9(L7jfN)R5$<|HmC{{;``BGBC--r&hg!A7aC_UESj~Q5U1yyLXX;Rmg
z;*08XPyb+yl$D?2N_pYswy=%rClE-P98tXbD~9e-<IJYi)~@?zjQe=Z2yVo1oD5J$
z%7w)-+yK6)?v0x}y(+1iK%`fbgX5pjQ_F^kJA%?`aJJ3dk6O9pkHu24lG^DCJOc0K
zTYB)xnZ+}5MMDG_7nyJ0s^~TK(VOUVWc>bc+d-OX=9=skaVM#L*A|{g9qn|Mrbf4n
z&j=s)iM?A;#<LUDzG9Rbb0LG7a~<RX#kgPhgwi{6hh3?x_ShJ|E=+VxxHO16;fKm6
zR=ylRmSkJjkR>sv0dn2S)n7F(jeWbL?lyFawuxUK#_~sfwfl47@MXn3Gs6pTUzwl-
z9j{@NR*vL!ELMA;-gjs&W^+w<$!l-DNe(6{f}B2Ld6?79d-^oK_XvbNSNyAZ8!d{A
zbvwDwpJBZnb6PYe)%U$0l1Fl5$j@Yq7z-B<&77@y@VQz#YmzMxH2)-vC%vxmVQSi{
zc)#>c1BEJ&H|1w(n;kel`IQBE%s(@WK{8vu&$795Z%hSLKy<z}eQl?@ZgcSV2&Adz
zEJ9PR{e;AQs9JX(s{6I9&JCUEzQGgcp&#xq;&z~7_Pmd};Nt7_j*S3m;!bZZOk+}|
zQH)%GW@rbm;AOlD%LJu5O)8Y$Gn7}N@DJey|98fSyD*k!s2~9csVVI#H8v`+Ic>ef
z1qY$T=tQK1)1S@fUVFVWgJ-O!m$RETcA6YGc=MmZ?0jH9-*KFrg?jQwHs-=Du_qFy
z8*7xkya7fX-NBh9d!*(Gl-9<?(F}H$_0KJWQ7D(L!!lk7z*U#MV{;cE8lIrca_M`t
z)=>e!N@rWN2;cF#>58*`(Gste*ldfn+8NU&pP`v_ksYDmFMK}Q+raGfA(3a(bvh4$
zpr6K`zsAwjcou_|p!`#PQW|no&=S<TH<9%9f(j6`Y_16L39d}tBgc*#3nF<f=0An$
zs2M-_Zj#<zNYtipe)^DwHA|W8E^9%_iJS2zWx2T`5gFwt!qZowG(oW;{j}kt-R^<%
zL>?OmJ>+?S4Rsk8o25A9es0xDiFd2bAMkHKie@f2&V}sNuC8E7cSD`X&_xtx_`-|n
z!&a25RDVv5qK@8WjrE;EspU3fi%G_EeEqbbcS?Byv~rN4oxrHSTY!Y#$iE3`ky#>+
za&9zhM`2VzC(?1-x*>|%eh<hOd@ov2(L3~F?8aR_q0o%-cL+s=NK&Lp%z=HYMH%Wq
z=ow0trLx}JmuaFeu9ef^IRr6hE`pF+V>Rn8L=t|^`+MOPB|gs6@~a-VMRYD-*?$x7
z<L0_+f#?dOc*x@3zr$?sw8{#-Z8k+>gWF<e&NMal50*sMH64Urrz7sKByAnkF6}00
z6RUIjy3*)dih()`MS)UzL+m*aO@aw!nP-#Z)Dyfmn+8`$hrGj<iaQ2l*6-Ir>A7SI
zM{NYNuX6f4Ub_yy?sHFvTZ91G;Iy+v?7egwTtTPXwZVb3i48Sh4(63e(t%9s;QAp_
zO7e3i_V(*1nL_&C_6V)>MQ1_D6}Kh=%1rw$O*Ya~;!$!VGG!zY*!&$JS{W~^c=?fX
zN+N@ADOsG#1BT1y8jL~&WizU=66p(e6l(*lI@w!J85oZ~W2ETe%FlxeGk%M%Lk2Pl
zv+v{)rgOZ^R&vi!bu$|ox8J}WmvDDn%h?_W-E;h83ZW1m`I;U-tiVLVuhmn^sqshS
zrUla{ufDID0Su8Jxd;<wq%#9Oe?sEotSc{{{Y_lC7knlUdMOYqt#k##*5fgF(%nHe
z_?1{YJ~$%M8_`)Qc>eWKh@?~y3ly(p7fWFZS8HucwiLTnRswat6&{#5g(iDLF3Llw
zA*_2*Oc&bjhpImnic@q~Z_H#<d5VbYd>WbFf9#Y(F9r3PiBLE3^Jnw=sIp^+O9ahd
zA0#XT&p`96Wax}F($h|EZ~KbgTay<?QmLn)3_#jYR;~9n+CwrtgF3sMO^ZYm0)mGH
zPbfmw#J18Zp(NBYQY2f#Lr>ZNIm~0wiEesooF$v8E|X$y_1ze#bx!RH1d{S}uq3cJ
zG>{L`;)WN8jYv)>>jUE={G{>?FXKMxQCW%IumC+o-srteVVxX-boNYFF$?J#hC9<F
zH{yohFt5+mT`Fmd327B|!eTtO@vz+^M-3QJyfY^FJtT1hr+FJmQS5{oXCWw)sSP*2
zPFXk*${<%^=lxP~<*r%oVv9@|zQ>6BzFv_?1!CpqgS=tna0?~G4dcsDC3akF?kA%j
za$1<a>(&t=UR9^@^xAY!5sQUdR<dY^$}7Wgw|XAFf6UM3yuF2}`J*iN%v}4FznJ@X
z2fFT6USS4{UEgYy;XJc%h%s&qRVJej=>r~g1Y&$Phh9RCU!oP7Z?UOwGTm8}Z*Txi
zpJPp4GOHMm(1#l-3uO=6Y3QL)*m7~dbMm&_x?kSfm1VPKLV#}t<+V3@=B^(~lM-j8
zMw~f6SEL1+phppR_o+M!rII3S<D-pH!4S5_Y-&oOumpj~GSgpo{TNyIq|qn((A&ER
zrFy=`q%<BH(HrF3bc11@RQ%VtZvG)}JWM$aUpJXOSM%5EPEw$5USczGRq4I0n^#}{
zQsuo`uo?6kSVapa_h;v10qp*|<3<4FlsCeJ43q_X8e&SuH*YazYqr=UzEg48Wk*E3
zRVg}+r8oyHIGT6{OitKEt{+Z*8(oeA{gos|*Xlw*nYNdZ_diE8mK(74^soz%$HA^L
zyCDD2LrLr|6CJSSuC-sb6uDu_!4S*NLuHgPL3Zv#YG@_iZY}G-iUk&+>M!z%xkAwS
z`c>qygzXcXsVT%vqPc|o^+qzm>znX-yM>Hye`)hV6x!bqT80DE!*Nj_>VP@KE^ur4
zO_f(_Z%E#1R_#MnATQ^;x}6m1bK3Kymml76tUXL)zgm<)$m;i(u6b;YU4O#ucAFc5
zi%+0F%YzJ5`#U`k-TGW5o!XmH(3epzCo|;1(qzMP^r|`s;z43w5)3wcXs;T;MlLxy
zLbYQ^77wWe>NMvk?-jyk$Tc8<Oj@qt%3EC}L(283B9rQs_3`A>D>B=GUvGC-L^>)Z
z9R@{jpT@HsdL@U0Kpn22YbYvBSSOpbv**V)r1fb;GdH&^hd7B-=gC^Sc0H|AwZ;Rb
z$VA*~9Gl~jiNBwy0^^bHcm$TAYXyRn_Z8S<zpL2ti7E2*wj{*#jguq2wvTo?J!%-{
zfU%oXx19}IVH$k*FxrH@`bRLYPp&I|O4Ql++F=VW0Z0o@%l$WH0ekLqs*8IMk2`m&
zM+W+S;>Tj2A1fV*H;FL`((#l!9&=;wRS6G72;(S7-nW<Lr2dC8mndK0C#L{+rOsL>
zY!KmmCUNDUdhyUDuzw)IgdOgY8L`>WERYuYgVc~8e@ILkFv_LB99h92J({Eafs1GA
zykmj+8#39A2926z=sT3Fk|=W&Yo|?R^!mGFA)fDKNBZ<FYX=+xpti_W^P>|I=`{GM
zxa7A9=?_KZ2m$dB@~S|{`*%2fjdOWHasRuQTpBCx)rsI^Y~_isKv_+IIR0?NK(2h0
zw+z})q5wKJZX;zNR33-1GaL_dWiebg8Tz2lu<<cq@!Lvhuy5-`0Rl0R!AK)*|3O0)
z^2p{OU|I^FgIcm4GP!S<h(B{j4Ro>yAf_I4c1L`<Czo7V=Mq?O8ZGl4uQuln&=uW7
zQA-I!Fl>yoIqk$GI2H|5-v~sQwLLm1lE(;)ZjV>sc!Vwt>Gq-DKa<YBnr<^-f^xHJ
z3erFtz;?BvV{uT7LIssUUm4@nkI&tK*Dz&ssiOuE^+Zqz1AzAD>p;2kv$rm7oJ*CS
zCevY5gk2bsLGZdDxPhhy*m){6DeBA{^5z6WT2)mJb}@Z%Q4-RKyeg3F;EHrBZWEkN
zM6{f|MsodtsjdNSrjO8%ssj}=!dUv-*9J<3v0|Z{Jw{1=%IR8x+()07@;nPCp;iPJ
zU0&FT(T5l9N`j_5v><4+br}<!g}Qvtz;aF-TEg@nb*#L%lB1W2U3Y*Sj;B==<PxuS
z!clSM^)KQFdxGZ*QN<<8HJs|X0>}cf9nj|?e9}pXP+Vw}q5Ul;UG!WM)L^>@<YpSV
z6acL`UY;4>>tYg^@dj!=xJy9slqNw9&AN}#v6S%l68xFi!g1h=|5zUw!f1>IlH9v+
z{@RL!y7ftz=eA>!1ogZ3zT8dd{)=F+3V;%ugf|x;_Ff?GoqqC$Cc8bk;$EM*KUi(z
zP4c9<APH_li-Bi%@?7B>uh*N8^~&%1UK-=t4dQx9CfMKzyqfVIn7$quKm--IfCL>7
zKwH6>^?RBlCt*;6VFu0@KmwWI>ey`0jVXKF$g8g`{<--z8Rd~CWsGoJ--_M61vMa0
zps!<`v;pPPtIWZ85j6dWCTs1?a>H(UjbSJmsO;CH%SRfq)Fz8H@&m_B;xgBHy(@Af
z=m~=RNH<q^nd>j@i{hfTcnyOCu!gK_{hMZI<A)7isLeyzTnaj-d#B2hkPyA3(BtCx
znap8Tabt3ddD<)2UhC{}8@@`^))DS<919iymQfDFJE}P#1lMyTE{sUUj_UdsTwK=k
zz-f05fR2VLVW4#aox>eEkiSz=H8#)CP7P%clB&3lq5y~a7L!vqLmr<~bV?oBu@T&B
zU%F-rw~Z+?$}jp;#8F#e<}_yx7uY7hBR8ENpxIs6>yay@v7P;n&~H$|sVxN@ZP+~?
z{V*oKlb%b;uCjSdwR;2VbW=dFzV|}jbHNo*rJG1)_D$7ASnaO*ojVLOSirIjKbdlX
z{Zcn68%KiP#?7^AS7y+^qB#m2m<LnOSl}^QDy=CEM>5kj)<52j(vZjjO}M1~^Y#mR
za9j2y+l&uh>W9tvCn2^TgV>sL8@=U^GV`i$(w~%Zu!D%1(<YBtxeMW5om;5X&1)?`
z_|skUS2Z&jw@}DbErq6*p}!PeKjrw~xVAwp3atiK<}&X(djc#i{GRbUJ&aC%FO0eB
z^W~XqKw|Wb%asuDMZrJ0VO04ZSkUl7l%kYL$S7yh3iO@r>Ka!Y{wqaN%TBcWtt+&k
ze;(Utrk+eRsEkS}xB(PVl!cXQ6~VAdb<wEFkej8P*TmYcH?6pZpC1<LYigP*^4@c1
zpF9#zIdiZRk6$(j0>obgabO{Gf%bnSxP?X6nG=?*^GzNHoRS$gM+ML6_wRMSuY-D=
zp_VO+a{>?67DnWe={n3(xB$3<SAMJgZKc{&(Sj7Kj#C4z9#nD1&6@d@D95CJ{T2W}
zj7mgnKvjL|yvv$m-ZN||$wBJ9AM?4$KcKLr0#JR8=qmc#3cIirlN?0I*+6%?F%Rz<
zQR1@3j+be+6T1A|q}S<guMtqtIWQMC;CH}iDas9StUDTgP=Q5wl6gRG(lmg)==`o<
zO_1Qu8f7iI+|glX&+p;L8ZS}Iu{v;~C;QqWrQ>u@O!cF*j)=~9N#Y8v(LL3kKANe~
zhl@o4xV3>9$v1#h{Fi_SX(Ha`@LSm>F9}7Purk}QoUO+@hz(rl&yKyRjmT=LV6>Sc
zdFdEiYE)hVy^Lw%u=#l?@I$|cI*+3CtvG*^JMI+gvDF_?lT%@_58Y9e1b232v8;i^
zRLrKE$^6QrbM5<G6CXECOWELF420++RJFj|R@OwwrursWhLAX*eu+leNl54+2&#HW
zJ>-)Ulcr0Rb*@0pW!<1HglhFgXK3TMcWE1baf&+v%<QPl^8FG6*CzEu75ze3PtBL{
zLaK>dkk)_=ipM16Lmu)^H|$ni7w`14X9)|sJo2GF&7|RabTQEwsmo+`K@W9VMny+T
zcW;6#0Y0LWY?Cf~YXZtYOGAd{!vfpyEv8?7Ez+E34ND1LswEpt5c7yPX}OW!f$;Dk
z%$DCgv%hz!+Ge0=6D+Yl1vfAimmy`9U2u}0oxB*p=VLLyekD)M4jOJ5bOaD&p8o@G
zFEP#D`VcsacaXHoIKH`s8~aNp;o#B4M;7GF{dKO;EMA{Gz;k<ExH|2d%~LWioyMx(
z!B7YGXWRgJHhahBWq*_I9OdecySbT<KtY>gklR^u)OL|sHaPj<el2vNMnfAHMsIQX
zahMCv(P5LA7%#6Oo$dB9AFL`T8i?)xG~0l|6ECA5z0fORr#xq}h*8W6WjXpVS{`vv
zQP9-GPQw2q%eE{CQfY@rd=frzDrsOB_Q{CQ;ik3IC);8Y3i*Hgu2;gUa!%om<%9!V
zKMt<d3zf;IPQY#IWH?x;E>n$!CRlHmWt4}brMmW>`0sq=2PD!h29ESsB%1y=3!PQK
zX$$I6=8{u*oj^kGTZ&cT2d<u{J8fnPm7+7sYbvEvmlR55h?fcKv*#;)XAj-iKaa@3
z$bV_!5%Sd3Zu+B|g+Cm`W{Yp3%O71by_c<e73+Gzb|Rpn=ZDQQv4}#I`1Ug9u0xFT
z8#44Z0KDebf%k_Z2{uMidTBY;Uw>}VIGerGTBPL^<?6H?R?Hn#DAP5%btnh3NS9Q5
z5`^v4T}RI<le{*!&$fC%txGl_+kh#;;HrL!B*-OYY3~*t@3i*c9Mb@CL@I#bi1Dl@
zj0Z@xb|Am>_0c8lYi`X>_LD1?YKsJlWWTpOY}?TSOiC4!{(XQ3xH{6J*Axo}9Cb5Y
zs}%)tQZPME!kFuW?BN7`;y_auzt3%uPc@su`Zix7_@$L<WUoD6DEDw^;rc&Y*AuzP
z>y9si(Ca=EV?DbUw#_HjU=L35g+83`_WRV{ijZe4Q==^nLJxf&Fjb}m<LrgI^UP-@
zMCCl_y32GQk^Ua`J&;N5?IkuSdWLA1cn8gQUeT#j$45Z3vcdjdSI>3!>@-(@xK29i
zflcuz3)Fxm2+_K6W18kM!#+72)#X^$;qp8-BSkV-IhhhShgYA68~<GP97r1;=90<w
z&H_h?ICDM%Qt*42(gi}S0rRvK%frs62rnv^X;HWajC6?iGO!aGQFN{_cEa!uk}=W4
z3+Y2Yvwd%EuT5A{8$q19mfGxWtFd?LIcy{Ru|Rdyu`+v}h?qiU191GnZU$h9wl?V9
zF-K;if5|f2nJrNATVJR_P`LX<7f&Gu;<oxqsa&tJBd>>FOw;uo@X_7I1T7TLr$<ws
zP{WAzgFa~8WNiHpsptg?Wq}V>j~8WGWX^gNuEgGcT9rl%JpcJP(O(BO<=M$42ABE+
zuW8)R*4dNDTida7Htl<yRq#-$Drezd^1#Y{j%0pzs=JsCefpqqKhnBu2!7H$_Yhgn
z2Kl=gg&grVQb1e3xQw}cK0EQ{p*^|;&^2lcN<17AO7|vO<38cKaN33zvz`G5@|#sy
zE+GcrY|%ZrkgI@TK>|q%_)^K?mba3i{9I5oBXo0X>B&SUrr%gld)f1BRD_cu4@`;a
zY><wLN9IQsJKXS6fnl;up;W$YrB)%;JOsk`K=+k+$$M~4>TeLPB~NN9TdePCM0Q|m
z)$2BA80$Sz^E3S%A>?XO-!4ZXsl*>6bE?m*K4>?ndeq-j$9{V9N}U1LHO+;wj;D7&
z-Y+3n4fi(lvaV;b+Buq7#=V5UF6l@WL7e$Njyo8epf#4W<W^QX&qW3be=0bABvq<2
zRxH6Z!r8n0Y6}-FA}EUld7c&?i(5(=4V&%GOCEmklS%P0019<cfMD+{YmNa9sZdW|
zer$dZ{^dvJgGs_0y0Fx&6C66J`EW#yd#EOoTYY;z`+FbVGmwxtRgc_Dw}zdWYdniG
za<yHasLXxy24mJ~UH2L^eWd0Msjppef0G@TpP|%kv%9T4I6!0DbKwb$Xp?}4NS2WU
zwKI$u+~k%wrlC|yFh<rq_;fC3Fo1DVyhz*xy&6{ifQMlsG89uD-xa4zHK$fe?BxLU
zx$iM1kg7=vzE16`cqO{hkyBMO$8fo{eMLG`jG1cAIwKU5@tpkyy5qBfK7B>J$b9<P
zyGfo+`e`r22>d(w5}BKBAr{wrzd*>V2kjkOcueVOl_vEG7B`N4Za1mCi(JQ%LO+x)
z%LR9-%EYJbi4B+g3doS`-R7O*pvV_RJrqJ5OdESQfTD`J#BM0KqyhJzYj9Hzi)*V+
zQsQ7*WRRPUa@%~69fxsu%hu73Axia1W%*`_K$=_%SsqVha1e;XXeY0{>-Afl9cWp`
zFLGLR6_yO&!Eme#NaHT$7SWuHR530WMC?oHYTF&q#irR1=tF|?>c8`IaU=CoyQk5y
z53)!V^j~dfJ|m=JM)=|lZEL9_h{rbcm<DqH|Dqy59W+uUX!2+?Z6K8Ke31~}VVo?C
zekA5tIN0v8qGZaNwGz(t5;OT;rw(1->xX6S^E#T+h*)vU)5%Y=rs>LXi0MdAj+;g_
zHbAWxkp=)R9Ql=@cuW#4-F&$w`aZn;mEq*qrR{<3=Ji%L@2@h$=bf*iizq`T$c+lU
z-#jn$-9e5Hx;4^V$q)gj>K;sv|ER6*I0!Z{<AhNedc0}h(j&+(PYv}B>@2aW?q*5s
zf2}mM{vi=ehVF*WFp)fM{{lXbzVRD8bDVgO!5_U!PvtQb0iTC-6&YjZFiREH&Ata|
zpVbDt$IqDJ;k=GlFWlYtk?P^{0<9|b{>rGhY7OGRM5p0uWYuMKvsP%Tr!MuZD%G?l
zNORl)8;V;h%00!|mQ`ixU2dR|)55;)x|`wxtRb%hQ=H_>?70-hGvAy_MdHnA#)H3K
zNXFGZ$_VZy(2t&wX+W2kXWY>9mbl3;svhjJ3c`Z-xfx$Z3+_-n{^Fp2Ufq%M(2F?_
zEJn{t7Q4t1^5(;{5jBDvNn>-kNb!-=0w9Teg?z-oHwq*Xf{mN<8_Ep!UW2rY^!AFt
zd5LJ;Sw#WOb>Fr{t8eMy!4b$g5We*^*vv&(KaYt^{%Y5bw^v%F9TA4qN&?D(Ovuh%
zJVI{BTpx8A<Z8~I8uq!Fe#1b=NMWaN3Cts>;_JC`Q>A+|LX)W`Y26>c8*!nx=g2m}
zFyLMcUs`9y1+U>Ab2e)?m!4WFy1aV%c$ZbR5t`6cM&5wTEw_$q7P05>Be0*nwWHiX
zokHdJpk&G`N^mSHr0Jcsc@|y|6?#QecE!+z6TN+W@9Hz>R)ln@Ehf^(bGoa6T8(*^
zu?ZX*n<<;(#0h7-64ySflSayLE70`aJi}h!SbBKipWj^4r+EukArBw^jACTAxA_VQ
z1rZ$m*ALybeMdokP2ly2!F#`iX#1k)8y{CkYkiI{f^JasB}&H>go-j_-(Wx$&Q-cX
z%(jB%xkyC`jzc!S*Ed|?WrRpw0PYdr#~<^cV7_J&-RN@WLOpv{7^ciI%c%q<D9ps_
zy`^{hrb1A(gBl>~Kl;$=XhFra8<gd<Y;98$bQb9B{V<wZ6p}ok<UiA%x+glac=#g(
z#SY&4IUnuCn!R>o)6=!PA9?H;(!a>+DVmkX33cXTQb%j7u^DHCqtk}cyodMDFAfuv
zE#Pp4R75RwCO!6#oNLwPZhFkmP!>bC)EPO2m{^akqz&t`AbGIoy-Jw)B--9}JSt^7
zivng*P%$BOZu09<)EuVXIp{~>CVlE$ktt0q?7nTSCix7Z!ctwY`QTe{;Lc&>EeS%1
z-dy&NQc$hM_?q3PyHO~VVP?CWYv2~*0c>KV31&Lq|7K3(ywCYLHnbv?&OaT&;f+1-
z>`iLT?Xpx^RC>aCwl011nD2wD?yx*MZmHEKQKmY2J0FG#>Pg_!v`s4(U|*2K3*nw!
zpxft{4L}1Mz&2!d^G~R*v-bi|%pp@c8mu~a%WN=t{yH&W;++SnD==}Gui{Hwc+Cn$
zG_x*NUSs1dWuWVe_f{Y$_qgGqz1{oNuK1xC?3QmMVz2n~sC7m@n+=0ckCbjhP+hpu
z$LNGxi96PBlUk%}D_vU5R-jr%Ex=$?nh^lU4sWXPtGuq5gBR&9=hWaCXTwC6#JJpN
zIPzJBnRlsUFTOtN)LDtXawf-qSPzRFFX_aOVG(bM%eYV}7|Tg5Yn@D$#od(}zd;R&
z>+j2s(@!csb0gF_i{`CrKbc>(LWZ*N2<a;XZ3%TAHZ=Vs<B?b85HN5eLC7eL6=@v!
z+1@H`Az70i{HB2X8+tC@{l(-uZ}+P7&wqMujcMK8=yd0^V`O%WFqbL6`edJzTQR&Z
z?SQTcgvL1>MsBq?joLPqzs=92YcsklL<)MMtFBO9U8RaS>|ZRt4`Q$z7o@;`Pm(8*
zDdaQZSC19xiDohu8;r)_>*feBpCDrWC5Cxoz;Gk`QXiwl^#_Vq1DTGLcWPOshY;7w
zmrfiUtMy1oFBQbiJqgWwXW}i5F7Lc@AsbADpJApo$*AW4eiE204FIA_@~I$SG)^vo
zPgXG!6aOI{m%+kJLD-0~(Ygzrty}iTdop&Fok3?cihS^>N#K@(sed8-f9!qrTa;bb
zwvM2Lq9`RuE8U1R3@V|5bT^`ufOLZ+<xL1mH%fQsFn}T<9nvtAbPnBo`x@`(dEbBG
zJHGEXj^T=Z?Y;JjbFFpm^XLm2Qq+2EVa=WIU$0(pby+Vdw=tJ~_Mi&1!U(>jXk&Mf
zL2EkPk=S{B-r&F#%sfsGDIrn4O%YV`b(Fh3<mHC~r8l(nhKlVnOaLdSZ6fC+tZyKO
zJ;-n_^boC6_m8-^O&C7M^XZ$zE(22rKdF9LO4hz>IgV+zEzuaa!Pz+uUYX4p7H20c
zV&fJscy%r0gR5}(!7g$hFR`1z^+f9YLWbxMr_d5xxZrAm<N0-1nu&>^WtGv5nK4ID
zWozUGy?@bwiWO8{5QLob9`BWBdD(jw9ny=}S6%$t0pNP7K0?w!@+0BBbbyMg-c?nV
z9q$165#Z23t%dbXB~J9T{R}?m5~JIF`S#d$mHa1_`W<vI9BsqKj;LEU<nPuJKuis2
zoY713jA3Oe1~}IG&;MKkCQM^`&&Xq;WO3OuY?Hcs;?q@7yvohf{$q96Hno|5r@T|G
zMZ}f(r>Oqt$_0)JG7op{0q}wjhPlTe0V#?ZxEq%mQzB4fC}R*2KNhb}cV0L+N%AwB
zeNhZNTplcKmreD|Z8{!*xIvy}^s@B_H&r9i$i{fQ)8!cr%Ii~0EmJXUW;2{Zcn>2^
z^3+JqjH5PszBM+3&J_NNN_pl*_*?aj=CcIxV2=em!arT|*@y+)m!;pbY>{jy11W#5
zL#|;8Pz%SC4vc`?LIn|*TejydA9i6cw48AdG&cni{JCD3h|rYT;!@1;LjJy7=NU1?
ze}_9v%(iI{qeAp&l0v+s?SkMBr^-|X_nqt&#hP_%v4(u76UaNKdvIC22#S&unU&NM
zcyAP<ohwGLm_WW?Bj$O?w{E(Z*S4ZPsOtvO40q_zJS<2msZqQ?>eOx7ByFN+v%A&4
zFyT8j8-e5imm&B_?eb2o7Ru0dLwMmv^b$aIl8Ccay8OH5x`sp)#8*3S41AWsrI}jK
zN;q(!GpoJSQj5BaWO=W7a0MY_YueSa?Iq6}`bg1BH)f@rR(0N@VxA7><||6Osngj5
za|^a}8O*_z=^&8z8e8&v>};SQoJCAm><tvys!LC3>?OoL?s?HZ_Y48f0>e8J%{Z=D
zWs*RL<<W0krMZ{u*0f0)T6~Tz7&m5mT!s%6oU$?pi42#*`lCX9E9#kpkG)(bYhmL~
ziXl74{E4d&KT3WSn0}o}8{Y?T(3UEFoU&j~O-|oi*$8NNl--<|x%joC4T$i(hD6Pg
zx(?PCj>N$vR*$26BRVHvcQ;Zo68X9=^N@ZHt?C|_uurWFVy#e*%NlyQ?@miqd2j~B
z|3!OV7Cjmr)&ze(NIF%0tE#7E`Yqr9s#^XRbYQNSdYm$DrQ3n6)BAM6nn_(xy*rmn
zeoc6rq$?D?(XS}jGr$oj&7tBMcFADUDHWEVHh!#;DZUy2*{8UF+;rB5&DISX9n$s)
zaJR|en_oilI!nC`HsA&u-?97V4p=jVpMU7UN6SChl9YEU_r-VArc*>sgsx=_`zE@%
zpm)b*mn}_qILF663$y3ldn@fc=8Ush$@pYd=5%5nsa#|`)O6Bo4YhlE+#Pitv>}l=
z=BxLq_TiO8JqNWju`{)A8)Snq_Jf54ot55b$yyPPGmyRnNoSnhT35~8e=Z?D;gN99
zDV$g2h^l7vs2KQy^k7p?j}r`p2O+TQ$mRW}Gvj@o=Lt<V(Stj?M>0MZFp$|TWUKnN
zIgUYk@p)CU1vY6HTs*z(&p<6bWI8owwYjlY-PXKXNK*6Bd)~;(z=cmyoxDxA!0`JX
zb(iz{*Ms~N&2gxnJwF3lY_zj4*lP?322|);sJm{IcSuf959)Ja>tg;Vf{-CC(KYi;
zi8YPneRY|wLN<o?RX;{unA5xk)%k;TJjqsP@QFfA?H{2N>;(<3c+lqixXxC_%BH~$
z^1~K=Q<^6(X<927MepsXcwREb;yO^L8B?Y`9awReEkl#ei;|)0yp^dN!_*zCVFk_=
zZEYsy#9GCTt}Ac3Ke)`dT1^dxwsX76N9akAm$zxVqVT2*_NU^WJ(Lj33?6lDqLEoJ
zEs7!3-<4b|PJt@r_jWX<nJ8f(yM7;lQSvS?41r}Tf=8WiRvV$-qqDONulu?SZf<5~
zO;LAM?Wh{AyCq@<f19aiw#r*C_>JOp6QHAfmA`+o_xE+t<}`DfpQ=gbsN*+$dQ_nt
zC7RUHLglot3@AY8w%iwzcK+nzX-V3uZ=~CS`0hT~nlJ3r93w6vaPfBCFN8DAy#(i?
z98zbru_5fBNkiGdbdcjM#0T3f8Y}Kn-&)kX#mAkIZ6_J2jGV$Z?tT7xtM}?WZocBI
zJ0MvUUoyxTvr|m__HL7Bs7>@^NZlMJqW%uR!q&%Lm3bRjivaq7VhDy`_1Fwe1f3l?
z5-)lNRy&B|-}$I}C!o`lSfcy71R_8bk$8SS+nT*EB&`Gt()`Xs$$X=6Tz$&1iZpN0
z`&aedNvtOa?d3>SlR1G+6_N=G#RUDBPNeE};?pAm70mHxiy^}go#+Aal+8KgM+W)9
zn)7=YhFEmy^9n{^WAz!lS^ZF><cjNyC$;Y?nhDefhxbIMuM{3TcLU3)j~nDfU2O+d
zWH2CfZyGdHHTwwmmE58IJtGha#^n}r(30_lHAr?D*k*3=!e3XI*2kBv_Je#rrM|k@
zRV@&sdHv;VT+RA`f$sPaeXh2c|Kod&-1kijD=p5d{6~!MN&VTGT)PT>jPy|YT9ljR
zB%V!dRoqdv%p*b6an-+>we`p)!ZGQo_e$2cL-f@~U8s0ODmLuYm;a^f(F9F`f2p+)
zzi@JQi|nQ~BdEoe0ochKbzs<EaMB>nlcsyu!>77F>U`fs5*_L7(`{~IX<?dtI^%wi
zf3ZLgiII_*3j0-g&oNOJbU`vHW+Bg}dvfx<<BJ_Gw1SNcynSQZyLg0u)q0%Sppd+3
zF?@L~UX}+Q@=YPv>qx9-NR>N(sC9N!>_m={-0d#9=E5cEN-wKLYfHbzHO7j_ZEwgD
zsJeH(3LD**gEb!r5>AHT7?z;Kl6`e{-@^WwzJ0~zg)`q7kr!0W#>`~$7q4(ulTkt;
z7Ga_#co%O%#7lEbj_p8CU}n9y!`W-kl#6{RTq*kX;Z5_q$r4nJGpNRE!dsC(W#e<?
zGEm%9KCTm-s;{_#v70XZ*oizn=DKEW=yrEZ5`WtIXC&XCIWyACjbJ}@EYvVN@$<pF
zDRUPlJ5gKv=hPa=CuI(H_f2Mqa41<1ZzS&RSPlpSw0Vy#e5?+AFtvn#t6Cm#c8OK2
z&b$s3sPw7!))0xTaX>7Uk?UfvUQ8##S6O^{u00^H2p!%(=DEd7utI`axWG)Ff2(~o
z;MA)6I?tZH^dX~>rgethv`uD!=7#Czy4otoLu5qW?}fJ$TrYFFt_0sCbjJvaT-yRE
zi4dF>4pF<Y4NzlyR6O_aV=IJZK&}lRvn;Tzg|M<heEwivq7Bl|#KXZBZl&%LQJn}>
zqPP}O8J=q0uZ<q-p!F=2c9NM)(UDb7%y1>)6r28woD7b^L8Uv53G))k`N36pr0R;y
zEOMJ297tEw9AD2hPR)`<383mAI+K_6e||DId6KTaY`HMQrY`@dlH2GE#|B*_!n4#z
z)ox(m!JfIU?UHw;%JdnMr@Nf}T3V_;m;C3T!=Mmka27$UjV{ip4`I<FeV<}x?~spF
z$Z&H)y@=zP)k}|sC4)Q-(Sn4zVMQ>%X?J1UVGOBNNN;l)s3vO^x3ClKM+Sgo;HDob
zOwJC!J7$R7{K-6B!s40#BAU=L#Fs#N^QiyjoE|2o`$vGF-T;>&YJz6}t9;s~@W94i
zj?;R(UB3INmuvY&B3WBpsrsH6AKA%=<t$@MF$w(H^`E0hwmO<svN=`61C}w4?w*?J
zdsa@kZ+;b0pIhteQ!)Zm08aoSY`tO$60W4gZKFbiF-er2JdHwY1H(B%m%6%6`cPWq
ztmGKELA(6#%x%LtR6|B)+d9&$nRmnZ*X#$ft~fWPDB`Yf_f)dt1X!i-F}j|MdDZu6
zZW$5OmJzMH+XdUDv`TZSa9`X0)T(&$@_pk2z^Zcg;F^B9=o@M*-%e^YC@kQ7#0=J6
z16EUO6;)eXIgq1EJgPYtR5wRA#e*ysqABE#>9;ebpw8+s5d#r+vPfT3Azq^CkhM(A
z_VBXNq{iuP^R=i~Q)VMK!gf<EaAiiT&W!0Mc1JDtx+TvYZ*8up>e2>yPON@Ad~j|<
zlgT_q?N!$S8t3Kj7xVWin^8ydr{ebZe8B*=85}0S@s#lKmlQD1Rq*p&*R3-Z$`Jme
z_T9nki_bNCA~chADS6)|!uA>sS~Q8YS`OM)R-0XLh2l|zo4$@Uqb{mOd7v_$*#142
z&69j%!Q_7Z_I#@N@|~1ED+zMN&tAiITPnC1le_-kghFl#na&AZJnx;Y#V09Af1>Wv
z>&AKoo6PtP@Q1v=p1&-eS@}HOh^2Ljw|e(duvBQ-O$QCbyOKAvHd_v6#*CZZPq8cs
zQeI$qI=CebvZkl1!+*BXC89|qT`zX3i=T=qKUE*et>s1UNy$u}Fe{=?g!i`2Y;IEC
zauviywXIG`7we?fULFXG*UF?b*r<J57iN=6i{Hr-esQ()i$C)7mDRtEc<f5Q#rxbK
z=$0L!dk{8drd%-Cm_@NBbjkHNGVzAfP&9wKI~8}&*x;c9?X{_whSQFj6U&S0o@em1
z9mx<v%|8P73us3-)<vj)Qkg|pdNhyf^bF*xepOk28`RD8uCfsjwWQ~s?yn`qNSv_c
zjvF9%S*}5_eq#-cZ?`+61gd_>!evnEt@uHag&g*8%_{3}IdhX7bUFQ*v$>OK;J%^b
z&_DNb^7Fhai>u(piDRwE`nZ(ofwOn;^5C*u##r|hGqs*O!rm-^{$AI+LRD;B0>Z|+
z>tH+b#K9$rPTWhMP)omu^TV<-yB0ohfd-QV3r%)%g6mnatyFuZW1r@>srFyv%}NW-
z?e)J1TrNX@{vr9@m=Tm=<PTUo^!}yN{GVpZAsITwxelw&!O@`Ei%@|<iD1>3KMHn9
zQX+wk*I`+Cyo<{t0GBCn6ZADpQni(wxJPE4!|?vVy;zLa;Lq?U7`f9%wF5{t^SEmM
z$+2NivE5xwUI8&7-Yp7zttUO~2rw%V02ng#@m?6%3~~gG68TM42U6eto)xVN!PptM
zxK_E;TbuSa?EB&X*_q}W*N%tbiN>ljOa?@=Ndm9yk*|0&Dv<{=Jwwt!Umd3Is9nys
zXh|acEmjj#=7UWo^Z0^V*t=Va&)+x3<A)4w)GAy32FZq2$L~!-2RxzVQAO>OhuT91
zbR!zdbTAiT^I`T+Y4`0VWn!~BTV9Pn#%)=hA+_+xT!{>(cuE8#;Z^8~9Ftx`G9m6D
z68m(CR?a+Fs=oMy{e4*(@QgeCD1p1;g%jkB!(w@U#aT$;L3h|X#ADRp(Nu&<Sk2JM
zV!Qc6#)#z>Xl?nx3v<!;l1fZ|4oXrRHs73i&K)Rp&P$!sJ@C1u^0U?z_QQeRg%}n?
zcwI8Q?zDL4Q=60<cB^$l^oaalLA0(#g~(lN)oLgZK=YLvcaJ4|$6P3j9tT=?&*tSO
zX|=K`B2KpRo5W>}=wVH3zjyfvh<4|WTR+>mB+5tWw-v-LecQZ<eySX-U24u$t3`Ni
z-U*{pH^UutMXHX>Q{b7A1|oN?VCt!<t?rwz5-Ctd;@xwA4v_=|g2k*>O0B|(q3;>G
zwjGJ)6?IP?*z{z7Fq8BidqMkV5HvLz{)`EQd%&`Moz-zR?dd57OviU@O6S8a3?hAB
zpL$@}3>*S2(uCA*W&9!!ti*fB!DHp5J77&!PY?RsjFNCknza^@wrfD|alczVw_9JU
zLAOZCRzCAN4sN;I<aA&%W}|N1JjRdFziP<YS|Q0wp5FGomgOnEdDTQwfS7*6l64k|
zwyP6)reR%UcC~c33e9VF?s{2wutA$)Rp;*Exuxj0{uB1Lb5k94sMrw$D7a$-W&A3v
zt-xubBUEc*4Rl#CPSlaL9lI*Cx-lP;(^m=TXphCM0TJ50iQrA*r8|G9R`XX6TvkV$
zw`5gc?f9PGO0%JJb1l7ad_3)?B+1sF>2kM0ee|C~g;9K|I@a&^UZ(28N;u>uIn6%k
z5|$Mv?|`km1r^9L--pU68*yPMmJnr)J(&AqL7L0=`R+*p9iL3vlbvC6s%uBNd@#@E
z1)c=%Ysd1#)JGf#K8hclq%mTogB=vzb~tOF7+nwgNt);DYs~h~=Pb%?W9%u{UClqZ
zLKr4T8QdVH>|SSS%jOK<O+yIO>=gh&eBmVV89h984kkR8)9keS=I)ucRK1-?nvb91
z3sB$!`;yS~-jI0e^<Jny*^W5(xglw5Q*hW7CuUXSoq^WUy8$A37b(VY2|mO2*vAQ3
zgFXA1HG~EqT=lC7kD)BLeX*#jgXXIwd8`CKWHP#eYGDz0`o3`tkHeB0Rrx+J4sO8@
z!%KT_SpPD)MK{BWSgX47=c+@+17|5@39thNL2ETG-)je?MD99m`VSpT5ly3Lo^BOZ
zQ8&CBXW#Z<`dBr@ZRu<1h5*osvn%SGC@4sGx3@K$54{f6UO12dwkz4UF#z_H#(ASH
zTa>#k`Q{|)3q^sM!)c+S?Bc$)SjNHG<tBm4vXbi3M5orMsVG_w)vMFhKUSA7hXl(e
zdKcy=w|+o#D~dnx-2i)l9MAJ!qlb7kub8{=@OM#hC8@drN}4-b>WJ~1&Wyg*20Yve
z**3`BqU&?utq9<~5dL%l9JJADM$t~Y_DtQSHq5H-t&B?$)uy=O<>Z5XZ8c}=P-C>F
zGs=miEv{(ZXw~Z~dIe`|n`&pu<g6u4jYPJB-KA*G>PIZJmQjS;oyA^cKKxk6us0jt
zXKqCaT%|@4ybyHuh3@)S?|M6Zqnt`WG3uylB;+Jss?lmST`+bWDI6>yt(+P<t3(`a
zQ;)M31lr}w&XKK-<3l!~0iaOS77B2@E<!=TAOdp>S}8bD?xY*c+uirz@J#79PI@64
z2%!;wI0lTRmsyOIr5CK-atW*lKTC8^glgU4Q;c9|D0}lzz-NI>01SwaAQH*HSDQ;@
zCNlL4C=a@KnLyy<IFcc<f!8p%6}hAJ*Rn}9l4e_gUh3K0GZ-M!De@7_zfFC)PR)z-
za@|X3r<RwYLronW1b>$8GP8TymK|a23`*)q{*XWF?#D^XmHd}Ppgx5~0M#Th&q3sp
zdiRy0&PMdPQ)Axf1ulH^9tEJ_8Z4^}1gsuz;uNpvqS+(dT}&P(KerOEyK^TDP(~70
zyZL18hxjS8e{f@thiG6@mB9{?5f%W6-!VMT`o1v1Bd5R<>EnSW&Q+zsc?TNARov}O
z6K$J}+>b?iIc~4ZHedE`yKB^pRpyj4Gl56EOK$9T6J>Hg2N}$#t-@Gd$xKkDpAg@P
z4<-W-Ax65s;OldJ>U8)rYvAgVc#%UcU~tZ6<tY^N;B#_jM^P7fReczBd6j9WK9;Ec
zc4b_v8E~j@-J#$Ve79KI)IA9Tvs2GukhH)pg}jb3s6uC9@hw1NwduIY3^R%>iPf4c
zs!l4poj|=@3}GT^9Tj<@R&!1nZE)L<6Rn?+f5{F?!35V?X=x1Gx=(KXR0Lx)R|6e2
z$}dB)9xoNj+w|Z!mA(3;obYt2y{WjQ8L<%O)^ho1tjr15jt%t(mr;{CGJt*z6kQJk
zFp9KMr3nSA{yKHHz1t$T{<Rrw1M-s*s90_Xcl+TN-2<OIl$N7FqVwv&>W=?9{nl4_
z^7)=eP{qb}yo(zOY2qNXe&%K5<)78%%|iSnEa$CyzHbbBf9B!4?}1ln36J6~A+&Mc
za0YxX^HXn6o+lE5IJN%==El>b3!hTTQgiW&TNl!VbKiQ4BSB1IHknZ#*Iu3!WVz#2
zF?w*VNcj>diTvz89QO4<wVSAtYw$!90qW4o>6O-+uQBaW73MY_GmAo0**HwZEKI^}
zyjUsz1V6_S%`jVBL!B=72o|2;oY*tT<`=_>CQ#IGWiqu*C#CoGiKgdSmn(0voPTyd
zdg5z*)xZ;q$&H9$X##Q=1^ZF<S1}QrkE~KQp<;(yv2uVQ=&3x>@x>_82QBmorQAEH
zfE#`1`3Y`kguW3uPY*NCl&N63Cl?*@%ZJ^M_}#K69J%6lnYUPkQ*ja*g(nj3iHxuH
zYw1nD;ZCwH|8lznA%s%r|Mv97sUZI(|Ky<JmC^wIN%cLCT!p>U+FGa(3+S?1dkWbb
z`dc#s=<`>nBkNm~9%KISDqODT6G;+W<1sZGT<g;KbuZjJLGgzPjtn!>L0yfcspgXl
zmdaG`1^n@*j=VF}9D)n8@Q(Ee^ZvvbR9|Nl)-jcw?<`v9$((X~>0{%l@J7(P)ycF{
z^~1GE7~gFdGZ9tT=JkLWFxgUcXEYaQ_r<+<PWGSGNS=KE1eJ3kRte;m^flYP!Q@oS
zrQ-F>rG4OM+RY6O4%(AIXb>bat^Y9RtmKxUNg&Jl_zS7zg~{s6%~It~I-hJeBAaBv
zuageW14Y)XxCUWYF&_t6!$goLuT=j@oZo^-;k)qVmITc5Okp_gjDWYAXXjN_9(`BS
z!S44R^gI0WGnmDBdSpJ5&0_dmE_(FGL9iCdyt1DE{=2wPWkDbhh0IFU`nC;(`)ry4
z<esyjgcxjHZTRD&H%iUKbiGdyzUy;`BkM&D@_&4obDu5kZT;5PY0FAmlVPr63RWhm
znms~F7(9C<P9qvGEQKl$k2bK2$B`&-*Kdh3?}%+IBUtZ8J_X%su_{J8eRLtYJ(*%F
zXB*O(yae)1;W`K*9)R6;S0H3hxrC_4yZ$QGga2y6ZTCm8J^XZB78wlhh$TscqXiez
zlCv<jcAv}G#hE?^ljv-l61?ZSM&h-#j~P{VBI%zMvXD@KEOaf0l7B%>yrJLOf0kGN
z0o_+Y(wHR31w_D=TikYEzEN0mTib_e*!s}D6Dj3Fof((f)LA9Aa#?4ww`LA+esRP!
zBZrr-j91{kl$|1NR@V9_Y=p|o#acuZ6ipB#x=^7)A}2e-Iwx$Nw~PF-Cajp}GCs;*
zIq%~oL_Y3<*IFgZ)xK8$cSFp-9(+&wlufnCHx_%k=d3n)7<ef3Ha`7yt*v(V9EmfD
zB%ec_nQ<XB?H<l4v&_wv(KBsI;LFNPb<Hn>GWc3L9?JFZ!Oqf=1Ef8d)HMiLv;?op
z`E?HxFhbk_OvI?nvie{QeQ5pm2-?3o>1cZL!|g0i?}XGBlJ&a8&ZkZHpT!s?Q!B@K
zdsjXCjY>0LllF9c6k3-jW4D2fDtB$Rd!^0_^-x-q$O%TF6Fqqi2ij*mTSc)44`h;t
z_a<m`o?~U$sJ_+a$>A$UW-{@*Y}ZY0x#=`Nz1#zN6|S?xte+Eyp$CS394w#VI<+VT
zG^rh0lu)z0JnUicC4@g=o$zRUS$C^VKqu?cJ0NO+nd7VAmG~!+O)YG!3!BvVI_hT-
zPn$()-8?8SXmX-C)f}#ok@us+MKX(guJy*nZug(S@=NfV?M1Ji(e+8)GKs?2F_FD}
zss8mfOjhvYL@#a>*X*kT3-#f$1iuOG(879&osqXf(RHhqf|fwyLkZIpw9+C@90na;
zz4j@bqsA7{@#B;5Q-gdI_(CDWX>?j7Pr`c1xSC1LcFfqOeU_}7VOT(kzG3o|`R47V
zVz^E*LzkQ8&zcP;e6z4F=W0=bBmjaFPIw802y}n$4Q5P9*?7xQJ(!El0<akQB@aMl
zdQJqLCnMGZ-fNZhqLUG(Xk+;WF9WmKc8216h^ny8fE6K<*Uu-Yxw5D&K`#URD$FUQ
zo4sT5`h7oWp<e<`;#4~RFdlU9U>}6%OQGw9kCJQ&8+pD^vG3Pcyn|~p%k^NreO8D_
zS3Kn8-mrxI-f0jDGFaz$AupX52_A)pJHL9(^%yHfG(d{ncJKYQX91Y?Q5vKI<8r^H
z!^Mb%NW&5<S|M%6JH_MMDl1z#JHi6@{zfKgnIza_mc-ew91WD$hWg3;v6z88*u(rK
zSmz)H4}9eMGl7p8w)!efdlJWIri>fa?x>`7=~Q0CFBqwG{9>WI#ZUcL-2@O3{vNL7
z-J~l1I&c4dtir6ty}!FcrVjOfGlfl_i|sIw44U5}UQ}F)YIfJV5BIsH6%LP|;wp?z
zB+HTuYYX5LXY!~{ZCA(klMR#dh-}uX>_eDa9(a<@q&TJQd$<{H(3Y6mOvl~v2FgdY
zH+~>Qr}&SB^Y0?67}q7_#=LIdacx=`+U~}t%aU&Kh!owKO#ckY`*UC#*yvNBO-F`M
zY+tlHuRU{JdK*^vsU`T;b+eq~NnUmNx)D5iMnDYH^3?I(YfX8YFlu$#uX=74>5~sX
z?n6r%jN31UvVFPHGx*qHv8#CzY-_yVKrLy;q}xNnuR#~8ReQ4K=4sUuys#1+PV>*R
zu+8q;g2+J3H?N^I>X;0;jvs>!Ez?>^X-8=lF2u<dhJz02?`m<Y)TEy*FUJDq{osqE
z(YTc0jg_$ZcAk)hYC;2b-9DzXIO`Ye^Jp)UJ3_p|=BtRtaZ~;5PfxV(DawpR$<8%)
zy&m>GCx`e_3U7@}jDH+{u%mw`vbo-Ztnl4FFZh}4KHb+UI`csgb3H*sKCL;}s*2S*
zdYiels&y}o!)31dq`@qAN{W+Mh*~{{#-Ey7h<Mh7IYQRB<Iv#w1k}X}mRcQ_*0-UK
z)Wf(@CRO<~OGse*>u~W&2y<lxz+^9FH7=yZD&^HD2p^UnzS(Hz?T1mNtz^ZGPdC=$
zG6la#SD7jzNbnY+DY~9ukTJX?W+Tqp<OB3Nc=*%QPgV$#!e_e>IRV~pCNQ~F86Tj@
z{REG{X6v|}vgm2wRW-YmpCw8)JaIHT+5hU%;IDTJeILkUCKeUZ%nL09wzN)O%(oYL
zJR6?%qN=vA43%V@?>3F&gJ#O&@;HCk&iwMNhzoO}!@h(IyhJny1_rQ&Xhg~OJW=;L
z`i>mFz_hd*T6yI271#(;PTtj&$Q_!!RdTqv7JcODk(F1Sd_x!|p?`mN?IbI#BDsDM
zGo*^|10?J{JO*b&d@N{~-ors)bg8c95KD#6gmZrvlpI2Qpxp!$Ua_~$d%Eid=2u&1
zmVLiRw*E$XP|mmvJ`$-RC4Z&WU|AI>alupLtWB@+7A4<m2IiHnml^RLU9ffX%kH|H
z(?W4*cS2k@0{p{V1z7rL`me#er`3$mvicJGHP-4is`A*;0F5<#yZWHXJ6mSTz-lVk
znNMVs;qE516>?znDps1pU_{3ZO2CnNeD<nbU>HLLEhzNkgYX4Rl3*P9tX};!(I)Tj
z|3rhICvS!KuF6PSfI7V-a+W{`f1cd?y9+Q!tPgf;DX!7{VWQ}4=|mFpIxe)Na7Lh2
zLW|j;hC*7rdv9r5U1)r^HXceA26V~#S`Zau*`2`GsUk3^s2wiHD49iT+I=;p5$MxU
z@BIu`k#bk?Z?(y!>fP-oeWAYI?NkSm?L*r16u18|h4e^@Xm9DgPW=EFB%!IiKq0o6
zlR}Aun>hXY8{ZE1d|iqzUXe-=Mvyub`Gko7d$%`!x|_>@K$GYAoRG+-Ydym~z}<Tp
zrT|p5Ku#WrT<|<ucn+v{e(1T=#veoN^<YS`c<KH;GJ`G-_H_g)h1KZTJAE_INOiy>
zSQyVki;&-Fno+H3HWk0&lz7w3!S+?{t2OMCaqxB@r$+np1fB6rc#jftOM!qSwF%4*
z^@f-NGdwj7_PS0f*^DaGc~N)*%YOpqF90^zT(+QxmxkBi@0&Dv-N_HC;8+9VRJy8i
z8Mt@uK%*VqcK^<T8agPs3dJ~=K-n91l!?RSCEwLYbWF<zvBU>ugmOz=Hj99J8$w6j
zLgq1VuQiCbv!MP8DfqzB+pgl2Ev_1i!8wNy#JsjV>-ql9O7QLQUfsxYcW5tar0R`|
zpUmwRh4v?)JBh*P1FY%^;$fAIx|gtv>1*NGe;2>;2N))qOaTLUVIr~6hy;-|W+%=i
z)5jtbz5C`9G}Oy5Vf=Ji>%54W3Hqq!1A6_0zj+RRFfB>TY&Raj=|mA=1xELB-b3$s
z-^hS#poz3YBYPHd`8fS}4^HbHDjL5-g8-1LANsmE5$NoMbHc8T2h#sMvRoJq=}(aD
z`8%DdNZ6dLwd_<kHCzYp6<@>VgfuHw*vXiIY80{(02+Au6`;&JJM6MR^Twbb>OiU=
zj8Yr#_g=Pj{CU%33hl((AHc%-fDxXpI)LLtdYLY#?T-DX8UsCYU=C~Pm0Hs(>FWrj
zYX(E#S3o46I1(h`y(dagjC)I~98R6KyCG3mw)6%B1z4%l`T#!`Y{;Ea9{)B{ajWI_
zv0@asGW!`2DkiyR@YzOh5F#?mq{coA$JAJI1yKI@gihR&>c_i{7P97|nO~o*0&D0=
zp~asE;RI)oK^J&}D>u(33#$CbBuZ9ylW_MhS?{g3m(zRZ6t8rWL<^(rd0g%iU}Yu)
z$USG2;XHI3yHYC)DtGKggy@0Rzq@4ur#}>#du+c^+&+7<6}FyM)1izVJcl~`v2D&N
z8`Lj-7vUzmoFTgJ6B5!d`eX$t3GlSG$J48*z1Yt2B+=;I?Dg;6r}LeYx3Jowu?|e)
z4uMEAc#;$TZ{Fv&YF^}z4u)1Nzd$Ax`WiC4MAzSyxTsVJs4$NL3L&rd31H<|LN$ik
zpA$Q$VWfRFSug*+m;-0yte94I(M!UGgQg-WLFqDdQ$*wQ1j;l{@F%$GV#nvKVaDfd
z>f$!_&|<Mx@at2`^H!ge6o<$eC1|){vPWSqv}pXVV+qK+5$e{0i(InMbLe_0FEj4y
z43JVny^vMFHg8OjNsm;)TPA|AQwS<J?!?M}<<0+kx#)wswUv<?4w!&3;35ncp7&CM
zhx@%N_PW>qig)L&`e7&R?#?9<NT&jhA?;L3@i0!UBqXVHiIw_z4Jmddhrmi!6ux)}
z;Wf(B5%!Yj2ZMTK7Ko5?wq$J8E%>77#>v1YorNyKX6~6^FKaW4AtwU<2Fz=mQ#R-%
zY<p@{ea4qAy0T+qE5kLrDBuV&t^+Yl2X<O2f5ZERdObl(w2LK+EOsaNK1O`=x9-0W
zT_Z$VeXu2z-fFfu8e}p)dE|D98u*#ucC!27GD8i*!XXu17unW$hW=SMlex3!bFoY}
zxP%m6tBl?aLJ$KR!sIp2;Q8XZo;uQ)uVmjX#r<EAH}`Ec+SCvdeuiIt6yYX)lxAu`
zC8ACRO>-hxWQWS<kYjlYZDUN|c*-J&xj=|alW@m7EHehUD!p;jjyS|kc0Ow#FiOq5
zxiR4U@NQlyB(6p_zy{RdW9KjcH^`oSh-V6R_v<mkghymMw%GuDg!LV{V54-Oyu~R4
z|0w%g{d#rStX&(><lL(pq#(Dc4cV)}Qea=m!qD9c*_WU>p;JP_y@HMWTv5fO=Otch
z9#o{*4Ows}yw^%U#vJOD>;}4Slv?t!L$|DI-F)9TYw_COV~Z%sfn$aTyrK9Nw|hj+
z0RmAOSf)Pn8t};-qH<Uy{-x3O(mImX%!8PAan!S1biCvf#32EmYk5bGeGK@lMxBPH
z@q(KJq^ee(+&MU4SdKEOOY$!Su=M$l|26mB3U;sNi)enu=_+Hz7jE<jQT}axwa+*^
zx5tcqT2U57FyHPjr|S4u<qE=Nmi999aG$@2lffd?R~Pi?7@sHpB)+`d;rFk!Y1P5K
ze%1ZnN0_2#kxHSE7*ztDTj~J^>@T-s0gb=qq*45n?#U{Gl;+Qun;ax}{xYD0MTP71
zRVIISvmg%HY#O-MlVFwq1zM}r0vNlsb*wYi_r-->%r%_#Y&D$G`h=#O#}MvUZ;W3&
zh~8m44ZGO)F+8|*0$m5@!T~Sc)Bx{bk!9xWt2D;JwRFd)-lvHjTA`(g_r&gAE7qVj
zB0Q|I%l?*c+(qAb?iitkiVYV22f~w&75>yhQ*@EBJ!kLRgedIkKLsF2wz3{JhlnJ&
zh_hGw#?}0fcDWGyfKLxRIa`YE!H&$JqCjM1kSnRiY$)ni1zbUz4SQl>E$~){D`*Cw
zBu*khy0AmgcIyDG*|}&}*1<{JsVM&y5$pkTczO))4rY=lBi!uJby1=kxeY(ZWuamJ
z1MiCv@&{Cb2r=CL=M_bYpB_JN??Pt$nT}|%?a~dwG74ffkA+UKAafulYfwkNeKz4;
zF@JtWzFJ!uxs@@A<}c14GS;uzvJ+tHLf2nY1QglOy6|5rVCt0wd*Xbr2GG;ADHv_P
zo@p4qtubjxVrdci7*cwG3j%lL<%0i~P@%bKw)E_1urB7!w2hwi!MIMls+<H&8Y9Hy
zT4iFg`C3BiA3u09&@gWMdD&p#31BiO4~2SMD*U`4iJQ-nR-p%9MAxf{7>jTNifOr9
zhBNU$!SV|?f?tZMEZ)>%W0Ai*ifpALquvYemae?~4(`xJ04L|xY_m7DuKPn4FXI2~
z)&aubNu4i#MJaZO4ha7Fz?gfem0^m;6++VxrtdH&F@wFU!wD8(Wus3BEPy;cPtAyr
zKr=D<dadRBc(8dLmhb>tRMEH?jdGN>&F{)@>t*Dtym1Hf4~P#xHa?|GVqW$H@9Wh8
zGd1KK8UQJ<=ZKm84otg?Dvk5ThQ;U5;k2f3vPrCx1yZO<`0#TlvP8v@k6T))8JFiR
zP9giWXH8+`86Jl;FpI2fY*6I*1kz$(St_kq#l>wte*wT4G&}HVd&F^so3Ura2JN_P
zjHcLLmW-Z)!qDoKL~hiE_xCD&VE)&|)4jmOu^Q9Ay1nIB&cxP@7dKMAxVz92^_+Dk
zV4w3IPSGQpu#j@YxZ=?#OzsYbDe3Qi)dSFs%jJ+Nu+Mre5DD{iOncr1tN|xq+y$Qf
z7256F=BB0w7zLq`y9>AvAQN>fTNk|6MtL55ed-OEg#;=p_V<eji{Y|oD}!^{B+w;o
z(y4K#=z|-~JD(h8$Xg%dBytlPYv3bBfxGv{!2x2q8RHILm}J%5_&uWZ3`NOH`j>c%
z%$y;P{Kp*d1+3LF@S0>gG+hl~-7$5?st-qjt$RJ30fX?{yNGf*nfSo0dIgmti5Cx`
zEe~o?<DV}8VAecwE^pidlW#~_B#S#qF1Pqh#1KGt<r=Bx)*TN+4sn|U{=)@u39$@L
z-k|VfODEQ@%9I=-rX~?0k`@Xf*KJ}Sm(U)WJ&!uk_X%t@CN>l+oTBmg>pL&tLf}I7
zSQzPG)g>9qxT-cE)f7}UX%YF&Cpw4iGSgy+hc_LFAI%CZbnHm%1B_!G#6(uIlIFOG
zBS5F3bu(>C%x|Uah``>F8JCG%-`BOz$<gA(N^zxGv<g_-$MHoySd0S4o;>#cj(4tb
zXEW2zODf4{E8=0#P~0!4wgnL-aLPE%pO;}@++O0r3dq3=yvQx+5bQWDzv@<aHq;lB
zX4%>H><DoUnq{p9l70tAxcj1XXZEtuqT8%-u4NP9zpZBOetiZBh*AoOYjt^#Dl`od
zCF$P|g~di|RITC$$oAKoW$qOSehe&7@W?(ZyCbLQeSNOtkFoP-{EzTV$c1puFLq}L
z-zfZ)J4aDqYM@wq+RvkEziwMK%srWvlWw4+EXer-TPJ%NR)har;)gh_hCX^+n}G(%
z35Q<eHwr>#O?m_+u8c8zG*g@=qeWKmbBCF9Hxlmg{<#v1r~1U+$hTEF5-;}Zg@vyt
zcu=WQn?dJm0*QTtaJ;jIPFpPb$EjP2J#KhGVi?*uj&eXgpCo1E;7Ht-+tD4tOC*iu
z2(sT#3Ny?~N4Gy0aWU{Zo$1`n59s^V@Fd=_?eARIa&37(J&CCZ_(D@Ape|jIP5{A6
zhPYz(<HO11E;O)<(~Dd&7_oFHtmuc&nW2q-UR}|_P%Go=3hjJNB7S`lX?YT~Yu`7L
z!p^<wU~R3~QC<Z;;aD%>804!S;}l-tImhp8w6x3Q*LHt)XZ><w%r~XvZVh3GAb2LO
zKH2(|pg+0H#R=(!6ae)cPn?)AL*bK2Z4D+~e#Kg1tm~GR9Q5q)Jh;xUM}B6Qo;}-7
z`aM6|_Ev>Qu|3t9K;jZ$9fdeL%;6exWyC`4N`7f&k_M|zs?Si$QS}tq!&=|Nk+}Vy
zZWg9)>gxi%O26u^Dv@HDXzAsagbDE+wNvp<^lj=Z1?hNJh5O`HYz4ffY6swvK@f&_
z8McS_cB8-_C_F7K6yUTUBApKdV1<;s#ov!{0>R`UCz!HelEamK9*T@AIgInLI!S{c
zFge{5Z3F2B#F-v%4@wC-OwLNfy#6jjG*fX+6|ttdWDw(yL=o!7Ym9>HwhQB+RiHW@
zWMdOS6q5A(FafTK8^rTbp~yqox6pF8YLc}?*Y8NSDI*=-73K8L?0NEY1`u$-xpBY;
zrbYO)YON-7b4y$yjc@~4g@F(OHtLE7Cb{aNJL#S5XVZD(vX~#d4~)EXa-KFjDx|W|
zw3?!2?j;?RMrYovG7LzV4@fuQj3>alu$A}|C&mq5kG2i`?dK)$?~D!2j6rA9iQxu`
zHQgpfB!g3GN@!&4A~l|GjM$UA-p#GPBy%@__p{4{R<XsGEw=^I+LG<zaGA4z7lI1l
zpre_e-JEQTeuPHdxL6qM0y75|xf)3Gzkm#Yzd(A$hC+Qxq3iR)tjD&I^~xNS9su(a
zf4ll*iN|jxSSOfP(L))He{H<AB053WxX0k9Fd;u`Suf!CL64P(4ntKvIXI6p6c2zH
zKXRdf#+0e}$oy7>`w4HZ#RBCqTj9om7(f0D*5qsA_6Jp_MO@@p9oe-<D8Az3R?svS
zH3SS=t~ZFCUoq^J?YOipO@2G%m0&GnFNsl3A@Bz{D1c-qgyX@2A~f(lQB^eP#Ct7|
z^pk$`)4S%?z68M;zyk<=UsSKpxz1TO?%ziEpeS072sRB%WxZ(?$k_61ZRSq>o<4mK
zSAdZ<XXC5zf|+PDpzHEKSZ>$R<Ct3{e5DXJ8n6|G|DBs;8_O8+hfaxP{EM5W;~z=G
zwSBI*7`fb)9ibk~45<hNK{ieR@3rf%kG`u!CtgV+v&=hj=u$#Pz9<w@6eeau^|wYr
z1K}>SgbJFuaq8hB%`E9rLRLg*>0NgeBr?8l=dLr8H{Mh!@WKO(M-~JEDfJ}ySl92b
z*BOI9;iaX&kI6{MkY&|uM?}5lR*&~Q>><~+%N|1u?034vIM$!8@4MGu4gxLHuL)iM
zIFE{_dP6Jy_X&WebIY|dXm*xdu;a$BI;$1ZnQnoDPM50Pr2@!k-+<7kk9nZO_rG`O
z+*c}GYZ*#!eN)tc-Gki$QE!VB-}F?$dJHJOE}8;E{Xd}Be?|+>!y&2+YYL4D9m!n1
zzt=Be=+EpE78W)J5;j|d>uGmC+2et03qf@1!pS81uUiehHQXPrQ{k2PJ2<S*pt`xI
zUqX>qtl=FwEjaGNb2L!=XienVT(S}#Xc=I_31T9^Vw(RmSnjPov^z!U#%WH{>!S%h
zH=o;a=YeM28$Z=;QWSiQWMoO2=c-v+=+Zv=J$?`G03L(R5PkfUX%)cqJM_a`?AKPo
zi-XmJK<+1ZiF{@69ea^|gwO#nFs;JI27`P465Q97$$b79PHXL0$EmnO7hcvFn&^9n
z3h@>g-)hp_V%kkdbPrP|)0Ml;KQ8uWW0d?5ggH!KqyEL<ZdJqS^aIr~OjdY#<ZGWd
z$6sSYt$IC?nx;5o3`Twiy6%rfLEQ$=vjyt?W1>arN16>6Y>~|YeeRl1MxoLMXpTS-
zs59?GGArgcXjTz3IRs<=RcEZ5kOjyF|1cUUhj<>V+^-=>7ftZ;)-$g6)~7annwg&c
zZxjXG$`Y6bK_p*(pwipGZ--7LQQW1KvsDyRbFPfS;%`LtOuJSX;HeEzKvuOWjm8CY
za}~ooo>JTU+qtUbP~voW9Jy|jHuS$%4YEJ0_!M7V#F;&awLZZ~7imfc>6EMol|C~3
zcXhCTz}cZm@4G=MH4Q`L9?yPItP@Xaw3KtG#>RnIee?IitH1@g>-g;!P*c(G-F6F`
zO_~3fTmobT*%(?WsC4q5=c8`N<`cMOY4Q?+1GjAOBWGB+&bR7xLx*(0ZGV8I#c28j
zF^M9oO*FD4I=DChd<k}LD~$ECrvF(r#g}C=i6IOT2+eO(G`F1YG~3$Yj&uHldgK&R
z3H$-(%Xt&~IaSSL;y|B_+*IGQKA=SZAR}*{JCr`E_U9Y`n8nzArGQ0D$8z6~1V9BM
zBmXC(k1LO`NY@`MTC6Oc{;RX~eWPRsC|w469)Sf@uwB4|1>XVe+#07JT<)>&;@aA+
zSc1tvfY~`Z-qpN&v9dq&m<70X!40dbxBE7a{om*LT|$iEw$HLN?pbPL%@!AFF-uE^
zn8f{JQ$&$X!}Zs^TK4Q}5Jgln{?8mDnZbs+l@VWm90UJJtuRyc<6?Cn`;4$O%MrO6
z0tjFP8Q_p!WO&Op9G&}HYt2cA^Y#?Fe+UhOYo%2|goS`>pH}qAzGG%AG2Df#d<3(}
zWfW<!A<iKI;vOa-wH+c)9q<y_!!?N6gDY+Yt%F2XA~H-68)16`cUrn^+`X)s9XivR
z5S-fE&_njL0CM;51NS8n)R{QS8u3}2HXsL#fM-HSh$uaLaWBJVLXN|`=&v1#2KraB
zwV8K=<LeuB2)K@cq_cD!_up+LPhZU2T<;9IHIlfw?|%0*N`wC(=7AyNY}GG-HVycf
zCXS48!S_rWL9NPfU~GW<EG9T#9-`=6LcaGinCiKNfpREdl$!Vt4<0z3ve;tA)o*M;
zSqdF)u(k!ZX%NOu#|UDy5D`@t9Cx~R6TTGwa_`~eIPC$njO<Ms<Bx|R_f!4>81bV=
z!%J#6N&tNU&M_m14^!&NSP>h9>7O~kxjhG0h=FaPzU@ldkWTYx3|;=kO<ByQoX8)H
z0Z=SCT5I@CW(H|;L3=)t8z{>9U~s0SdER@%mdgDQXW}-s)De9-BOjzV-q%BKdZ!#e
zFmNY)l4fq+xGG{>&xe8nQu@~FK%#N@?y&F$%L;)MfYh`hcfi-&jRSf$UeF8m6!Fl~
zCed8ihziIU;h<}Jhx@7c!4b?#gB09W$iBt)iA^HppSrUaSsueGX>3yTCa}QnBg>DO
z!u=b8H4ISlijn4kFljFkuVpt(KC03`ahD1H&$h(*_8yzOMr;ts%ao>bPf*E}I#y9t
zB*Hy#W-ZI4<<edT$Rw3#X_iCd|GQHE@BNXgjQG~qPm0BXz#M3m0}jj8l6KwT!b<5q
z)OEv22}@;<hghm@Xkt^}011qjB9#T2qQ@YeyU*n@X+QbOZtD;=Vs6B?_3QPX2Ultb
zEOd@FfIAiHdT!&Nd;H~>E&{|~B*v2G7oKhZooza9@GK|@#))R%0?q`z8nT2qufzJ|
z*diGqS~p=ZdSPN~^9+~cF_4}8R}7ou(rSahM1p2px2nc52W9`YD|F=GL3-{g_i&;)
zw~EM{4*ieMOB24H>);yrmyU%0&Kp!S27dd3zM`7Sru)nNe{n@T$EP5sVx-Q910V_*
z0MgDB?NVTq*3!im{>6QjH^)WH>hdSX-dMPMr?c7_vSizVy_(~^X|AfqDcAL{m?7#3
zBE4?tO@OrReV%0gqHPvUg+xw{Hv-)+D#w2~Tiiyt($Zh&k*5z|pui@&u@YuV|Bf-3
z1xE@LXyR`CZ10Mz>ZCER-T0OE+ZQl*Ng#4?bJ@<$OY}7xKhO_H>8yE!srFCruc@mX
z2^!Q$YwQ>a475|uF}{a;Qrcqw7iGZVBH3zN_kSn>5EdQSLN}63b<t%z+h7sN({bti
z=t5n)WzbaVHAZvC<PpA@^k|Pke(QZDo!<Fi)=#BYAY^(-Y9W<lj7-RJg7!kV?|WGr
zhb3uV$N?F%&(joz_J}<FJF6hC^|46!^M%mdC%@`4-^XZdSgsAH{3s*$&8UDkL-+Pl
zf%QN;R>1KeGEMh=`8O>Yk6T~srRDHXP=a)7P}rOJLKCtYn|u7vR;(S<N_4Ohnmzy`
zS1o%i1QC^ZYBSlK3VoksaCaTjK+^FUfX<SatLte1)7QShu10f`jIH|MVu58u%WrNY
zshnelC@diD12T3ecc4>&V|C~hE?IZzf*W~%xuEqYMwf!N>dLGQWtxJ83=^!6U=g@H
z(Njd6<{ETep@(bDI%QETkfp#m<^U>l5lt?N5WxXsz85rWM=i~omI0F<v9{=Vn70YD
z00&d;7P^qh-`;6jU4L67gPUua*0)WHW<pdv5|Gh_gyVmSH=~kY!C}T&nqEhrZS~OX
z2}rya&panlG;&5TTt7Xp`M`bV&GjRReSaG>i=#oV85RGpbm;+=XTPp(M-1{7npK7^
z+`&|s7kk{n`5OA61a$;oM~E)=_HEKCSQ0@_Y5AaM%BHAwXYWKyP0ZHX45$C1bt=s3
zOGE)Dtb3qx*UuU2jU$K%NvLg*nIMBF1D!MRm{hh?jrTiwZqL}rQ|sENMqeVugYd`B
zg!ncOzleK1O-+I=yC~rSl=WiQ#p7;!wbAFkigmFo=X<kmdL(ll&W~Q^S(35@k1wPa
zsH+)60`N`-gm>85LhKvClv0w)<xPCbO`$A!GSfjWC)jrG?D6X8Mjw_9uT8y?v8rZ2
zzxwZ2gUiR5d9*v{hxY~KgDpwrb_mC@|AG4g&+Nu58@93w`%9xNEJFHuXT|}sJd<r?
zvmi!!JWc)^@l{Ax%hkZ{&Y(`yhDL-nu5kdLe%@iyWuj8EXN%EY8!j^8vyIg?oyA7K
z`}na>ioCqON&okHFK~Q`i8$A+y;+@(r=dwVclX?gPvC90Bd7e2|9R$rFaE#wk5qq{
zG~swUgqeXV7NGsV66gX${q+5yH^awxxCX4~vGTnDhP6NdaJ(UnGy3nBN3#K(LCre~
z%KjICAZ4xfDY{Awgpg`r%YFI>B_+Rx>U{Xv_`mKththNlY*hua@POO_($uk?pw?Cv
z%?PKv1AKBmKOr4%zdd<|+gB0Z;Fuaa_7D@5dORxLE!{JM`X_xFGj1$%DG;=uJs1yC
zONcm}kluuUx}?C+0oE}ZENZMKo|p3wq>e#-0La%G+HO|X$5DdHSr5dohQX%8fMp(Z
zUioR%R0ZcIT^A!f^(vw?fR6-AbX!KCX6!Qbgc{Ubk>lnTa8>Fg;O|0K?E5&C?H9Ks
z5&YcE$L=ub5IjT(@LM~o9sB{cRR;iDwSo<ApO?)S{08903K>iAMX{XBWOh4a@B79-
zQ_E>urKSc~>Ihj&IqHKNY*V<?xuSqX8hr<@BqxO)q;7>6i=7uLKrQaBw9&(4-#qTV
zpa{4NE>qglgPq!OU;1v3>Z$n!D@X@(fs7mS-{KgoRD+vT8$YPu-SybhhUC>3j;*;1
z1L2MY0|vVlz}r%#5PbIpwQ7O?nf(NQJDaH4Inr3oQS?}f9ZVjCxjU=i0vB^S9tLcF
zh(~?x0@@j@3oW9_^D!|#;w`StYbxyv*gy<6`@iH5{8sK-?Qkpx&5~SIX-x?x;|%0W
zUL>ZTRiA$V>KNVy<F?{bwClLd!{)BNz48E_Y78tx0D=^X5nkX16_ZK|KHpTiPkXyf
z&S?9>Q|2<hKR{r?0D?Xr9SDbQD0o4z8{8S}`%x#T6k;h7(t`n|BOk5zGrp=)XO-Z*
zxy2G}JG&%i$YGZ1fQQJyqmXVO+1Fv`3^F`J|J6w45O^w`^pzFNl^UJbckbZ5aGK^a
zV!H4Y_^}U?<D9ZVjcAAP<x?C!GM=FNlO!uO$Ac3k9MH+YqNI2D5B6+uBMk6(^8J;o
z@37Zb9JUW)zt0ZGM(CkP`Wy9TprYYA>&|M_Eo_?P+6A?iw_-zrXoi%&KyhgAbMW07
z&cQPO-3#D10z~BRydOMjz>1lN$>==*K5r1s&ji+<qOrb3Xg8LEIgasA9EZZ0f8$fF
z5U@jCOiXMUH7e_42?qHx8tqtSvzKlq16;3zHLL<_rvK;q|K9lj{{S=k|0m)9p-DKV
zQ`)7M<GmfL0~O-%5L9JKbYI5#0>5hz;PaODby#20h2p2C@B4Q9XMG2k1P>nRC~iFy
zB4}EVDX`7D`jWZV-@&%_V>GhrLNR)EN^SjI(&D*BjWEIPJo4!$ud3--8;)v;L1L|X
zcx@_0(geZl5}MpujqKdLXKA_IXn~EcU&t5(;Ds8go!$-`jXka|q~3Z{PWvP7!gg%@
zT+^7JY5Bq4*!UBt^0$uLn<7CL<sp(9=Zw)lBj(fuMT$nnF6^hovjU*Uf~=M-_pmld
z@FeIkD_6otv#(8{Ni<l*;FN~2=H#7<it;ICm!Ztg?xOj2tymCkt+Hz19z(~{kIf}%
z_v~QM=jC<8WfzC&`48&pq(Z0v@xr^5_vJ*WiG4<PfAgUkZ=4{$nObwh04*pMh$GAo
zu-p~9Zo)UUl--Hcam9H<LJ=lJ)9j~TI~rrN+br3TlAo*_|02*qo6>FPp`A#L>509b
z?B2eJP2z5_U~kYYi@_YVKOfWaF^@<+vAI8#WCUjQ{%-Av)tF~}<KfHWrI!@yyl&)o
zTpLn6AEE6MtAmU5-luFX=)=5j$r%!WvUT3yqF#8KAwUb$hu?N(P7AFbmXV*f_7lwd
zB}z`H*;cVOC-l7TxsOR%|BZ3vO+)|i+nzISTC6u89O?||$78FiD*&=Q*q&4DPYBXF
z&7TFA36JTRw$PI2v+kZV`d=S|EMs;q_goCh*!9?`_qfuM4y1rUIecs(`9_HCG0M$j
zpy*sDvRV%zlxv?jeZs(GF~xLfV$c0kQjs>j!5X`v=%9e-ZEdM6B2i&BwEI5B{V5&b
zX?jCeP5X$JI>0w+rt^VN_$9;!UixQO+n1FlzN&n-+js>D-jmA>N4oLHr{{+~uDb^E
zYf<b?LRl*_r_$JVZIDdV1o`xubITMNI?gxBp_Q|Yq=qjYV!eP#*kVQ~@2TF)Ip{YJ
zmCQLrz$IW=s_)bWZ9r*$w4xD1oT|~6396)tn+G)KWQ%C30L6AMhrI5b6{vmTmR3Bx
zraWF<e!3Qx0J?L2tO_x0pHnYB1Bv~@gfjqr${SJiw^0LOIKoROK1~R7o+G)3iKl1U
z7<jDp2sHbJkUz_-4_<5!#;9Fip7>j^fcONU*x?eQRdokd2JT6HT6L~Ak3r0b2gSD#
zgF^O;JcXXfH;yfj>(n2o3L}2y?w?><4BgB7WsGzXCvy&q8%?bky9rQKv4JVa9l;(X
zi^uV#5fAk`J8#Dx@z7$=^=UG4HRj0?II><CS7WZdiZ#c@s@wh^V2$7d@eVSJahqu;
zoimMerBjyf!Tvcv$Y@P95FR<^$^rEsUIr{`H)_0Mq<@acWzKYuUTh~;epp1&1K&|C
zHCF=Up^asAi$-yd*~4wlQ4+#IX@?ELcosGfsSxfsxqVf0t(5~241Wt5dQHHhlexSs
zig(^r)>)fn0eLEeW=?QiRWzsqSg1RBSA7~_4v;oYf^=oK0~+zLlbR!!2hr3Ex3s8x
znqqApCK%ch$pm7zMg;J16js<yED;0BZt4}}F3y2xmb@OoO9*K^J6uAi#(j$d6-t~i
z3pE3stsgM$ig#>(L|_;hhuWF7slZjEQS7NjWFT^diqMjX<;WLg=94aC0KH}gLApBc
zz~%$6mg{%qcH%RX-E7V)ifp%S`^Nj+?e13zYwm1X|DX20JD%$Hjla&9vMM7~X33s~
zc<hv&S@uXt_KIvrM@1!sL`KL+PF7jrpoB_xvJWMD9I|J>>vN8t=lT8j`}g;HJ^j_|
z_>B8=-Pe8H*Lc6Ln-0bSCv*TTck0!v#6+GV?<>y?<EcWGcu;jnaf7Fb;<nN%xdDn>
zekEZ{@(ms21-2KIHQC=;x{Bry<7Pa78E_f%SFfNP@^e3({6>v6K!U0A>{>@(&#R;T
zPFH&)lrm8KZ=V@GKU3qH@r5c?nNv9P@iP&R5j!f0N}?n#B9izduxf+pteiPM@O$kX
z0dZd?QP`1_A!=B&&f~{A0LL$;@oD+7QW2efeC^MMs7$L$e-$Uh(K-i{!tT9cpsaKG
z;h^nhDx4<pApyWdXB8DH&N@kpA{%3r)*gE*>Sm?UD8&njp5KF4k2dcWBqE*jnZUX3
z`^dfs?6$=L+f?I@1z3XyoOzi~vnc@nQYgLmQ&qhw)&Y{s2_0kjhAnb_q^|;GMj%lt
zg?q}C&8VJXadI)+5Mi6l(w4iCsmjVI3;J_%KJC7((<1hv{gbEXlx<IeGD0BR4^FyF
zn?{Q3)nkJ(s&A1>M4KT-0yQ#MCu`|a?aeT8N9kB|@M-jypc01JE_D=voX2y@bbAGN
z&ls^hg|zUwcg0qVV*;W|ul{7Jop4yCP68a{IWDo&)B4|wwT4&QJu}w(ySUB7<7ypq
ze*EQpD(hw243Rpt2=moEK0Xl+<>V8FB|hzqc%-`ANXEk@7HB$cQs&^wON5pxFRSqO
z<wlc<&=)3jsGLTw+Jgy&u^$VWy;(F#?UtyEoCS=jA~R~l-qe~J?ZQ4c%~$eI#vKc)
z98k?kfr_U?;?qwI0+Nh5MCc!<dl4Y$>dz=VHRKcyp$qxT{ra*efDdOG)w#sbiuW__
zL*4R=u$V^VAtDYHDjbHD+4lAq!|bU++`k}E)Kumc&(OQ3Q>h~M<aU7(0?%|;e8@p(
zq34o&{1NsR%dNL7&O;++L6x;yLu?-)<bXOO)IKC>2CzQ{9SDX#)K8QO$UC?~zyRXT
z(8^)_$OiT#18CZXSv}*eynp|SRR<IrD7>s7dRVmVdA^4yD&6mEsfy)u2qYx<#B$M8
z4tv4&qdF-wS#GJ!Pi%NOuFNGW`7eD-##&BG&LU-j7swQMSqi((bO%fq-CQ*vP}W9b
z8sInXP5VTs*=RC4fw3UpIpT6xAn=Kk?~fDnM%G=)*cNicOp|C1g9>rm*MI5+q;8nM
zLcjta-o{)tXyto&@lY^BxrMc-oAATjye6Mt{7?;?tDKD0zD$K=S$DyiUWI2z)LL>y
zWqNLClhCCOneEf<>6!Sg$C?wE+KFpYst*2<>|Q0bLsaFHvzHJz`Oowk7G<=%7W`lo
z0;ww;R%b}l9i!WxXHaC|bQgG}I{x(8$fdd=9Nj%BTyt4p5}t_<u4Cc{E2KWlI(=G3
zw9$%@0pUf%HiQ=2u66c~oVu+vs^72R_2x(`-H{ZU7Qb$DM3teFA?Pwd@>z4Gi%N*O
zT^>}|L_d`AZ`~%68suWT?C0NAqEEIlV>Ue=<IOIIF!Ca6PYBXYZl_xOzQu@K$en7E
zyUl>47{FyQRP?KIRFw@I6`c1^{vz&URV^>{8cX(252yJNiLf}uvOo(TTYD=C4(n{1
z9w<PzRUPZY#?{;YZrg*cRsfy8)#wrsOtr*TOVL%Gy7vdNKxV;2mBg;()aD*r;xkJJ
zvt@k@)8$Sd>pyww91EtJI&<B-)3NOgYMaSKlKWhZ?w)p}w1U8MD^xZO@PlDK7Rjqw
zZ|XH})m}jHV;20q_+CoIKD&K`zK~N%2gm=!k1W^S?pfU~?zja(hjh*RAKS}(veUjd
zeh&r>joZe*uf}ep_lY{92xJ!GRT=ZoyHO5v4qRmcK~xk(XgT8gyzDJ_4KKsisAwS^
z{M9-f$I0dEtDe{5$vf`t&<cgNk1Bj!@dy2T8=7x?$pNG?kq5h^TO~TO)-t&jGY)79
ze}27)YDpgh(EzKqcU+-xI$<#Ve9vsE^cFELeM3Evu&t-IVwA==^7C5;KJ>T#Fw~in
zb>~Ob2mu*2C>4*dL&GZQ^xB*ae&;#1u-mhB)T;}7F#}`|9x;8G7+Db@`^|Jgrh4Of
z6mRX_Q>hBxvIBFyB{mC9cX^O}b}On{Ypb_Tml?juQhnrhIJrMaU;2tM+uhgF2h-(P
zE7z3K3zOd&AU(o#q(08ACQ=Z+V`JX2dX+o%=Lux{^7V{aohqF?cKmQy`n_(-^v8uY
zQv-to=HZne6f-^zWhBfW=<*LNxEy8s8%;lQuyrJL$643s%m%|Nb);f<1m><@di<hR
z1ue@c+JhY(&OF*W!uO$We)98`i9xonfjY*~wD#$>j?(uvAoJz5HrVlgu07L?Tt}6q
z<Vp9F_YE3VVl*mMM!*Mg)p{e-9(ljJ@jCyy>|d9E+-oU!KR;*g-<Rb^i5u9w6bO@G
z5(1h@-&Sd9o6S5PtK-M|IWE2Ndqq&Fqdevt^`-A`=4J3=M?OUR$N1+FL=GftS=;1i
znESW~UMm#xvE-F#I~A+n<nZ&?jxS?Rcg9)Pw`GhR-7Q{s>`K~iJwJhD6w>TKjpe83
z-`26&`t6OO_nSm*`?_)<425ACl;N`9+V(ZYIhpd7xs~H>aAHQRQ|O7v0a2rU^nTPb
z)VxwM9fZbhX~Kl+kqB>_8-#H3uIdEGj+(sy$a9?%3N=TV2awqnfXuG*MUSjcd7jYO
zXguNLrk3vpr)4I`IQ<i8P&V*y%74we+L>X~$+GFxqx8naM9uVfjy#hyiT#q4z34O`
z)od#FG+-9{h#vcwORV40jR)#N$l@)uhDjm6?Nd?V#d|7Bjl-&*T%?*(*LzO==gp0W
zUwu)7%z!GY&%~!~V(#6l-H*!9*POT+z;an|D+mkio;o%FzaN$)IPHOd&mn%FPp8|$
z>-X<yXPI-zIYJZJunMF$UH;13;qv<Zo=f{$kc}-D>kLi&?Ht%_phYs+{|ACY-oIC;
z_g`5r8b=v6#xn9h9XCt2<n{1By!uJ{-G-ra57t}KHT2s<<F%CU(qSN5Fs)@Ec%8fa
zWHQy9s+wbiLQ?Oq{TSu{Q7Q;l>ll--=MBD>-GxOzm<9C=2el2f#)MZao|cwMn28Q1
z&juP4)cuaS&~LXw+=Nw;P54T4ahrb0x89FBv3^F6XPlWGr7>T~jp{zxOFug)zo>M#
zn;8=+a#fFMh~;TF#!~_wgEnyMB5WN@c1nb*35E%_#gcN*zV70yc|k4}s^J|cKSRsJ
zYk0}R8Rc8G9b_H3VFhYoTG-3=WK;A#1Ljz4PW_XMTlBGhmEn08UBsz>KKj~pMJDN~
zY#Rod8nFV<-l`CsOm&7&zp>Gr`q=W+c}5{9#b#!L`Kz1Tmo^F=zMa^-?onTlyM3^<
za!C8xg^Z5xXqLR?%KxblH|s?xqBm!Bzp&|~Dzh8_Dn_!O<&3loPn#2%|Iz+ID{6}B
zew5*U<8tBfAi*J@rD845sVudu%C~tp-}IUhEA%c1NcEhkSNZ|Vz>}QKNvqfFYN)IF
zkdIcRe3(nPYT!2iVs%R?O%SCr(WhN&{5`f~S=qRyV6pEhdz{Y2S6(jI_x|09uW-m`
zwIQ_Ql_ix*^V2euef546z;$xHln2{6(z9-gS8&Mc$4JHsm6xzaH0+IbWw`Oqo90HZ
zX!0waoK~<h@msD3QbG|WP@<ssZwZ;Ee5}$q$C-UUuk26(b21Kjg#iXY?lJztvn<UO
zCTZpxR2hpRbDvy;PFK%`cL%5R<wjaw_MtMifhGJ1AquWo4s`Bmx>5Ebni^X4fd>ZD
zexyPs%E2n=c;YnG;jX@$J}&Rjtr0CwXGOnu-I=reo%fBgf=D#lWpgd|o|x+x5qFrA
z%UHZVZ3itD+Y~UxzYxyE=CN!QG7;LG_jb&I9SvovWkvdZ5*bRoYLm@JuyrtA1TsSJ
zk5eSir)<k>v<vNi_}LX%J)ugPQ-eX$GpaTvF-mp-0V!6_6&A&urjccA8^f!<=))4Z
zX+SOl)VbH)(62mtk40LX>MjA3M3}yu!?+qwi-p27;AD~loH%NF`+O`!i%Xrx?0ep|
zh_P=wM$)sA*d;Q@p;~v})$uG>c;u`1l70g#<>Xfrk#)8~4wS`HFQsy7thwoPw5{_>
zV-iJjgbpU<E3a!YJbGn$4EF%Bgx31-3E?qw{_>L^1tQKW?t8oMqB~T<g#ZJhXu9t0
zt)NElE2_s{9XxAz9hJXdd|Ho)B!t1y`*S4uzUV}Ww8#zy9n(#71z>|z<81S%^h~Qr
zHo<Iis;URn_H3es3WmZ4!<}(;Dn?S5Ei)q4BYh+g-(?ASWCaECsZIk%Wz8ja^(sJD
zk#H>IE47m??^4SPjcpgBS#d3?h&!g1R)VV6cS_2>vPew>wZNfmKYZKM%W9N}W<I(P
zs=&j>|Bz4b&X6>G(=Zo?S9Ws&*T{hzT9)d#L;>s9^3b_WN+FdrnlP=G##!MEIRYB}
z^$ytkNC5K$K=Wl}UWR8*>M=GRh<gQLEMSM1-f>>v4xaQs!cn5gy*#JDie9Rgq7c%u
z_Ueex&oK0TD|BL6L_JN6%JXaoi3Y_DF@-RtRmlO0@_ziD+!K`7PR={{@ph^e&Narl
z`G`;Prvn04=$mZ&)^iDeECZXQ8rSjytM5S~9!Lb1{LS?EV&q&nvN2|LPl3G0w@uox
z>(oxBlo?Z%fXOccY-xF<lEWSR%><e1R*%O1f^|d!O2Y=AO3){zM|iK`fH$_L_(?52
z8E};jyS{Q3N*^1;vKnq0Rl7VhJ@AwwbBMgOiu~2pWS`#;B9V86+<6vDOtAz1xB6pz
zz0}ctxMKkD3~k1h(AY2_XWd<=`{;IlMTjbrSS=KST-NIuqq9UTR~8E3w+UZ2cRGS9
z*1tREsJ7Mt%S$S$pbJKpbFudQk(-VJL<sZ0X>qhBk89txxW1ZNc%Ex+BJVKTKV)M7
z82Q?DsG>}-bNC`1b&yYMV}mc7TZ(&P#cdrjjlB~H*^V%jE(gsoi}g~VcLhmriCKV0
zPD?I8eN~!RtN`tw1EYSk=8%fJ0Ng}mX^TYwFNmu()2f^UxY~)K@2iP|Bb64s&VeGb
zY-b`AOwP8)weFj?Cj9%0*0y+b3vzLV>wNXsNeF1-J^vt);A*i9rDNX%Y;0{BGWvsh
za{3NkCghb>Mw|V8b|KhD30Nsa-xWUT7o)lc?)4f^-5%q*q}V!uMnAdYjKsr#zE=yr
z*UGyx4OyJS7Ql_Ua$zbcc+PGR?J0Q)Og}KfUBl9s|26uPdnx6|iHKQRX+ihGH!Q({
zfh&1JR>p{%obVM&J^wu251!uQla8E;sg&l8d2wi;Uw)u@5FM!Zx4A4OqR2^CGa(gD
zJ=ZwoZZKl5PgwkTmfvr?6WWdJHqM?yhPONBHTB^JHG=OhP?F*bkPq_@${rErqkHdY
zbP^IeXE<;)4lPO$EW)Vm%@D|Qry*aek}9e(zy0)7^S*P@ZBDet?L_H&AlA1#faTQ7
z)gf8-PmRqShMT8KGaf<9ZRCw`U<w#EZKeWelpp2cnh(CAe)T64dB_0Ne<$}eGAbzB
zJ)Rc`cl$*-VR;fe(jEpjlz?9d*%dJI3>{>tJx`J#LB<6hv1<#56XN?quM1p0U}&-K
zUFd^-`U7%Kf8V0S08^-)BS37%^os$wei3KoTSN+TH{`b1WB;&wh}X*?n6sz(9S9Jc
z)}*4gbN_8Q<LbO>3gGX=&tdoeYvTUZzzE*tM*c4uKSA$u@`)3*4R4<%a0wGTZJeP5
z3m6Lg#iXTN?dIGpVUV!e)F3qYz5CCcaJD6YQM4&WdUfo90%phOGAW}orz6~sRO8KC
zCC>a)m<F;gpq|5B4<pP~AaHPUF9XBuZg+p+UF>%-<#BFFVMfR~yvRu4S*Eb~ug4+z
z3it&`L=Bnv)uYO<Lc6&%a5S<;L>dEJw-@CHLLP08dQQB{mXdX5rXiO@6uZ$dm6zLU
zW8l_fvQ8Y`?xU>{bk);IRw9yx3{NE&B=+&fXg^fOMPg2UMQGH26s{QhJ{4GQr%NKg
zLCPp;RP~7lj&?2#+6&}+hyUxu?~nTMX{0C|KFtcD#l8ZYx`3@W#=A!VDO1{jpi@`E
zw+lBWj?@W>vlxgQIV?a;L>mE7Ex0;8c9570luF7+EZgp2egWjB39G0=%(pi&5!d$h
z-e&u>ov!(@51-2p)Cv%ljCezBF=7ZF^pcXh7TiGNd#HgU6!hiYPAzDNbK_o?>G4P;
zrl*iMJc@@YwA$t;a<uHj5qs(Ud8Ab0MX5JLz_7Q!%9A7i*Wwl{0mt*}wS%OgbsvVL
z{-e>)WroYP7AI|dwaF|0b*&zf4Q@_*Kr(B=^yQ|m*Pec*{*LYmlvum?3jIgc@SWDj
zVbloO3z?`Tqg^2$`Hh{S0b-;_CO&262R*`pB?$%d1aYXVZc7kZzo%){1&8n^y&pMa
z7L|dTxcaSivo_!#`B6w9%jF@~fM`!@Q^^es3WTcH7n4l4ieV2jSw9n=Ptr_8;s7Rv
zDoV%2J|bdjka<`A1`qwrpg<DhG5#Dyf9w!)Inq*~xm*D0(1*Y|5!<Nf8@Ln3hAtx|
zyu-NKy#5RvIT-^WSQm^PkUS2>H7>*hXo_>gPBoRQH;5&n=@In&pN|ABDJiyr{z&lK
zY36^6?_<^Koqw!9^xUBL*BT`@-S~f!9;}*@OfCtcHTCCvWK@kSdL8ZXlc;;yMU=!B
zlC;SHR^pS-1vijEP2j-ijDxLP=2d8H?D!QZpw;!<fxZ#DL;k;pL3?j^&sLBP7YJlB
zu9gQ@X1*Qy-<KC&gSE)*b8Ct;D<;F%c2Yar(y|eVy+glFwX{I}vtt#WM=t(>B_Wfx
zG=_mOR0@;6dDeiSn=-rqkIWzw2AZ+ki~{iVHOPkClxZcoamHEU*w;hZ=l{8K8-O0u
zms7)$-d1FNLeM<psL|)M&Ofkcq&%}rBXU#UL;m?fqYSaF;qH|9fS?I{RV2+7rX%T{
zy@u12O9Nki;3nijaCZg%#!cQ*ssUZv=o)%XbiVQ_GBd4A13Tl!blO{p=`0B4FS6Po
z2U7o8>n$)fDevY<>$zAHgmNU-f2b^1`=&%TRVvV?&S~Ie#Nvp68sx4vH4u!#N<{)9
z#WY!vd1X;iRAuL|Q)zLo!l9Z}ll7HE3jmt@nI(54fR2GBCB8B(0`YQQTdbeCv-ur=
zD8}DKZoHW2t|9|U>q1GH4a!99-pqrNYKmB}$#uA9u47IVs0`KQ0`Vk5ifaOTTQLsS
z?@#E}DCx6yUCyD0#-wdcMaK2S`Cdo1lZLJ<`@z^>p>dVO?osQ~z2ZrbW_5ni1Bqy`
zLrJxrDG>w8^uRI#l<9DEzwPR+4U%fyBySKL${%<;H<!}qM#>%HF1maJ5BiVTw2(F;
z^i__e>o1@j4x5_>igy;xD%eXVf5^mxv-k&hNfN{ps3w$cDYTIeixo>zN_5NT3r?O(
zJ2+!`x3yuBOmpgH+8YU?n~c1~`YB9&(^q4pFCHKt4TnDsmHkMMvXieWY0OelL@V~X
zxok=x2UC;Aq(lu9Z`MYMgh}w*b^0|gTfxKi1>$V|bGPTh0u<G!N-Cp@iLNp6`S+0(
z{J~g~^n5MOyug4r0~9K2F8Me5eBDXvTU_MO_xJKa+DX8W=JqZVk?oLMH!yIst@<^K
z^?TqjS_JzJxP9%POC1o}EJ;onZZIgqbeFp%sexW)1xQhtStTi=5C7T2pnzpIB|9#o
z{8!!(q4OSOL3eLV+Yc|2pZJNtBTZH2&wy0|DbJ_ZzFWBhxFCf<+1shcbs86@OxMrc
z&Ue<JP$~Hq^ThrSEb9N>am{#OJEBopw`nqy4ED^OH}#d5Nv`4K24gW9`1;S*Ap^aW
zpkdJ0K;pom49gol^gvN@r!(NMEj`23u*ySWf89B;5AxvLdQT&5^}kLLBZj-M@`aNv
z5Kac@?iGx#ajCNYR-e0Y6W<OR94?=uj978;y;1IV-_n^w-}ry$h14f9J#4^(o%Y@D
zxMPZGZ|F^}0(VBqjp)rZML@LoTAY;S;;bwuD>lI>hD4i(GhPmKi75@2GDeQ6rw{@p
zq+9xc0BNC6)58uOxA3{Ffa%i6kKCig2-jo4@0)~KlemaJj^R;pklJ^0<i?+n$d9+H
zSrO0G@0qY0evVWRpjknW0@bMWOP_ZK+0dKBK$m*c?Gjr_q2ais!)%olE<RdG@-&rr
z#@t~l<SBtrlw2*k?^7Y5cgNh)r2=tIpr0BffgvL$VYKs$%IW}b#+7-K!C(HvRf$b;
z@#DC`iq!!!XUq7nLups@c21M9y<~mJM)|C|Eyj<$gX$i!47-LH<|EK_AWCs!O?Gm1
z2a*<z8Esox6einV{4>;f#eF9BH~)M(l=sZV%BPMoK|>1r@_qHlNRm*xJJpOVJLO3c
zHJM#dPhR~#A0r=l9vIJEprhXS{rINywGsFWG6qMGxpR*O7Xyl5gq&M(uCjd|iQ2bn
zPmn2C_EJIAb|Tlzoo$ubB6aEpZH}tX4T^I#;}ioyJt@_*Emg7ON&&>Z>j_dIxv(wL
zH5ey)YwW{hhiMj2MTE@$Syt_a*eE4x@-t>VJleTxX|j~K{4cVmx;1=6B)%gUFD#w-
z^z+>L*DMQ$mlHT~Eb>_pxd~~2>uLn%sM^ec`chI^t%u!vY_6!KxL0;rwv#>GnQYlw
zJV^lqVATvxiwjr7L2FTM7AikIA<r*@w7AiWjP;ifqeagGf4{LLzV{j?|7hY@OP$_H
zkA8u`(&W!wq^N+@J!sms`;wRK9jj~k?~TfeN)R`a8hl~}8ry|tl%oMTW`(N!y1m=b
zm%i7}k9_f;Fo@Ku2`9lOtoOm@aJ0?ePn|AOhQY_I>x*Mq%B08vIMwPtvODWNRum~B
z&uzJwCL85hdHv%w%>_Z`7iup_cmG-UR-w`|N0&~!o`uN-906~zZbl-oMH99uErj&E
z#(Au%u1fUbq?uB^G$CzKQaz*dtMVdmNCQ&u<^UmVPmHf;uo@0lNFVx+Uh{Vg+Nq6$
zb%$Yx-mI?~D_$r19jZ8YFP!Nfwd2v=8vCV<=_HHQ!GfA$9<3RZUzHkENDs1GwO`>;
z7h{)~ZrvEQ9X}B)-bb)Vl0^3ICZhW%B&AG;HdkGq`f>sCFDc<UGDp4hn~!bT?d=W<
zUYUm)8Ms?u_2Yw>yP1YPT)2f_rTI2)<1_N^8ood}Nx`XCq^b2Md)2g^Gy8@z(@>wV
zJ*+zH?BAs57>Hvo*sLhMd1~EaiSo*xJuEXC=g(dml(ZohAsb+DM}1uL(%GCjy3O#<
zsj#`0QFsw5b9tn^ISh>$(ph<zWjG$}dBU&9F7jsO>2$v8P-x{L!k56R|HX4XVlUC|
z4zL^meG6~?b{&R8Yaa&Qv+PDXOWwrTmL~T5H3=GU7Y3ESX~JKHOoy#E#Q>14<$8Cj
zQrLaq``DpDiWxmZ)^sJfW<~W_Hpk`7Y^KrnO%9}!Du}5Q5=YwOU8}e#SxUr;0s~v8
z)G`B%c_9sw0pR=05wBk&BThRpm9s;+4TyppN0>jEG^O$WI(VFWv18fN-=YHB&wEz6
z02}mT5E&r`Mo2A_F0Rcd6W9(7C;)>YWl$h)mlO&NBxj=8*7mKMxt>##ff{7(3Vwh)
zrpl|PI+b#xc%I<%smeE~dvMlJ-7|i-3E)GJqWJse#lpyz`<{KKhRdUCI{A%mx++@;
z=c|bvu>pfRUo6;Db(0u!a`U6)WY}JowX?>=*wL$dj^QFHyS?6&cAB>@|5lU9D*$K#
z?Z>kaorPIhSkN?vV{_9JJL-oByp0R`i4mcWdPvRn7oB>B8U)4Z6g8s^kJXt@=v|9`
zrOvgy!*+&aR^-D4Ze!}qF6U0Jc1!e^6$wqjfoDJ?2XR9A6Ug#(`SD>{e|h{`Gmv_#
zRI^%Ft>zx!$3qQ$I351pj~x!aacd>NkvJ0!U8r8nO5YH7zd!Dk*f~F!k?;|_a#gV6
z?Vg6Pz>JottJ`8HAk75I9s+JR6AgZQ>UBAsUJF>U*=xmCRf}_{2If)|Pr$<Z3j-Lt
zyEl@*I^`ea9_M~!q}Ae}#kJLGkAvNj>5GYVV<dxLdmywnJbvl2P$6XJ1dJhl0cWg(
zg?$7;oYl9%es%Y-h{qLG$|LqT-|?WWBd!-_OuJnD<kLX``-C6SO8||&k_Aq=q31(8
z7za2yG;e#{;E!Oc+?>}D<`(#AgSnOz^J3(@Rr&9QgKWXP@(UfaU1_rTy@?3^SdPr~
zCtWBX6Hg&MbAzwv>%u7}llGHE%sL%5k~IzfVaMweRkIL81{{WkxCN_dlS2-7-b6qz
zNQcNm{f|zUx+)VIGwQ4FX}nnC+gMyk)ipktXSQ+BeuJ6+zVTz0;}7Sqol?Wwq71i!
z>qvb7#*j&2DD(+?LDv2Ahh)^cR?Bqlr(B1Ckq@>HO85?r3}8+bF*5|(`tpDBVNYCz
zpeCXg`ry<D?{}^DU1X8$OwzHql(sO`?3E!z5Vky&^_zLFv3=*tjf-MdQg;MeWG&e5
z>i$?hml)QuV#TTL`Af|t>V9R39^=Bkvy7K(f|5&*;f6#B#;uD7b-j>{ppXJ=unOO}
zv04SiWE1n-F5mQZ+p3FOqib3k6)jbp^Da@>*ZK6(cGIU%XkulvGs7a3@=>Yz&fx1W
zscbD;oI7lM05y4PcEAmV{wT2%{A2bvv*CsLZFV2^?gNu_O}WxL?yFYY7MD(8m=#!f
z6^6*IZ~<LdW(Ntoq0*&<3OFKonsQCV0|>n2l=8gqgit}66P7;~S6qK_2dw41K*?{T
zJ38@mc0CRs+O6HVsuceEywhHeUU5&+ue`3F$REv^yY`|nDVSx*8(npLph-U|KPg}<
zxTfs|<NW3gvm*SQoBl(*_ckkLbs_%;s|Av2R(gV(q@MijJK8T1mJk66S6lzBuaJ3_
z#axve|53?-BY9qLz#(lG=pG;Gh%bM>_O_J_dRBnu@I4wc6mHazXC-T4Udz0|wFDtT
zGS%UoROzgFq6hv3`szugUJj1(_9?0f5=ElZWT3HRLU3v~^eYiw^C{zQ)X??}ImU|m
zL!--~(x?D!PG7{V=4eA==gjA4j9!o!p$qtuYd0ujf!r_nXh$1tAhG>Th#E}_8Ce6$
z_DBqApf|yIc5(N%-jGx6Y(+C8Zn^?f!mAnQliwOo<NY><*L~xR>B%;P=LLMpa6@*t
z;7~8l-TVhm02+6ocOf1W79vp5HcGZx?gl)GgDClft36HS<l4iy+C_A}>n3|GvDs7(
zz!D3rTG4S&c+MU25TPZdHPulL)y2?JqTNI%EQ<W|_eO$Wm{Jtk=eR+36+z_ON?Ma!
z;5(rnE#^Nzttm=4$ixN%&1Ts3N5@Q4bVLX^Uh2KRCuIp%OoMk(Om*c5I~ep-43ahY
zFJ1>(sS}tR?-O?n4ysJL0dPcDzw@H!-rS<o44T_UH(EWZ+}=kk4-cl0Kq^Cb9EUy&
zJs7OMD`bU?pj>%(XEL4{9Z{e>lGXhJ&onKIS(vD*^HKCC1+I<|uVE=)ch^I?S33kh
zEv_^Vw@P2O-Xfe^A6e({F9RCzB+!5Z*oxczkgi3DBdGx^iRb3#C2xJ#Wqu3j!v%&?
zlKk10{Pw2xT(Q#)+nOYO|6ZS>J*^an>syaU7?qN;x%-eBuF|Y+^hh|PAb#aF0U;M-
zu!u`}I%ZQKlRfBJOBk(CVn>Du!6nDlceQky9Qc|T6^O-!mEVfqd_2k-I)%cCZVT(c
zCt4W)?MBX4g!PEpV7wF(f~7_dGWD6H2~|gBEJiwjQG*9$!;2GRW^LY1KF<<b**rpu
z(uaYU@WJ$GLEv;lE8`{H+S(_bDl4(qHOxVSjhx|d3R&Ts{>HX?Vu~&taunvtHx(T<
znMEg0G?0v(!r`^X6@9)&4csBc1y2t0hcg75f>o}uxP^;?+xHCNAaF1{5+JOsb~_6X
zef<6QqnKz9W@;oaAx@q7mvPgNB<NFXt$=d4R-@*&IH?<bfvh8=baL!2DRm)%@bkpn
zMZ;6&{42YfdPrn!V``YK5uK<4d^>wDb*7qIr)Jt2=w|n!@uR$Bl8P=BlKr-XdhoQe
z=*^;t$tFM<^weiNAtY%EAtgxJV9vLok}LJ<o7a4wPs&uZUF`FHs${k_-nnp5AbxgK
z9MK<6y(HM2Tpm+xs6&uF!Y9vQ75wwZ0pw2!6zV^v8DeUE-#uPPw#lA$SM@R+?(%I<
z^%5cR*J?vR;7nwL{f-?enm&U8{o5$8C$(9q$tD8if#$fPJ^3#kQn=t5IcVY`vXq8>
zLvu=a#Rgv`RB5CKFR(`vmPrA;VWlZ()7Y;~=~DH`G;WZ0)G*NhwOr|4^kG5Z<K4e}
zD|>u`Ts_Tx^1|J_K_4;l@fF3!ex0^00|x*a<T52ZbUtbk5G*?;_-Jgngz851c9QwE
zk!yJ0=+uD|3`nMf!b=Gj`u|cMt1xgczn)M%i-fMHpk(q)>!(C^e_qHC@3P#3!MtbF
z#!lReyO|`2TOhg6!{2*G!$7n@pAl&*=SZi1Kbe-j+u(_Eh47;m@~Epmm4_Bxwy}Eo
zTWSeg)t{v_qmk91G>zOlr1Dg9UgG6AwfS{6K~@;X*ON#hQY3rHQ#*@4y9xDz+BPAq
ztO=K3+#f#QFWv6kQdPBKC;>8>$N?Ft$>w)9>uBIUF_+HjG^Qht76PPgKFz(1cFA_n
z^40`jx<m70OjXKMsT_;>7QJi!EA!?vt$0QRIaa|3`c-e$l+~>3y)t6iQWNS`)=AQB
z9ddls*qN}tml~<Rb;j#rQ)ExQ99OkYZM|*VV8t{P1`V2zr-bhUgy})YpLm^jOFC7(
z$WHKP8jZq9(h?gv1`0i@mQFf1YZI?fvpA=k)}9okaDeGpz%l-0R|Srl8IfWuV$o?2
z#t9a=<^Mj39H4$ksQMk`B=@ec-T#1%AQES>(W^@ZDIf95sZZ=HR+8a;HuI{HF}fzo
z@aVhVVxQoqDC)}}JcUx6Vu#Lc$I&9q1fXFU%x8&ZXI*F(WoW9LiDxvvuA2EY{7Hn~
zcVpOZ%jbJixWWor7tmoZPe;y|eKgY5y`@@*mQyHu_}S^O>32kyVl`llw?Z{@%sDNU
zf+}8*of@dP5(f!iOe7U7LYpQIpW@}jK`3voEciy}K{Fxcd(=!l6koV$ThqNnvhMbG
zytO4MrZCdv%Wwa3sULx(ZabVV04GmPhFG^%RBTs!F#30>F%&{F>2@66g*<*(bS%H~
zsu{+s<spOL0;}eD49Otu61ltjuV>3<5>#jEyJo)>b@yL9I}D?xkZL-6p=V1o1dfN}
zKN@RPCv3b!uNchwyGq7K(TzSKnPsxQujXOv(fe}a#QKky-mvQa{#T!Z4y$vmDEDyu
z?nSy+#-0rf;@vTg2qxwO+xBCY+}?5Sun;>_cN2aqEUgQj(qWHh{opxjgq$((u;aZz
z7xSCLqX}QgI_#@X$Q??3+*<du@AR8JcZrpfAlPK4FS?D>PyZB|`YxSZdFY}6VJS+~
z=j~Dv0HYw!ptM21bMwL!4myrjuHk~CV^{0??=*`U(A16L&2p~ZDA4Sti3z~T$n!*9
z;b?gKG&PB(z*t@sNj&a`l6LIYX4_&PWb?rJUVYCOiKkw0W1hZG1nUZsBgJtjdVc76
zW_vU>ZHhVJVPAg~IU!07_R-gLmxu0Wl$^O5LwK_xc<Dz6Swqw)bJ!_Nz!7FsSqXYK
z2l@1?@FH4!6VRwD*7c%#!!sXomu4M83aF+}y(^mw3Bm-W3&153!jD`hoE0{B9_FSd
z=4-A$rM$pi5*U0=Og=G*KG3#kXC>RZ%2jOR4Hu4mTtg^Q`RKtBLI@XSRpe6Qbz~O>
z*gF6&#RM|rP#ipK23))vK)`bpwpy#N2`|z6P&1ekbrM-}Tfb)q-)Yy09o}c%Xd&%Q
zrfN-AI!qy3i=wGL$VzunOj-3KMM~QDUOIhhb;IZ!=OxnzQ)ljPtS)l<dknOYS#elh
z&BkkIR!<APEf=N?6rPWBzPXJnKQ2wkw_zH(&c77L=5brEs6Z+Cjj&4PaTgn*hVtv-
z-E!GY6XyE~$s@y+Fl|UzB63{AzVpe7Owuc&*Gq=WQjfEL@1jT+5lca9hS~izi5IB1
z(bg^-@U6~X*q~Tl@lAD2Z8Y<8P+a(mK2M3QHQ@7)LibjewT28;*!eIHzGf@+>&bk}
zwD*wW@7c=J46`+*r|U#6J9nr0%p|(V>%E}H$jRM|zNn6Jp}64k;nBa!yvUj-ZubBE
zhv+l@Ck@y){u9D~LO=q5|1{x0A^f*H{I?4JTLu5Eg8x>*|EH?}lS;0zN1*SsxtnCn
R>pk#KLq+F&zOr@5{{e@yhEo6l

literal 0
HcmV?d00001

diff --git a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/index.md b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/index.md
new file mode 100644
index 0000000..ace4440
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/docs/index.md
@@ -0,0 +1,16 @@
+![cnoe logo](./images/cnoe-logo.png)
+
+# Example Basic Application
+
+Thanks for trying out this demo! In this example, we deployed a simple application with a S3 bucket using Crossplane.
+
+
+### idpbuilder 
+
+Checkout the idpbuilder website: https://cnoe.io/docs/reference-implementation/installations/idpbuilder
+
+Checkout the idpbuilder repository: https://github.com/cnoe-io/idpbuilder
+
+## Crossplane
+
+Checkout the Crossplane website: https://www.crossplane.io/
diff --git a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/mkdocs.yml b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/mkdocs.yml
new file mode 100644
index 0000000..c8ae223
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/mkdocs.yml
@@ -0,0 +1,6 @@
+site_name: 'Argo Spark Example'
+nav:
+  - Home: index.md
+  - idpBuilder: idpbuilder.md
+plugins:
+  - techdocs-core
diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml
index d517d42..6324717 100644
--- a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml
@@ -3,8 +3,9 @@ apiVersion: backstage.io/v1alpha1
 kind: Component
 metadata:
   name: ${{values.name | dump}}
-  description: This is for testing purposes
+  description: This is an example Backstage component representing the use of Argo Workflows and Spark Operator.
   annotations:
+    backstage.io/techdocs-ref: dir:.
     backstage.io/kubernetes-label-selector: 'entity-id=${{values.name}}'
     backstage.io/kubernetes-namespace: argo
     argocd/app-name: ${{values.name | dump}}
@@ -16,6 +17,23 @@ metadata:
     - url: https://cnoe.localtest.me:8443/gitea
       title: Repo URL
       icon: github
+spec:
+  owner: guest
+  lifecycle: experimental
+  type: service
+  system: ${{values.name | dump}}
+---
+apiVersion: backstage.io/v1alpha1
+kind: System
+metadata:
+  name: ${{values.name | dump}}
+  description: An example system for demonstration purposes
+  annotations:
+    backstage.io/techdocs-ref: dir:.
+  links:
+    - url: https://github.com/cnoe-io/stacks/tree/main/ref-implementation
+      title: CNOE Repo
+      icon: github
 spec:
   owner: guest
   lifecycle: experimental
diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/argo-workflows.md b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/argo-workflows.md
new file mode 100644
index 0000000..1e01c2b
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/argo-workflows.md
@@ -0,0 +1,160 @@
+<!-- markdownlint-disable-next-line MD041 -->
+[![Security Status](https://github.com/argoproj/argo-workflows/actions/workflows/snyk.yml/badge.svg?branch=main)](https://github.com/argoproj/argo-workflows/actions/workflows/snyk.yml?query=branch%3Amain)
+[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/3830/badge)](https://bestpractices.coreinfrastructure.org/projects/3830)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-workflows/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-workflows)
+[![FOSSA License Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fargoproj%2Fargo-workflows.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fargoproj%2Fargo-workflows?ref=badge_shield)
+[![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
+[![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+[![LinkedIn](https://img.shields.io/badge/LinkedIn-argoproj-blue.svg?logo=linkedin)](https://www.linkedin.com/company/argoproj/)
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-workflows?label=argo-workflows)](https://github.com/argoproj/argo-workflows/releases/latest)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-workflows)](https://artifacthub.io/packages/helm/argo/argo-workflows)
+
+## What is Argo Workflows?
+
+Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes.
+Argo Workflows is implemented as a Kubernetes CRD (Custom Resource Definition).
+
+* Define workflows where each step is a container.
+* Model multi-step workflows as a sequence of tasks or capture the dependencies between tasks using a directed acyclic graph (DAG).
+* Easily run compute intensive jobs for machine learning or data processing in a fraction of the time using Argo Workflows on Kubernetes.
+
+Argo is a [Cloud Native Computing Foundation (CNCF)](https://cncf.io/) graduated project.
+
+## Use Cases
+
+* [Machine Learning pipelines](use-cases/machine-learning.md)
+* [Data and batch processing](use-cases/data-processing.md)
+* [Infrastructure automation](use-cases/infrastructure-automation.md)
+* [CI/CD](use-cases/ci-cd.md)
+* [Other use cases](use-cases/other.md)
+
+## Why Argo Workflows?
+
+* Argo Workflows is the most popular workflow execution engine for Kubernetes.
+* Light-weight, scalable, and easier to use.
+* Designed from the ground up for containers without the overhead and limitations of legacy VM and server-based environments.
+* Cloud agnostic and can run on any Kubernetes cluster.
+
+[Read what people said in our latest survey](https://blog.argoproj.io/argo-workflows-events-2023-user-survey-results-82c53bc30543)
+
+## Try Argo Workflows
+
+You can try Argo Workflows via one of the following:
+
+1. [Interactive Training Material](https://killercoda.com/argoproj/course/argo-workflows/)
+1. [Access the demo environment](https://workflows.apps.argoproj.io/workflows/argo)
+
+![Screenshot](assets/screenshot.png)
+
+## Who uses Argo Workflows?
+
+[About 200+ organizations are officially using Argo Workflows](https://github.com/argoproj/argo-workflows/blob/main/USERS.md)
+
+## Ecosystem
+
+Just some of the projects that use or rely on Argo Workflows (complete list [here](https://github.com/akuity/awesome-argo#ecosystem-projects)):
+
+* [Argo Events](https://github.com/argoproj/argo-events)
+* [Couler](https://github.com/couler-proj/couler)
+* [Hera](https://github.com/argoproj-labs/hera-workflows)
+* [Katib](https://github.com/kubeflow/katib)
+* [Kedro](https://kedro.readthedocs.io/en/stable/)
+* [Kubeflow Pipelines](https://github.com/kubeflow/pipelines)
+* [Netflix Metaflow](https://metaflow.org)
+* [Onepanel](https://github.com/onepanelio/onepanel)
+* [Orchest](https://github.com/orchest/orchest/)
+* [Piper](https://github.com/quickube/piper)
+* [Ploomber](https://github.com/ploomber/ploomber)
+* [Seldon](https://github.com/SeldonIO/seldon-core)
+* [SQLFlow](https://github.com/sql-machine-learning/sqlflow)
+
+## Client Libraries
+
+Check out our [Java, Golang and Python clients](client-libraries.md).
+
+## Quickstart
+
+* [Get started here](quick-start.md)
+* [Walk-through examples](walk-through/index.md)
+
+## Documentation
+
+You're here!
+
+## Features
+
+An incomplete list of features Argo Workflows provide:
+
+* UI to visualize and manage Workflows
+* Artifact support (S3, Artifactory, Alibaba Cloud OSS, Azure Blob Storage, HTTP, Git, GCS, raw)
+* Workflow templating to store commonly used Workflows in the cluster
+* Archiving Workflows after executing for later access
+* Scheduled workflows using cron
+* Server interface with REST API (HTTP and GRPC)
+* DAG or Steps based declaration of workflows
+* Step level input & outputs (artifacts/parameters)
+* Loops
+* Parameterization
+* Conditionals
+* Timeouts (step & workflow level)
+* Retry (step & workflow level)
+* Resubmit (memoized)
+* Suspend & Resume
+* Cancellation
+* K8s resource orchestration
+* Exit Hooks (notifications, cleanup)
+* Garbage collection of completed workflow
+* Scheduling (affinity/tolerations/node selectors)
+* Volumes (ephemeral/existing)
+* Parallelism limits
+* Daemoned steps
+* DinD (docker-in-docker)
+* Script steps
+* Event emission
+* Prometheus metrics
+* Multiple executors
+* Multiple pod and workflow garbage collection strategies
+* Automatically calculated resource usage per step
+* Java/Golang/Python SDKs
+* Pod Disruption Budget support
+* Single-sign on (OAuth2/OIDC)
+* Webhook triggering
+* CLI
+* Out-of-the box and custom Prometheus metrics
+* Windows container support
+* Embedded widgets
+* Multiplex log viewer
+
+## Community Meetings
+
+We host monthly community meetings where we and the community showcase demos and discuss the current and future state of the project. Feel free to join us!
+For Community Meeting information, minutes and recordings, please [see here](https://bit.ly/argo-wf-cmty-mtng).
+
+Participation in Argo Workflows is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)
+
+## Community Blogs and Presentations
+
+* [Awesome-Argo: A Curated List of Awesome Projects and Resources Related to Argo](https://github.com/terrytangyuan/awesome-argo)
+* [Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts](https://youtu.be/XNXJtxkUKeY)
+* [Argo Workflows and Pipelines - CI/CD, Machine Learning, and Other Kubernetes Workflows](https://youtu.be/UMaivwrAyTA)
+* [Argo Ansible role: Provisioning Argo Workflows on OpenShift](https://medium.com/@marekermk/provisioning-argo-on-openshift-with-ansible-and-kustomize-340a1fda8b50)
+* [Argo Workflows vs Apache Airflow](http://bit.ly/30YNIvT)
+* [CI/CD with Argo on Kubernetes](https://medium.com/@bouwe.ceunen/ci-cd-with-argo-on-kubernetes-28c1a99616a9)
+* [Define Your CI/CD Pipeline with Argo Workflows](https://haque-zubair.medium.com/define-your-ci-cd-pipeline-with-argo-workflows-25aefb02fa63)
+* [Distributed Machine Learning Patterns from Manning Publication](https://github.com/terrytangyuan/distributed-ml-patterns)
+* [Running Argo Workflows Across Multiple Kubernetes Clusters](https://admiralty.io/blog/running-argo-workflows-across-multiple-kubernetes-clusters/)
+* [Open Source Model Management Roundup: Polyaxon, Argo, and Seldon](https://www.anaconda.com/blog/developer-blog/open-source-model-management-roundup-polyaxon-argo-and-seldon/)
+* [Producing 200 OpenStreetMap extracts in 35 minutes using a scalable data workflow](https://www.interline.io/blog/scaling-openstreetmap-data-workflows/)
+* [Argo integration review](http://dev.matt.hillsdon.net/2018/03/24/argo-integration-review.html)
+* TGI Kubernetes with Joe Beda: [Argo workflow system](https://www.youtube.com/watch?v=M_rxPPLG8pU&start=859)
+
+## Project Resources
+
+* [Argo Project GitHub organization](https://github.com/argoproj)
+* [Argo Website](https://argoproj.github.io/)
+* [Argo Slack](https://argoproj.github.io/community/join-slack)
+
+## Security
+
+See [Security](security.md).
+
diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/images/cnoe-logo.png b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/images/cnoe-logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..63b8f228ef58a42a758e570331053afc547df964
GIT binary patch
literal 58052
zcmeFZ`9G9v{68*{rH~?`;&6(H5g|JjN+C3sFl5PYWFKpjQ_5N?`&L5P_pyzovSr`*
zv9E)%jeYoDw@$s!`F`G?Kj8Ctocf`=d%2d^@_en=yt=QZOh?N`OGZXUcjxvkO)@fy
zbuzM}CDg~jo%lXaEpUV0>gLV+HaC@TB5je5S`Lp)&6UmV%^j^wHI;9WkzEfCh8tR*
zgEPs-l;rdO+2YrglJb^*U-Vspt!DdQ1GD?)`F2BB!fXo^UN<ZZ$5~wxnb`Yeby=24
z;bisa(Xi12{c4^+tkV|*1wIzs|48A-yVbU%{Go$|245nQUlvwugKZqzo{lB>%;21s
zaK~R4U(pZ8T_nH4mL)LNIi6oP{r$V7bG3IHop+l6f5>~j_m_^aPkgN$SR`=P;(9kQ
zn+F#7tozDGUJgI+%eel7Yuub{pSdQ_@F|7DZaqz}$rjCbDce}i@l)Rl$#hub8J6=}
zquvO=G*Z06n-;YHeefmK4EM%E3M!}N!4PTD&zYCG8WkJF(xcV5JF$MdzD0_|Hs1&R
z)I;-yyqQLh7H>rGIfjq<pG<&H4mrQf7PQK*IeB1SVnwsUO=ehD{@jsvMfSTX+_U`L
ztn-&N@%AeI)UGItlOulaF4fXMYL{;96<#%prFHSqj6E^UaDi-eoKGOfW0U(rj;a;k
z%f?_GOR>7ums`ctXC9M#F9}#!N%po$BtH&NxUv*DvC62OD*IjMOMJu)l92$0srI7G
z3q<S*=XxQRJ>rh5PFxiA_*)5<<7`0}VcLZ&H|l+L3VA-AG%9lT4ILk<R~-!daU`KK
zfo<x37)RKmf$VqY$lwO~>c3D6%tFSeZ@uPZu=3J3PD-U^o3;Efn{4@Et9x`|<m=__
zeKO1g>-~ECY`f5nlmqVNwzRJVOE`D=2_KYYx=S0)V+Zc8t9M{`-ui8w;|iM;I{QZw
z=UbizEwdoAc1aa_(YkOhC$qJZ_Ab;BZp{So!1BOZH-*}L3$w`4g4P<91o4x7t$nRF
zKi>D+BP6};bpp$jv=hpDoaUVWv|zIqaIPQdigRo|_-ZuMn`1O1{_w;;mCsRM{Gc{Q
z6o0Kro7TG&ssCMhO-9X3Hdz2}`zSx@qn@bt4mn37nRkhM8MVbR{k_S}2D!I34V!N{
zF8NO2CS}K3oDv)po{T)LHyjmoG;%b0!r_#lY~6(-T(eoqPRga7wu;agO1SZ`Pe7X2
z?77U>Z(q&ss?RdN_>1Nd%)?bY{d6#kVcD^|9Hd#gcg9neFHQ^g8Tmb9au1ZkkMVe=
zOb|qls@YHc#eGNaEZ1|pGLOF&i7Bo=cVz~$(X~!1w$hX)UPfNmWSQi?I{2L(39Qgq
zSm|<{%WI?`53-6YD2$#D_|`BvVM3cN%y;I*R8=A`zI3+iTzd+AVT9!rS&pah^{>b~
z`y`e@RI<5K!m;anJW`tvizFCEGmf_HS~iM3wV1#X$TDP8+&47cdA^&BkYDfi`&O-^
z&eodFfhX#_+h4?y^?6|t2fHK>@3o^{BV@&i2S*Psx*xAG?P&x6am!ry&SO<oGCpuk
zO-6p?6xmU5bp-q+^S2_SIJ_n!y9E9vBO^~F|8<9AJ@M$T>!T&m!vb|GN$?7#)dO8;
zUDbP%rbs)%M`lP9b3u1I2j~SdX?IC*X=m>Ih|}H9*4|0dU54xM4M}hf-G*^-9=_si
zBg3VudY|(q($Sn#Oi)Nrh)b51lao{0(d@CL<}IbaKL`Jl;j(mgc94X@+}zv*-9!YD
zjux=15)u+HAz_%XumE^NzzJpV{K#Fv-iiC?Aiu`BW$t9^XyxE+g|z2{#(iXhba9s9
z;({jn{paU8ovj}K&rJ4Ce{TzH5C%PgT@@69{coR{yIcKVK7*e8{OoXFKc|z129s2G
zv@!<^hL$CJRr+v(f8G0^<w--MNZz+{H@DTjWo2h>?{xT$u-J8J*#G+IfBjVNe?FBE
z75V3v|9JBEm(nnZQ2!v@Pp%x^1#FR}m4^Lhu`I3Z(#0AwGI_E)w-g?@A6XcdvpuI%
z%Dbhddc;P;JzQ+K%B$)a`xQ>y7Ugt};If#A%+cFl{~Z4m6Uina9(R|U&AsHy_tz9n
zFX<5l$A{u=!~FS8#VegR#B^_~{3$1ISU57L9r*6M+;BI1xO=#g+)}J8O)YLM{Zi)s
zj?~QE2BoKDN60CtPjbrtckv$){*#3NwBSE2_)iP|(}MrB;6E++PYeFjg8wJAfdAtC
zj4sO)FaG7)mvZOqE<f~;=~Kg+;0;qlwC0JO6J;yIhY^4aCB^#u4~fu!ebI7;m2#Ed
zWF{`3;dW@p47=yt@=~MIhG#VNmf*>gZDnM2g8w2=q~@qP1E#~+;a%GL)J2O56&<mn
z&Q`YsBgfcbD9BiT^YkfBnbYUbe?}YVXmSY=f@;4y+{N_cnSgcu($d_ET1YMdDn?HE
zQLH?H#Le*U0Hx{*c{UZ*X{xnV7soRrG1k7}cO@ghqVT+&iI@<#;YgZ)2yR<J)go0{
z`y|R{I?lH+t!bto8qApX$Pw)2oO3GwQgRFGNtd-Bd@R+U^S$5L%ME2YeRKkE=VXzS
zd*D50f@A(kA64k(V^fc=5fw?(KNfdpB*UOJ@Hm*0Uf6#BS4`CwDUT3`B{u{Z$GWxi
z*~MWR*AB_?<>?8mx~lZee=Q=6y30_UFj16ly*rV*cMp0tbDU|0kmvu;*(s=FxnK7-
zdrHmL;m)QE#9NnPRtSKhb*b?yub~%P7+-&IqYp~`CoSYh&!Lrins<xs@Uz}m#w`Hz
zVtF_d-Qt60{{5OQT3mx7DebX7SV(yKS4j_!n5`&iA=K2faYrYt{>Am{H%EK?u+-Du
z-nH@l@o9WVu>BNqs!yxfXsBm1+ndE6{PXRmKOJ_*Tq)Krv~<;$@aP!Dl{L~s&$r~|
z<q1dW<^I7r`KMJ;<QNY76h{Z=>57#2rsra|5ZN5Q04YkoMgPy3wJQ4fBo`|@$`952
zpg<-x{|e=LOa6*9po1EXfdsMd=0Dc}1o2B1zFI-L-<B~*J^St3udEhd+(W?r5~%Cj
zcK`Z*`d{2zMsTuJ-=1sPO&Ih_6jF*Q9k?WK{G5VfU3>O18|^>CXEtWbLh4#Q893|2
z73Nk*d`*Fvg)08!;_pE(Pmwd*u~c7g)O!?^|3F&#DH)mp3@1CfeDt5AQGYU^Fui}_
z#jP?$p_Y%@zsEcZ#$>p@_fH)<LO!QTv6hxb;$pSXLdKH{EFgXwU*Sv?4_}V^m)vNU
zqU5O7DiExSQAI4Sb}W|wnco7o3N!?FsQ!~m1%eK{)%FIavdng^?DsV6;{TRfp;Nr_
z|KbuE`W^p3xSy|;(#I`jzK+6yPFJ~+;&^&Og>4G#;U8f9d7An*eXOVTt=}X77m;d-
z4FN@pD>ggjnA6qeGo3EuUG0^rnObtF+mO(60P*pr7+3!1nlj#3<$PQm<*gmMr8uZ#
zm4uOM%EB|(6`oJml+PB6KTUH|mkP~~7rJfw8)7UqIH``xHl;|Yg%U1c+!a+%bGE&c
z-zRx%ZD_r(u>IUHyuLQ<7KOt4sQ3}^h5EKVQmuMmdAbaM%*5hWr8|FXrzL_@y`BBt
z?i_Kn(>fBfbP%pd;Ds~tZh0jk1u~|$3vVYfqI>=PEN7Is?T7&!9TT1soyhX@p&a)}
z*fg_Q)!=Cga*Cci@)|)drGvG<kjGMmQ|IfI^n^=D`(pWhje9lt1T(@tpCWFWla>mj
z)1+^fM75g&aw_VTgQQQHF`Mb?@i7apblP!+4fHNdKwf&(<>is2r4q)|e=Ee}(~;Oy
z)9JHS8uQGg`f+?rywu>LgBbcDxfazFtXM_x*^@$y_v1@T%~Yg!Y1x9;clQkWhU1Z@
z3`fXqV8%Zd2P!GZesMU3>GLsvt@xFdG1M4I>dhESl!D(odzmfKWa_1<xf1nCDH%h;
z#2S!r`P1a8$JR7GT<nFAeZBM7E4q)*2KP)aFvP5I{I42r!0WKKujUsx6DkOY=lbaE
ztBj<?Y;qUr?41hTO_@Qs^DO*%U!61Cd)swc3mYaUfrppoJ#l@E+iEkIE6S*qQ{Bc6
z#jaBLgN+;80R`%r)@JAZTZ0mhpg&^HM>*47b5=MFC%P<<B%jg0!LrndrX4OkLGexS
zw=x*)dM7Ypf~Qz1*LGOW3wKu_a^1G0Bd=ywxF!!4NWgv10RTpeo;um4pA=*F`EU6}
zM^R22qViOXloFIXos5*V+uc3vHO|!xc#@*(l7JE5ayZr0sD-l_2^hBrcoduXVS*+^
zV)wPMT>|!7J~T=q?~C5wdRa9|o`1zbZX13{W)*&~b+N9R^x)P84xo8h{Oomdn~R60
z`?Spi`c#a#@M=E)Kzy(BunMN6uQtq6e?}CK0tC*;2iC-;Vz*Z9Z-LddN5i<}uSUn~
z(_N@Yh>zi)^{HqVmvJjWX5qyDY;zaN-ct7PK)R*jrm76$j7{R4QsyK50C41#lVhhA
zOXGhD6!ppL7lq>EV><HJJ(jsrW@Obd91E$^-EB(7=P9G<r>ClhX0UNzE~l?M&O6oe
z4EYpG_{>T{jEDtzDwVtZ^4Cs{-%~ics=v4Y<hbnpp!K|Js{ofLtcHt}GLzL2Cl<a&
zfqUm)C_K?(Pk@&Wlofwm?4PO0Hn<lE>(rT9teD(x?(_9(xatZqd=X;!QaHQN-wZbv
zpj7H~O8*=mgM+uK<}M+a@c~isW#O=w?>W|+cO@btQa_33Vu4FCPr0_*ZPCz{{v-C$
zU~6+9<PVJA0_NxYSMFb6gLYwLRcjTf3?B1g?{v~C-5%w*Y(cOCOabmp_Hn-_S)b*>
z#^>8q?Ia?_8wrZ-p7Cj0GU@rua}VP>V}V6S!&!jP5T$Ir{uY`e<fo}07%84<*O{}U
zU#eLjGSE$m;Gb1`+PXeOvv;oJEIP#xg&l7dp<GiEsw?#VQDC@hz;g<0^*Qj)w6~_&
z*#6$?Q+WY2Y&=8iO9t1s%j&J(%Qh;ELyetI2|g?~%l*{O4-$ioaTA{YBB5ebHAq}S
z$yqu`ovU5}yZP$5^6&Lf$THX0h-&T!%#}#+YA{uPpQxBCNzg<+Mgz0E5b~@om^h|k
z%@rxWq?YwsYR`~O?&{oTeS9G>Y)`9rfKQb0+Wpxt)+RndbCJ%x$<b9#9|$ROIySUw
zpLFA>5ku+>uJl0vUiTun@;Rd@2F!v14n4QsK^yc8B`4Z<p!_DdbkNwd<jW30#*G89
zR@S{d+;;8=`CZukgV6a7hG8;@L5DIued#`P-P{~DZj1=LGqo>6A@abT4T>uv?yMfC
z3$!VZiQn~D?%bU#QGCK=Lm<MCRg4smnRH(m;}R~|Cu61#bUi--6LTG7wCi<9T1tqt
z%PDN9e!)g3d6K-2+)i<V<8(8=+Ep6&iZ5THe$!kUfwPmA!LX^ddNX%A?Ou)a;p6gD
ze-b=}%{E*_byk;43v5^;v)jjTKE-GIGf0+emFdIw62;no^H33*XuX#0%r9}hOrfOp
zAoOGQHh*$#gUHJT>^nct?%wS$7jYHt;xDqbMBO86JDt{a<wj;>ZWMoaD>`n7<cY)#
z&*Fut7DnD}yLlE_ZD39K2UtnLv(K=yfJTW&0Z+~s)0F;p4VKkLXUbY9H1;J~Wy4Zu
zw7b<*ayJl}l*Ez3!RN?{xssA+OL(_#r$B1WbuLfjwI#uIO^$E{<Fn6D{VOi?({#sw
zT=7ejg@o`6(6{h;*SRadHqcC=mNJtvwmvk{825Ry<UB3oWXx5(Mf*DmdA(%zFXy~C
zx}5+zIz5FEcT#2qccz`Uc7mzaJ{mW7Bl4qAQ3PPysHa7>J`@E78L~s8dU0|lZXWUH
z_|0!gexc}iPgYW+5f2#XNpK1|)wdTcs|oGvLwq&YCStKH-A-C&OK|g%^`YlOq4tP^
zIb(!Mc1LZkT2iNN{!nJ+h3__-YT}H<03fF6f85Wg6$<(-vBrYr;vDOE%GLniTki)K
zwRhdue3*J>Yecn;J(hUxk45Bfig9@Y?NoQ}8Gj}A3<aVYc3&CMk=FJ_@13~KESr@Z
z;<w2uE-}CUApYgu#P4O73M{XeMP}{TkL?X==!qyk3690;(523{6!9K>RlcCblD-aq
zaJ*UTtPx#Ze<QQAYOCQ^W|T5jG{al0N+VNKjDM~TV5e~dh1ZW<Gx2+Fznt^q%(IR!
zaEd}D9`;eaBaJpsL<_Qd6?<c5Dn9-)$VrLQ(%DN7?T!z5<gh5r`O_g%;*1gd=Ru&L
zEH_9KZ`8k)TANS9eybbu9i|09`4Bgr1zgadY!&iFhs~EHjk9G_4JOT%Fix_=6XJXm
zqD#kfb_h9dXEDHp=3>VqEK89d_F7fPZFyM2Kc`*l{ixq!jHsYAFD<H)8tVWEGaLK#
zDPqR{6+HwNVDMn-y%`pxl!NdKiuwnC;7%s&i?_y5yYI;{e&3cLcC4*86MeXQJL^}e
zg92=VQfHQufwl!yAp#b#@W^<5xP~rwfXyTj*kUE-YOJ)(W<GD;Rkq#Lp>&s}xf~VS
zc^@I<=2+o+X-!l4W;WV!jdb%cYUB*>Im9byf7+^}1lYdTi8<fU(I&Hlp0jFtL8Ay}
zBZ>Nm7wC$J^xBSk_i&dVi`V=rNe;VRJD%bx5`}AZA*nNGYBW5&FeBUhSvFJ=mm@bX
zrFbyp-_ozp!;br}Z{d6zb=sj=BV5Ti&v#O=*}?hUPkQRwpe<lUT)YvfpG8mpb=fB{
zRJKl`!l!uJR#u_H1;kSO7un1??CP{M6vQo-lVR!v#A;nOmwq9K>1^Hl#JN!^#Og|h
z(kA6vOGPNTheertI2pQ-85ov9edOpNkb_7h9$S0{9ZsU2^d4OLOtIZjO1UoUqcHXS
zfJ#Hg?V60Zx}9NM=54^v63yiqcJEH787~{B<t^1Hx!0DfF5NBBsHo{4zoZwt9yIPN
zq3i3ojf+(Ms=$O5GJ=_6^z9OV&ZI~gkL^=6cR87~YjTy_AfI!jlnTuB2Ka&S!Z6ME
zl_Oj3o0<o)fL@G4c*PCe=g;+;45^)Q9KgGxt9&tVd|EU?@p|<lV_OVa!ymw9f${-t
z!?rgs9?A&+MWJYf=Sk$#%6VMz3x$e_dbS`F3PSIs)Dl9@X8pE2!K>ihyKR{On|Hw8
zX*si;F_Wzf6j?Z{+S+`iq6>0#{U+;DX{WufIBv8`_^mg%#aIy5A;kK(lZ>7^6FIm(
zP#fha|7UgsW=KKy2)4n972qM9e#zzPvh?<SSqWh(9Zi5O8Yim(0=QrDF<EDmFo<p{
z*Y^!((D;GmxnR^uB};1A?M+cFRDN33LA&KwT!2xlJ5<&xHd<-VH~9(lrjy5`5rf6s
ztCZUy#ZpOaj|=_EhFzpyvJ*d7^<^Zrwk2rpwS*^<J8$z|Yur6isx=(_&J%|)-`0Vc
z$DX?i2;69D!?E5D4RQ~GYHPrKb0)x(+Om|^pF9}`-0ur&DvGV?sGcjN8wvWjg}mBx
zz*hZcVrxe(iFnZUWxkZ$qj_j~kU?B4V4O|DGn-AV-A?#(=RFQQW|dDZxNy^v(y-I1
z)r_f0Dr~BQC);)}?CDCf3J9=`RUt2HQi=W2Aw1}+prx@z_dGAdM_}d$>~qc<wOa?F
z>vaeFzBZpq^w<Gk;mZqaPES*t@Py>W;*oUb;uhdxP;9QQ52cROuzA^36o$<eNk^f!
ziT5#2?;$4=Oi8u-(Us3mBmj-MiRM4|3q|9YSk<yssTha0^1?_l`l)FMgL%1>O6=Cb
z$Ew<cQ~e&TGp<%F(Fs+S(etyoX)c;yh?U;qctC%`Py8Eg)$e#Bhg29FU$#_Tel0fI
zn>BkbVS2N1N(E3*SM|tQk93q#Fk~PosIO#KNvdXNx<r8RjU$`TD_Qs|%xqTl!*xS;
zl!rYt8q3u0nJy+H&eF?zCg9bHiq?<ywPV8(onu$p+r<eSN=U-Bfr$l7Zf@s~Yh8m3
z7%hpdh}xYPk+rOiqE5o)JPn(o!N5x2P{N{k4-XxHM&nn&F9_e7o|F7Z;LArkZFnl<
zwu7I%ab<a%$&)C)?QM;(KW8bS=Sxu1kI=ha2BcK+Nr9#ozdp@0_W0{UMhZKR;L0aL
zuuYe6`43NVH+%#P-;ts1X(Js6n|D9z{FD<ckdv49Uh{h7Zh#re7g4mP@ApMh#stOm
zkzbc2GajMa*-S{5E^@)CGby}T8j~j~n4{wL0Sb%jpj##uexgxGU1Q<Y?%Jgu`i!#2
zL#QN~^PEzI$kJBv^G$c>x`jjte=fTlU~F2rfj*;81Jd%Gx$w6ESUbb2nl1BEyv(R|
zw}amai?YBswBa}I@=%!`JA^5>LZ58l@i<Wqw~Ft?CB#dWviRF@G?nG$k{aHPg24A-
z<!uzHh6l)!6XY)RAmm@*eut`PN}9dJ8XvxNZ1E1u@%d_N1J~Hh%}o|Lr58Ou_r4hp
zi`HvTgcM2zgpIRNeLFri7Yt`U@|w@rXlbq_Y2jP>vEevgwznObRH*rFjd_4wmP3mJ
zYMmZydiE3Pasjp&toF00=FO7rA7$`Tu@{F)6}%wGH!fw9P4FDT*V>uc@$~@{UDQ?b
zpj=%~Mx)CW;R0J4@R5|XzB{dm$wK1JT1947uLe47uEgrP%;qMbvyuZ$z1?ubc!xLA
zo16BEmt1UojL4=3`|k0C=otR~it~G2U-`#1Ja&fdk1wWlc?rRi^M%)H<2cOqeI)kV
z-JpOa5&<#*9wHWhyU8vTwVgJNA!^y@DXVulPS`Pd8GPh4BAQcNJh)gGm8rwj%H6l!
zO{M0eOAna-*uTAhPn32X*j5030wkH{s0uf(VoaF5TwkEdXMfa7rxAO(`lz}QjKlC0
z?KCk!&L~n;kGXCoIz~28=Ru4>pY>ayJa;bxV!Xqs{!BPly``DV$jy^{iGcO4517-f
zf{7#2L#LlncG{z?KV|BZbEvmsQF634>qXpcrxYrZ<KlM}_cFIH3vVEl#0I^LoJ!u>
z=?z=$U78uy)j#q>On7Zzfsn`IZM9ePK>=`I56Ywbj&`U25TczXT?@TiBkB{H-I`LN
z9q+j7j~~=Z5SJb656pCD?Q|Yd?<HB6+l-9_e%vl3+RN1Id30vfZSV!K+7{(4^?pU`
z6dZ-pjq8Gk5NViY?3I-vncZuk|K4`(ZhG@*AD17hFcAM&Lnoo!zd4%@NTCf3I8cj5
z<cBdz;u`sOvk798FS$8Vtt8Il3rA?^L>$6*%tldBS#SuL=?y^<!q;!n{d#*RqZAKp
z3WyxhR>%PDijsZlkQO5zeVu1sc4m0H^;Nb<B-Vvb3h{>3<zW%En$jL#o7Z<xTT3?A
zWH10*Yeo{MA_2iXw3d_(7{=4F0#r4)6OKLe>z&H5rS5cH1_z$~+D({j#xzdx*qUR+
z+Cklqt~dr+YhlS?z^p)~<+)leqT$bkw!tNbevf+~6Q`mm2RHX!>TDFmd*TxK`%|=g
z!X!&}J}1^7n4Y;`u&H~l7+hHOxVcSguDK>u_QdM&s|rNf)?Y6+&(tLG?!3uFv<$6&
zI)WAx33`0tuVdCUlMH7O3`HOc;I8lW5=z&`$jV$6Mke3}_t&>y#5dHy2J}=Cx94+G
z{iWv!OLI<wo<o5Q4=#)hRxadh?!tC`2X~LQx;vOpBnTQL5Q4O%6`{ZyvVb*Z*7qP}
z%V8t$RJRFw!jN8gAvw4n$DSEls2f;W8R=?0eT@`+BAkmVm3}0li})0`8&d06>Mb*@
zgstlr(D^Ep=C<=CUkM!-d!+ER5r+j{X8u-9yVfu<=OP-4^d2)Jm0x>EWv#B*d`LcS
z)M1<TX=k#m`EE!W#xwkBm!eJ+M+Xx&Hp<Pb{ZZj&A!E~BtDR@(^S6j%`z3`<H3K<n
zAO~5sM|rO#uCjz5giv7Vjg<BzA}5Y>q<F6?H1y>{0bj~h?D<c+O#AQ!nSfDM-$$KJ
zsrnX+6V<T?PVD%vpke_Z3=2Fa9r$z{_9ipps3$R>s07z?^Ou*ne?P_M>iZ>go@Wi|
zuDzww@fypQsa)4|RDcX8JoL@39m##fpMQ`V&}-T`c>U$D(n{dDrm}%Sdpi#gooA@+
z_y;R)Uk|H4A|TV+{C&pkF!|B;Ox{PtfWE>maVqwrlf?s<tK?oF*?9(y)x}><nE@#z
z<f5wS(erYcSDl?Utupl?uPD;y@$OpQv5xI;FXa(SUo%R!SDo)Ft+E`(_!w9~7G?TM
z3s=ub41RrR9F=6+9Q6|UBgry9m~$#=eG+G%M3NcSjd+GCF;ax(VI~glia{&+EWnwl
z6VvkQ(0(OeMCT15lc&bm=Y*+fD}#yITz-UVxfjR7Ho5A15ki+NXr`;iGX_&TZ7l5C
zxAhWBY-QppT28T=Kbhv#-DhL&WxYil0wFfz1A8ZawiC0#vX%{|mg9te|0F>VxfCAX
z{@vw<W4`kbg^<%9-p7cDe}D{f##7*+(hl9adB{EHQ>+4cvZ+6OuL7fZ_6pSqNNJq8
zDvGH`mU=eBTbu1#c2b7d2R4jGRW0y^Bc?jK+URzFs@9}ks&9Wx%Im=wKRuWth_jv7
z)(FbFYLkSyuuwD7;GZw%G`;=p<5gb?X(yx8>RARt$d`Hj6v1MUcrSpEzR`z@2)RcT
z+RB{js-7Z!Mr}_kSdZb-n9hpOfh^Uy>TXUmTN0Zfy_~^>K;<^35XPyW?QN>Fr8{co
zVGnW^q@O;sR9V}PI*WvZwVe6+pywBB@l){bxHZ@VPj$2N$jNaQ(tv=0tI7V;*+ot&
z(U>N_*b1^*b5g<K+}1Ro9rXj7@BCy3C0Z|SzpyQiA^IF;ZwStuK$Poq>u2!wWyEi&
ziWUl{%$?bt3++v9&HAD*A(q{|39vYVF1ejV+}#nA9^AiQv@c`HbjQ?2;B|f@a1Qx&
zG(v*L8!-KTYDqR6V)3Gpb+6M2_P2zxvB~rwh3-(S{g_W}Xt*Tl=-S&EQG%+JBu#t|
z^{*cA+&#@fkcU|HS$^<<)j&h+8`q&VraL}a)6-au_?9WwYY<PXGxdB_UA0y9a>{J&
zj%N~W#EcQYj;89jFPJC$7xguy1H{WbMc@eR<f*%rWoi3&`2r3k&0jkYJW^ItCkpY6
zP2V_HVp+RVKzBX9s_Adzg$Ttiy4%?&oV9F3=ke|PNRtF*y&@kq_M)V&2c3y-vSoMq
zyr@#N&DVIciQQ@o21!&C$Z?1tjn_Ji668(ErySDk){qz2@uO69!62UkV%?fjO>u%;
zKw63CjCM0=dZ+QaCqD`JHsy@13XSS@5^0Ds4s?>w0><#q`%IO}Vq<C#Qk%6-GfcFp
z%fKXkqrKr~itxGZWn6bdWbE|Akc$pcRlN7bX?vy^6f_5d(uVaJhosbW#6s8`+-=0Q
zN{3a7`jO|Kq2PN5-w*L%B`O^<5`fdX8C9P>#w)KBofa`7!OK73D%R<U`7FKTDuWt9
zrh6|IrgA!##CsE3hx~@*Nmdz+*QPc;W%uW+_zPIzgYBDnXZiHA->{@9N%9C8z_O(S
z7|y3e4M=SZfxNhfBf)s}wDq|X+v@UCEqkpiZ<g0_u5^E-LaC2r3bWbFuElGthpSLQ
zr`c|*;=Jxx-1e*1xME%DVxNLos^is%;jYbCmlj1)D#hm!AHV3TdU$-20gk8}$#%^%
zG?n=gS+qZiDDz#j$H@f+4NK9D)IIKPvMF|o1`cXf>GAcR^Hp0v<Fy-<j!KG%1bgNp
zKJO?W*rxU)-n-&2kXanbh}^R_cv6Ssh^Ys`!4B(lZ+qBw`(ZRsTSZkSm1nMxRm*F8
zpLq`i3}zwNTADIqP789)9jlaUd7+0?v_4Kf+nwUXbx6=i4NmnHzI4B{`g1*VQx3u9
z_CzZ~kFb2=>VOA!JciY=h1MF`XoG*>ZE1(y$ognbzDP4!S&6wYNjt<aSaSQ`aqK{u
z*V$)!u!;<jb6n!X#=2~^0ROW}5=@i1HZ1P?H{W<;GPg5c*M!UmuBS%2+UUntdF2x;
zLS2q0C>O<hRuoGu{ph5ftkggrYt`5H%$p@$H<(ylw)Z@ee(rVob|S}3ql%_-D?-Es
zM4!=npcp2iC;hV)_V7$SGh5^QZhzLPvz)nnhF&rO!a9}BJ=%U25pxgyGOf}=s_qow
z<We6L><-jx)i%x>DZ_*C&OH(o)4Z=!`+!qxW9IMO{}pbe_+lZUGpur<ux;Z`m_+1e
z$^zzom8nEe6aSvv^kmH_BPga^N#w1S9Pu`Vyliw0%{2|`q~1aGP{M}kN#$?oNzO-n
zn2F$dHM4lzI;Zq-lK8olgL{80HxtWyhPBfINbag$QZ-Sc^uc7r5u=4$4iY+Fy%9-A
zQcqf{b5d0!l$i&m4a<WCd_U*q<~ms=6ZEp<4q7VDhD_9EsCql^J5sDUrs|jv_lMd)
z<p8u0$^<5%z$E0S&!0~_84xfvia#5JS{ICT>u3Tso0V^4W!cwacOHgIeYrO%VCMMU
z-1hDtLTP`Mv7oU@?gHm(Z9W7yePUGfNis|ZLCVdY2_h+ZxxJyA#S#->w?)_6I9QVN
z)$Q~TRNC^Of?Txq#<yr`#p1<`ua|1G=^+08vszxINh9r<D>Jh%8`_i<A!6jTu}~h_
zQ<&>(CFfHSlmAI6O7q*oyJ}ZHkHI%JEN8tk?}?Wc+@;q|d}@oO94}k{N&!6mP=@;z
z$i<yC+82e)pmOyW$H7#NC<h%>0g|@?CMdJrIue3}hm7tU;}0p4=uLh!$LV6y-`_Rp
zn;kLQJEcXtX`_C*2`}C(Y4};^+$~q!%5&15`;6t2jU;zT-^JvW^&!XWqHa9#HewSK
z6ZqW{cJj5>9(L7jfN)R5$<|HmC{{;``BGBC--r&hg!A7aC_UESj~Q5U1yyLXX;Rmg
z;*08XPyb+yl$D?2N_pYswy=%rClE-P98tXbD~9e-<IJYi)~@?zjQe=Z2yVo1oD5J$
z%7w)-+yK6)?v0x}y(+1iK%`fbgX5pjQ_F^kJA%?`aJJ3dk6O9pkHu24lG^DCJOc0K
zTYB)xnZ+}5MMDG_7nyJ0s^~TK(VOUVWc>bc+d-OX=9=skaVM#L*A|{g9qn|Mrbf4n
z&j=s)iM?A;#<LUDzG9Rbb0LG7a~<RX#kgPhgwi{6hh3?x_ShJ|E=+VxxHO16;fKm6
zR=ylRmSkJjkR>sv0dn2S)n7F(jeWbL?lyFawuxUK#_~sfwfl47@MXn3Gs6pTUzwl-
z9j{@NR*vL!ELMA;-gjs&W^+w<$!l-DNe(6{f}B2Ld6?79d-^oK_XvbNSNyAZ8!d{A
zbvwDwpJBZnb6PYe)%U$0l1Fl5$j@Yq7z-B<&77@y@VQz#YmzMxH2)-vC%vxmVQSi{
zc)#>c1BEJ&H|1w(n;kel`IQBE%s(@WK{8vu&$795Z%hSLKy<z}eQl?@ZgcSV2&Adz
zEJ9PR{e;AQs9JX(s{6I9&JCUEzQGgcp&#xq;&z~7_Pmd};Nt7_j*S3m;!bZZOk+}|
zQH)%GW@rbm;AOlD%LJu5O)8Y$Gn7}N@DJey|98fSyD*k!s2~9csVVI#H8v`+Ic>ef
z1qY$T=tQK1)1S@fUVFVWgJ-O!m$RETcA6YGc=MmZ?0jH9-*KFrg?jQwHs-=Du_qFy
z8*7xkya7fX-NBh9d!*(Gl-9<?(F}H$_0KJWQ7D(L!!lk7z*U#MV{;cE8lIrca_M`t
z)=>e!N@rWN2;cF#>58*`(Gste*ldfn+8NU&pP`v_ksYDmFMK}Q+raGfA(3a(bvh4$
zpr6K`zsAwjcou_|p!`#PQW|no&=S<TH<9%9f(j6`Y_16L39d}tBgc*#3nF<f=0An$
zs2M-_Zj#<zNYtipe)^DwHA|W8E^9%_iJS2zWx2T`5gFwt!qZowG(oW;{j}kt-R^<%
zL>?OmJ>+?S4Rsk8o25A9es0xDiFd2bAMkHKie@f2&V}sNuC8E7cSD`X&_xtx_`-|n
z!&a25RDVv5qK@8WjrE;EspU3fi%G_EeEqbbcS?Byv~rN4oxrHSTY!Y#$iE3`ky#>+
za&9zhM`2VzC(?1-x*>|%eh<hOd@ov2(L3~F?8aR_q0o%-cL+s=NK&Lp%z=HYMH%Wq
z=ow0trLx}JmuaFeu9ef^IRr6hE`pF+V>Rn8L=t|^`+MOPB|gs6@~a-VMRYD-*?$x7
z<L0_+f#?dOc*x@3zr$?sw8{#-Z8k+>gWF<e&NMal50*sMH64Urrz7sKByAnkF6}00
z6RUIjy3*)dih()`MS)UzL+m*aO@aw!nP-#Z)Dyfmn+8`$hrGj<iaQ2l*6-Ir>A7SI
zM{NYNuX6f4Ub_yy?sHFvTZ91G;Iy+v?7egwTtTPXwZVb3i48Sh4(63e(t%9s;QAp_
zO7e3i_V(*1nL_&C_6V)>MQ1_D6}Kh=%1rw$O*Ya~;!$!VGG!zY*!&$JS{W~^c=?fX
zN+N@ADOsG#1BT1y8jL~&WizU=66p(e6l(*lI@w!J85oZ~W2ETe%FlxeGk%M%Lk2Pl
zv+v{)rgOZ^R&vi!bu$|ox8J}WmvDDn%h?_W-E;h83ZW1m`I;U-tiVLVuhmn^sqshS
zrUla{ufDID0Su8Jxd;<wq%#9Oe?sEotSc{{{Y_lC7knlUdMOYqt#k##*5fgF(%nHe
z_?1{YJ~$%M8_`)Qc>eWKh@?~y3ly(p7fWFZS8HucwiLTnRswat6&{#5g(iDLF3Llw
zA*_2*Oc&bjhpImnic@q~Z_H#<d5VbYd>WbFf9#Y(F9r3PiBLE3^Jnw=sIp^+O9ahd
zA0#XT&p`96Wax}F($h|EZ~KbgTay<?QmLn)3_#jYR;~9n+CwrtgF3sMO^ZYm0)mGH
zPbfmw#J18Zp(NBYQY2f#Lr>ZNIm~0wiEesooF$v8E|X$y_1ze#bx!RH1d{S}uq3cJ
zG>{L`;)WN8jYv)>>jUE={G{>?FXKMxQCW%IumC+o-srteVVxX-boNYFF$?J#hC9<F
zH{yohFt5+mT`Fmd327B|!eTtO@vz+^M-3QJyfY^FJtT1hr+FJmQS5{oXCWw)sSP*2
zPFXk*${<%^=lxP~<*r%oVv9@|zQ>6BzFv_?1!CpqgS=tna0?~G4dcsDC3akF?kA%j
za$1<a>(&t=UR9^@^xAY!5sQUdR<dY^$}7Wgw|XAFf6UM3yuF2}`J*iN%v}4FznJ@X
z2fFT6USS4{UEgYy;XJc%h%s&qRVJej=>r~g1Y&$Phh9RCU!oP7Z?UOwGTm8}Z*Txi
zpJPp4GOHMm(1#l-3uO=6Y3QL)*m7~dbMm&_x?kSfm1VPKLV#}t<+V3@=B^(~lM-j8
zMw~f6SEL1+phppR_o+M!rII3S<D-pH!4S5_Y-&oOumpj~GSgpo{TNyIq|qn((A&ER
zrFy=`q%<BH(HrF3bc11@RQ%VtZvG)}JWM$aUpJXOSM%5EPEw$5USczGRq4I0n^#}{
zQsuo`uo?6kSVapa_h;v10qp*|<3<4FlsCeJ43q_X8e&SuH*YazYqr=UzEg48Wk*E3
zRVg}+r8oyHIGT6{OitKEt{+Z*8(oeA{gos|*Xlw*nYNdZ_diE8mK(74^soz%$HA^L
zyCDD2LrLr|6CJSSuC-sb6uDu_!4S*NLuHgPL3Zv#YG@_iZY}G-iUk&+>M!z%xkAwS
z`c>qygzXcXsVT%vqPc|o^+qzm>znX-yM>Hye`)hV6x!bqT80DE!*Nj_>VP@KE^ur4
zO_f(_Z%E#1R_#MnATQ^;x}6m1bK3Kymml76tUXL)zgm<)$m;i(u6b;YU4O#ucAFc5
zi%+0F%YzJ5`#U`k-TGW5o!XmH(3epzCo|;1(qzMP^r|`s;z43w5)3wcXs;T;MlLxy
zLbYQ^77wWe>NMvk?-jyk$Tc8<Oj@qt%3EC}L(283B9rQs_3`A>D>B=GUvGC-L^>)Z
z9R@{jpT@HsdL@U0Kpn22YbYvBSSOpbv**V)r1fb;GdH&^hd7B-=gC^Sc0H|AwZ;Rb
z$VA*~9Gl~jiNBwy0^^bHcm$TAYXyRn_Z8S<zpL2ti7E2*wj{*#jguq2wvTo?J!%-{
zfU%oXx19}IVH$k*FxrH@`bRLYPp&I|O4Ql++F=VW0Z0o@%l$WH0ekLqs*8IMk2`m&
zM+W+S;>Tj2A1fV*H;FL`((#l!9&=;wRS6G72;(S7-nW<Lr2dC8mndK0C#L{+rOsL>
zY!KmmCUNDUdhyUDuzw)IgdOgY8L`>WERYuYgVc~8e@ILkFv_LB99h92J({Eafs1GA
zykmj+8#39A2926z=sT3Fk|=W&Yo|?R^!mGFA)fDKNBZ<FYX=+xpti_W^P>|I=`{GM
zxa7A9=?_KZ2m$dB@~S|{`*%2fjdOWHasRuQTpBCx)rsI^Y~_isKv_+IIR0?NK(2h0
zw+z})q5wKJZX;zNR33-1GaL_dWiebg8Tz2lu<<cq@!Lvhuy5-`0Rl0R!AK)*|3O0)
z^2p{OU|I^FgIcm4GP!S<h(B{j4Ro>yAf_I4c1L`<Czo7V=Mq?O8ZGl4uQuln&=uW7
zQA-I!Fl>yoIqk$GI2H|5-v~sQwLLm1lE(;)ZjV>sc!Vwt>Gq-DKa<YBnr<^-f^xHJ
z3erFtz;?BvV{uT7LIssUUm4@nkI&tK*Dz&ssiOuE^+Zqz1AzAD>p;2kv$rm7oJ*CS
zCevY5gk2bsLGZdDxPhhy*m){6DeBA{^5z6WT2)mJb}@Z%Q4-RKyeg3F;EHrBZWEkN
zM6{f|MsodtsjdNSrjO8%ssj}=!dUv-*9J<3v0|Z{Jw{1=%IR8x+()07@;nPCp;iPJ
zU0&FT(T5l9N`j_5v><4+br}<!g}Qvtz;aF-TEg@nb*#L%lB1W2U3Y*Sj;B==<PxuS
z!clSM^)KQFdxGZ*QN<<8HJs|X0>}cf9nj|?e9}pXP+Vw}q5Ul;UG!WM)L^>@<YpSV
z6acL`UY;4>>tYg^@dj!=xJy9slqNw9&AN}#v6S%l68xFi!g1h=|5zUw!f1>IlH9v+
z{@RL!y7ftz=eA>!1ogZ3zT8dd{)=F+3V;%ugf|x;_Ff?GoqqC$Cc8bk;$EM*KUi(z
zP4c9<APH_li-Bi%@?7B>uh*N8^~&%1UK-=t4dQx9CfMKzyqfVIn7$quKm--IfCL>7
zKwH6>^?RBlCt*;6VFu0@KmwWI>ey`0jVXKF$g8g`{<--z8Rd~CWsGoJ--_M61vMa0
zps!<`v;pPPtIWZ85j6dWCTs1?a>H(UjbSJmsO;CH%SRfq)Fz8H@&m_B;xgBHy(@Af
z=m~=RNH<q^nd>j@i{hfTcnyOCu!gK_{hMZI<A)7isLeyzTnaj-d#B2hkPyA3(BtCx
znap8Tabt3ddD<)2UhC{}8@@`^))DS<919iymQfDFJE}P#1lMyTE{sUUj_UdsTwK=k
zz-f05fR2VLVW4#aox>eEkiSz=H8#)CP7P%clB&3lq5y~a7L!vqLmr<~bV?oBu@T&B
zU%F-rw~Z+?$}jp;#8F#e<}_yx7uY7hBR8ENpxIs6>yay@v7P;n&~H$|sVxN@ZP+~?
z{V*oKlb%b;uCjSdwR;2VbW=dFzV|}jbHNo*rJG1)_D$7ASnaO*ojVLOSirIjKbdlX
z{Zcn68%KiP#?7^AS7y+^qB#m2m<LnOSl}^QDy=CEM>5kj)<52j(vZjjO}M1~^Y#mR
za9j2y+l&uh>W9tvCn2^TgV>sL8@=U^GV`i$(w~%Zu!D%1(<YBtxeMW5om;5X&1)?`
z_|skUS2Z&jw@}DbErq6*p}!PeKjrw~xVAwp3atiK<}&X(djc#i{GRbUJ&aC%FO0eB
z^W~XqKw|Wb%asuDMZrJ0VO04ZSkUl7l%kYL$S7yh3iO@r>Ka!Y{wqaN%TBcWtt+&k
ze;(Utrk+eRsEkS}xB(PVl!cXQ6~VAdb<wEFkej8P*TmYcH?6pZpC1<LYigP*^4@c1
zpF9#zIdiZRk6$(j0>obgabO{Gf%bnSxP?X6nG=?*^GzNHoRS$gM+ML6_wRMSuY-D=
zp_VO+a{>?67DnWe={n3(xB$3<SAMJgZKc{&(Sj7Kj#C4z9#nD1&6@d@D95CJ{T2W}
zj7mgnKvjL|yvv$m-ZN||$wBJ9AM?4$KcKLr0#JR8=qmc#3cIirlN?0I*+6%?F%Rz<
zQR1@3j+be+6T1A|q}S<guMtqtIWQMC;CH}iDas9StUDTgP=Q5wl6gRG(lmg)==`o<
zO_1Qu8f7iI+|glX&+p;L8ZS}Iu{v;~C;QqWrQ>u@O!cF*j)=~9N#Y8v(LL3kKANe~
zhl@o4xV3>9$v1#h{Fi_SX(Ha`@LSm>F9}7Purk}QoUO+@hz(rl&yKyRjmT=LV6>Sc
zdFdEiYE)hVy^Lw%u=#l?@I$|cI*+3CtvG*^JMI+gvDF_?lT%@_58Y9e1b232v8;i^
zRLrKE$^6QrbM5<G6CXECOWELF420++RJFj|R@OwwrursWhLAX*eu+leNl54+2&#HW
zJ>-)Ulcr0Rb*@0pW!<1HglhFgXK3TMcWE1baf&+v%<QPl^8FG6*CzEu75ze3PtBL{
zLaK>dkk)_=ipM16Lmu)^H|$ni7w`14X9)|sJo2GF&7|RabTQEwsmo+`K@W9VMny+T
zcW;6#0Y0LWY?Cf~YXZtYOGAd{!vfpyEv8?7Ez+E34ND1LswEpt5c7yPX}OW!f$;Dk
z%$DCgv%hz!+Ge0=6D+Yl1vfAimmy`9U2u}0oxB*p=VLLyekD)M4jOJ5bOaD&p8o@G
zFEP#D`VcsacaXHoIKH`s8~aNp;o#B4M;7GF{dKO;EMA{Gz;k<ExH|2d%~LWioyMx(
z!B7YGXWRgJHhahBWq*_I9OdecySbT<KtY>gklR^u)OL|sHaPj<el2vNMnfAHMsIQX
zahMCv(P5LA7%#6Oo$dB9AFL`T8i?)xG~0l|6ECA5z0fORr#xq}h*8W6WjXpVS{`vv
zQP9-GPQw2q%eE{CQfY@rd=frzDrsOB_Q{CQ;ik3IC);8Y3i*Hgu2;gUa!%om<%9!V
zKMt<d3zf;IPQY#IWH?x;E>n$!CRlHmWt4}brMmW>`0sq=2PD!h29ESsB%1y=3!PQK
zX$$I6=8{u*oj^kGTZ&cT2d<u{J8fnPm7+7sYbvEvmlR55h?fcKv*#;)XAj-iKaa@3
z$bV_!5%Sd3Zu+B|g+Cm`W{Yp3%O71by_c<e73+Gzb|Rpn=ZDQQv4}#I`1Ug9u0xFT
z8#44Z0KDebf%k_Z2{uMidTBY;Uw>}VIGerGTBPL^<?6H?R?Hn#DAP5%btnh3NS9Q5
z5`^v4T}RI<le{*!&$fC%txGl_+kh#;;HrL!B*-OYY3~*t@3i*c9Mb@CL@I#bi1Dl@
zj0Z@xb|Am>_0c8lYi`X>_LD1?YKsJlWWTpOY}?TSOiC4!{(XQ3xH{6J*Axo}9Cb5Y
zs}%)tQZPME!kFuW?BN7`;y_auzt3%uPc@su`Zix7_@$L<WUoD6DEDw^;rc&Y*AuzP
z>y9si(Ca=EV?DbUw#_HjU=L35g+83`_WRV{ijZe4Q==^nLJxf&Fjb}m<LrgI^UP-@
zMCCl_y32GQk^Ua`J&;N5?IkuSdWLA1cn8gQUeT#j$45Z3vcdjdSI>3!>@-(@xK29i
zflcuz3)Fxm2+_K6W18kM!#+72)#X^$;qp8-BSkV-IhhhShgYA68~<GP97r1;=90<w
z&H_h?ICDM%Qt*42(gi}S0rRvK%frs62rnv^X;HWajC6?iGO!aGQFN{_cEa!uk}=W4
z3+Y2Yvwd%EuT5A{8$q19mfGxWtFd?LIcy{Ru|Rdyu`+v}h?qiU191GnZU$h9wl?V9
zF-K;if5|f2nJrNATVJR_P`LX<7f&Gu;<oxqsa&tJBd>>FOw;uo@X_7I1T7TLr$<ws
zP{WAzgFa~8WNiHpsptg?Wq}V>j~8WGWX^gNuEgGcT9rl%JpcJP(O(BO<=M$42ABE+
zuW8)R*4dNDTida7Htl<yRq#-$Drezd^1#Y{j%0pzs=JsCefpqqKhnBu2!7H$_Yhgn
z2Kl=gg&grVQb1e3xQw}cK0EQ{p*^|;&^2lcN<17AO7|vO<38cKaN33zvz`G5@|#sy
zE+GcrY|%ZrkgI@TK>|q%_)^K?mba3i{9I5oBXo0X>B&SUrr%gld)f1BRD_cu4@`;a
zY><wLN9IQsJKXS6fnl;up;W$YrB)%;JOsk`K=+k+$$M~4>TeLPB~NN9TdePCM0Q|m
z)$2BA80$Sz^E3S%A>?XO-!4ZXsl*>6bE?m*K4>?ndeq-j$9{V9N}U1LHO+;wj;D7&
z-Y+3n4fi(lvaV;b+Buq7#=V5UF6l@WL7e$Njyo8epf#4W<W^QX&qW3be=0bABvq<2
zRxH6Z!r8n0Y6}-FA}EUld7c&?i(5(=4V&%GOCEmklS%P0019<cfMD+{YmNa9sZdW|
zer$dZ{^dvJgGs_0y0Fx&6C66J`EW#yd#EOoTYY;z`+FbVGmwxtRgc_Dw}zdWYdniG
za<yHasLXxy24mJ~UH2L^eWd0Msjppef0G@TpP|%kv%9T4I6!0DbKwb$Xp?}4NS2WU
zwKI$u+~k%wrlC|yFh<rq_;fC3Fo1DVyhz*xy&6{ifQMlsG89uD-xa4zHK$fe?BxLU
zx$iM1kg7=vzE16`cqO{hkyBMO$8fo{eMLG`jG1cAIwKU5@tpkyy5qBfK7B>J$b9<P
zyGfo+`e`r22>d(w5}BKBAr{wrzd*>V2kjkOcueVOl_vEG7B`N4Za1mCi(JQ%LO+x)
z%LR9-%EYJbi4B+g3doS`-R7O*pvV_RJrqJ5OdESQfTD`J#BM0KqyhJzYj9Hzi)*V+
zQsQ7*WRRPUa@%~69fxsu%hu73Axia1W%*`_K$=_%SsqVha1e;XXeY0{>-Afl9cWp`
zFLGLR6_yO&!Eme#NaHT$7SWuHR530WMC?oHYTF&q#irR1=tF|?>c8`IaU=CoyQk5y
z53)!V^j~dfJ|m=JM)=|lZEL9_h{rbcm<DqH|Dqy59W+uUX!2+?Z6K8Ke31~}VVo?C
zekA5tIN0v8qGZaNwGz(t5;OT;rw(1->xX6S^E#T+h*)vU)5%Y=rs>LXi0MdAj+;g_
zHbAWxkp=)R9Ql=@cuW#4-F&$w`aZn;mEq*qrR{<3=Ji%L@2@h$=bf*iizq`T$c+lU
z-#jn$-9e5Hx;4^V$q)gj>K;sv|ER6*I0!Z{<AhNedc0}h(j&+(PYv}B>@2aW?q*5s
zf2}mM{vi=ehVF*WFp)fM{{lXbzVRD8bDVgO!5_U!PvtQb0iTC-6&YjZFiREH&Ata|
zpVbDt$IqDJ;k=GlFWlYtk?P^{0<9|b{>rGhY7OGRM5p0uWYuMKvsP%Tr!MuZD%G?l
zNORl)8;V;h%00!|mQ`ixU2dR|)55;)x|`wxtRb%hQ=H_>?70-hGvAy_MdHnA#)H3K
zNXFGZ$_VZy(2t&wX+W2kXWY>9mbl3;svhjJ3c`Z-xfx$Z3+_-n{^Fp2Ufq%M(2F?_
zEJn{t7Q4t1^5(;{5jBDvNn>-kNb!-=0w9Teg?z-oHwq*Xf{mN<8_Ep!UW2rY^!AFt
zd5LJ;Sw#WOb>Fr{t8eMy!4b$g5We*^*vv&(KaYt^{%Y5bw^v%F9TA4qN&?D(Ovuh%
zJVI{BTpx8A<Z8~I8uq!Fe#1b=NMWaN3Cts>;_JC`Q>A+|LX)W`Y26>c8*!nx=g2m}
zFyLMcUs`9y1+U>Ab2e)?m!4WFy1aV%c$ZbR5t`6cM&5wTEw_$q7P05>Be0*nwWHiX
zokHdJpk&G`N^mSHr0Jcsc@|y|6?#QecE!+z6TN+W@9Hz>R)ln@Ehf^(bGoa6T8(*^
zu?ZX*n<<;(#0h7-64ySflSayLE70`aJi}h!SbBKipWj^4r+EukArBw^jACTAxA_VQ
z1rZ$m*ALybeMdokP2ly2!F#`iX#1k)8y{CkYkiI{f^JasB}&H>go-j_-(Wx$&Q-cX
z%(jB%xkyC`jzc!S*Ed|?WrRpw0PYdr#~<^cV7_J&-RN@WLOpv{7^ciI%c%q<D9ps_
zy`^{hrb1A(gBl>~Kl;$=XhFra8<gd<Y;98$bQb9B{V<wZ6p}ok<UiA%x+glac=#g(
z#SY&4IUnuCn!R>o)6=!PA9?H;(!a>+DVmkX33cXTQb%j7u^DHCqtk}cyodMDFAfuv
zE#Pp4R75RwCO!6#oNLwPZhFkmP!>bC)EPO2m{^akqz&t`AbGIoy-Jw)B--9}JSt^7
zivng*P%$BOZu09<)EuVXIp{~>CVlE$ktt0q?7nTSCix7Z!ctwY`QTe{;Lc&>EeS%1
z-dy&NQc$hM_?q3PyHO~VVP?CWYv2~*0c>KV31&Lq|7K3(ywCYLHnbv?&OaT&;f+1-
z>`iLT?Xpx^RC>aCwl011nD2wD?yx*MZmHEKQKmY2J0FG#>Pg_!v`s4(U|*2K3*nw!
zpxft{4L}1Mz&2!d^G~R*v-bi|%pp@c8mu~a%WN=t{yH&W;++SnD==}Gui{Hwc+Cn$
zG_x*NUSs1dWuWVe_f{Y$_qgGqz1{oNuK1xC?3QmMVz2n~sC7m@n+=0ckCbjhP+hpu
z$LNGxi96PBlUk%}D_vU5R-jr%Ex=$?nh^lU4sWXPtGuq5gBR&9=hWaCXTwC6#JJpN
zIPzJBnRlsUFTOtN)LDtXawf-qSPzRFFX_aOVG(bM%eYV}7|Tg5Yn@D$#od(}zd;R&
z>+j2s(@!csb0gF_i{`CrKbc>(LWZ*N2<a;XZ3%TAHZ=Vs<B?b85HN5eLC7eL6=@v!
z+1@H`Az70i{HB2X8+tC@{l(-uZ}+P7&wqMujcMK8=yd0^V`O%WFqbL6`edJzTQR&Z
z?SQTcgvL1>MsBq?joLPqzs=92YcsklL<)MMtFBO9U8RaS>|ZRt4`Q$z7o@;`Pm(8*
zDdaQZSC19xiDohu8;r)_>*feBpCDrWC5Cxoz;Gk`QXiwl^#_Vq1DTGLcWPOshY;7w
zmrfiUtMy1oFBQbiJqgWwXW}i5F7Lc@AsbADpJApo$*AW4eiE204FIA_@~I$SG)^vo
zPgXG!6aOI{m%+kJLD-0~(Ygzrty}iTdop&Fok3?cihS^>N#K@(sed8-f9!qrTa;bb
zwvM2Lq9`RuE8U1R3@V|5bT^`ufOLZ+<xL1mH%fQsFn}T<9nvtAbPnBo`x@`(dEbBG
zJHGEXj^T=Z?Y;JjbFFpm^XLm2Qq+2EVa=WIU$0(pby+Vdw=tJ~_Mi&1!U(>jXk&Mf
zL2EkPk=S{B-r&F#%sfsGDIrn4O%YV`b(Fh3<mHC~r8l(nhKlVnOaLdSZ6fC+tZyKO
zJ;-n_^boC6_m8-^O&C7M^XZ$zE(22rKdF9LO4hz>IgV+zEzuaa!Pz+uUYX4p7H20c
zV&fJscy%r0gR5}(!7g$hFR`1z^+f9YLWbxMr_d5xxZrAm<N0-1nu&>^WtGv5nK4ID
zWozUGy?@bwiWO8{5QLob9`BWBdD(jw9ny=}S6%$t0pNP7K0?w!@+0BBbbyMg-c?nV
z9q$165#Z23t%dbXB~J9T{R}?m5~JIF`S#d$mHa1_`W<vI9BsqKj;LEU<nPuJKuis2
zoY713jA3Oe1~}IG&;MKkCQM^`&&Xq;WO3OuY?Hcs;?q@7yvohf{$q96Hno|5r@T|G
zMZ}f(r>Oqt$_0)JG7op{0q}wjhPlTe0V#?ZxEq%mQzB4fC}R*2KNhb}cV0L+N%AwB
zeNhZNTplcKmreD|Z8{!*xIvy}^s@B_H&r9i$i{fQ)8!cr%Ii~0EmJXUW;2{Zcn>2^
z^3+JqjH5PszBM+3&J_NNN_pl*_*?aj=CcIxV2=em!arT|*@y+)m!;pbY>{jy11W#5
zL#|;8Pz%SC4vc`?LIn|*TejydA9i6cw48AdG&cni{JCD3h|rYT;!@1;LjJy7=NU1?
ze}_9v%(iI{qeAp&l0v+s?SkMBr^-|X_nqt&#hP_%v4(u76UaNKdvIC22#S&unU&NM
zcyAP<ohwGLm_WW?Bj$O?w{E(Z*S4ZPsOtvO40q_zJS<2msZqQ?>eOx7ByFN+v%A&4
zFyT8j8-e5imm&B_?eb2o7Ru0dLwMmv^b$aIl8Ccay8OH5x`sp)#8*3S41AWsrI}jK
zN;q(!GpoJSQj5BaWO=W7a0MY_YueSa?Iq6}`bg1BH)f@rR(0N@VxA7><||6Osngj5
za|^a}8O*_z=^&8z8e8&v>};SQoJCAm><tvys!LC3>?OoL?s?HZ_Y48f0>e8J%{Z=D
zWs*RL<<W0krMZ{u*0f0)T6~Tz7&m5mT!s%6oU$?pi42#*`lCX9E9#kpkG)(bYhmL~
ziXl74{E4d&KT3WSn0}o}8{Y?T(3UEFoU&j~O-|oi*$8NNl--<|x%joC4T$i(hD6Pg
zx(?PCj>N$vR*$26BRVHvcQ;Zo68X9=^N@ZHt?C|_uurWFVy#e*%NlyQ?@miqd2j~B
z|3!OV7Cjmr)&ze(NIF%0tE#7E`Yqr9s#^XRbYQNSdYm$DrQ3n6)BAM6nn_(xy*rmn
zeoc6rq$?D?(XS}jGr$oj&7tBMcFADUDHWEVHh!#;DZUy2*{8UF+;rB5&DISX9n$s)
zaJR|en_oilI!nC`HsA&u-?97V4p=jVpMU7UN6SChl9YEU_r-VArc*>sgsx=_`zE@%
zpm)b*mn}_qILF663$y3ldn@fc=8Ush$@pYd=5%5nsa#|`)O6Bo4YhlE+#Pitv>}l=
z=BxLq_TiO8JqNWju`{)A8)Snq_Jf54ot55b$yyPPGmyRnNoSnhT35~8e=Z?D;gN99
zDV$g2h^l7vs2KQy^k7p?j}r`p2O+TQ$mRW}Gvj@o=Lt<V(Stj?M>0MZFp$|TWUKnN
zIgUYk@p)CU1vY6HTs*z(&p<6bWI8owwYjlY-PXKXNK*6Bd)~;(z=cmyoxDxA!0`JX
zb(iz{*Ms~N&2gxnJwF3lY_zj4*lP?322|);sJm{IcSuf959)Ja>tg;Vf{-CC(KYi;
zi8YPneRY|wLN<o?RX;{unA5xk)%k;TJjqsP@QFfA?H{2N>;(<3c+lqixXxC_%BH~$
z^1~K=Q<^6(X<927MepsXcwREb;yO^L8B?Y`9awReEkl#ei;|)0yp^dN!_*zCVFk_=
zZEYsy#9GCTt}Ac3Ke)`dT1^dxwsX76N9akAm$zxVqVT2*_NU^WJ(Lj33?6lDqLEoJ
zEs7!3-<4b|PJt@r_jWX<nJ8f(yM7;lQSvS?41r}Tf=8WiRvV$-qqDONulu?SZf<5~
zO;LAM?Wh{AyCq@<f19aiw#r*C_>JOp6QHAfmA`+o_xE+t<}`DfpQ=gbsN*+$dQ_nt
zC7RUHLglot3@AY8w%iwzcK+nzX-V3uZ=~CS`0hT~nlJ3r93w6vaPfBCFN8DAy#(i?
z98zbru_5fBNkiGdbdcjM#0T3f8Y}Kn-&)kX#mAkIZ6_J2jGV$Z?tT7xtM}?WZocBI
zJ0MvUUoyxTvr|m__HL7Bs7>@^NZlMJqW%uR!q&%Lm3bRjivaq7VhDy`_1Fwe1f3l?
z5-)lNRy&B|-}$I}C!o`lSfcy71R_8bk$8SS+nT*EB&`Gt()`Xs$$X=6Tz$&1iZpN0
z`&aedNvtOa?d3>SlR1G+6_N=G#RUDBPNeE};?pAm70mHxiy^}go#+Aal+8KgM+W)9
zn)7=YhFEmy^9n{^WAz!lS^ZF><cjNyC$;Y?nhDefhxbIMuM{3TcLU3)j~nDfU2O+d
zWH2CfZyGdHHTwwmmE58IJtGha#^n}r(30_lHAr?D*k*3=!e3XI*2kBv_Je#rrM|k@
zRV@&sdHv;VT+RA`f$sPaeXh2c|Kod&-1kijD=p5d{6~!MN&VTGT)PT>jPy|YT9ljR
zB%V!dRoqdv%p*b6an-+>we`p)!ZGQo_e$2cL-f@~U8s0ODmLuYm;a^f(F9F`f2p+)
zzi@JQi|nQ~BdEoe0ochKbzs<EaMB>nlcsyu!>77F>U`fs5*_L7(`{~IX<?dtI^%wi
zf3ZLgiII_*3j0-g&oNOJbU`vHW+Bg}dvfx<<BJ_Gw1SNcynSQZyLg0u)q0%Sppd+3
zF?@L~UX}+Q@=YPv>qx9-NR>N(sC9N!>_m={-0d#9=E5cEN-wKLYfHbzHO7j_ZEwgD
zsJeH(3LD**gEb!r5>AHT7?z;Kl6`e{-@^WwzJ0~zg)`q7kr!0W#>`~$7q4(ulTkt;
z7Ga_#co%O%#7lEbj_p8CU}n9y!`W-kl#6{RTq*kX;Z5_q$r4nJGpNRE!dsC(W#e<?
zGEm%9KCTm-s;{_#v70XZ*oizn=DKEW=yrEZ5`WtIXC&XCIWyACjbJ}@EYvVN@$<pF
zDRUPlJ5gKv=hPa=CuI(H_f2Mqa41<1ZzS&RSPlpSw0Vy#e5?+AFtvn#t6Cm#c8OK2
z&b$s3sPw7!))0xTaX>7Uk?UfvUQ8##S6O^{u00^H2p!%(=DEd7utI`axWG)Ff2(~o
z;MA)6I?tZH^dX~>rgethv`uD!=7#Czy4otoLu5qW?}fJ$TrYFFt_0sCbjJvaT-yRE
zi4dF>4pF<Y4NzlyR6O_aV=IJZK&}lRvn;Tzg|M<heEwivq7Bl|#KXZBZl&%LQJn}>
zqPP}O8J=q0uZ<q-p!F=2c9NM)(UDb7%y1>)6r28woD7b^L8Uv53G))k`N36pr0R;y
zEOMJ297tEw9AD2hPR)`<383mAI+K_6e||DId6KTaY`HMQrY`@dlH2GE#|B*_!n4#z
z)ox(m!JfIU?UHw;%JdnMr@Nf}T3V_;m;C3T!=Mmka27$UjV{ip4`I<FeV<}x?~spF
z$Z&H)y@=zP)k}|sC4)Q-(Sn4zVMQ>%X?J1UVGOBNNN;l)s3vO^x3ClKM+Sgo;HDob
zOwJC!J7$R7{K-6B!s40#BAU=L#Fs#N^QiyjoE|2o`$vGF-T;>&YJz6}t9;s~@W94i
zj?;R(UB3INmuvY&B3WBpsrsH6AKA%=<t$@MF$w(H^`E0hwmO<svN=`61C}w4?w*?J
zdsa@kZ+;b0pIhteQ!)Zm08aoSY`tO$60W4gZKFbiF-er2JdHwY1H(B%m%6%6`cPWq
ztmGKELA(6#%x%LtR6|B)+d9&$nRmnZ*X#$ft~fWPDB`Yf_f)dt1X!i-F}j|MdDZu6
zZW$5OmJzMH+XdUDv`TZSa9`X0)T(&$@_pk2z^Zcg;F^B9=o@M*-%e^YC@kQ7#0=J6
z16EUO6;)eXIgq1EJgPYtR5wRA#e*ysqABE#>9;ebpw8+s5d#r+vPfT3Azq^CkhM(A
z_VBXNq{iuP^R=i~Q)VMK!gf<EaAiiT&W!0Mc1JDtx+TvYZ*8up>e2>yPON@Ad~j|<
zlgT_q?N!$S8t3Kj7xVWin^8ydr{ebZe8B*=85}0S@s#lKmlQD1Rq*p&*R3-Z$`Jme
z_T9nki_bNCA~chADS6)|!uA>sS~Q8YS`OM)R-0XLh2l|zo4$@Uqb{mOd7v_$*#142
z&69j%!Q_7Z_I#@N@|~1ED+zMN&tAiITPnC1le_-kghFl#na&AZJnx;Y#V09Af1>Wv
z>&AKoo6PtP@Q1v=p1&-eS@}HOh^2Ljw|e(duvBQ-O$QCbyOKAvHd_v6#*CZZPq8cs
zQeI$qI=CebvZkl1!+*BXC89|qT`zX3i=T=qKUE*et>s1UNy$u}Fe{=?g!i`2Y;IEC
zauviywXIG`7we?fULFXG*UF?b*r<J57iN=6i{Hr-esQ()i$C)7mDRtEc<f5Q#rxbK
z=$0L!dk{8drd%-Cm_@NBbjkHNGVzAfP&9wKI~8}&*x;c9?X{_whSQFj6U&S0o@em1
z9mx<v%|8P73us3-)<vj)Qkg|pdNhyf^bF*xepOk28`RD8uCfsjwWQ~s?yn`qNSv_c
zjvF9%S*}5_eq#-cZ?`+61gd_>!evnEt@uHag&g*8%_{3}IdhX7bUFQ*v$>OK;J%^b
z&_DNb^7Fhai>u(piDRwE`nZ(ofwOn;^5C*u##r|hGqs*O!rm-^{$AI+LRD;B0>Z|+
z>tH+b#K9$rPTWhMP)omu^TV<-yB0ohfd-QV3r%)%g6mnatyFuZW1r@>srFyv%}NW-
z?e)J1TrNX@{vr9@m=Tm=<PTUo^!}yN{GVpZAsITwxelw&!O@`Ei%@|<iD1>3KMHn9
zQX+wk*I`+Cyo<{t0GBCn6ZADpQni(wxJPE4!|?vVy;zLa;Lq?U7`f9%wF5{t^SEmM
z$+2NivE5xwUI8&7-Yp7zttUO~2rw%V02ng#@m?6%3~~gG68TM42U6eto)xVN!PptM
zxK_E;TbuSa?EB&X*_q}W*N%tbiN>ljOa?@=Ndm9yk*|0&Dv<{=Jwwt!Umd3Is9nys
zXh|acEmjj#=7UWo^Z0^V*t=Va&)+x3<A)4w)GAy32FZq2$L~!-2RxzVQAO>OhuT91
zbR!zdbTAiT^I`T+Y4`0VWn!~BTV9Pn#%)=hA+_+xT!{>(cuE8#;Z^8~9Ftx`G9m6D
z68m(CR?a+Fs=oMy{e4*(@QgeCD1p1;g%jkB!(w@U#aT$;L3h|X#ADRp(Nu&<Sk2JM
zV!Qc6#)#z>Xl?nx3v<!;l1fZ|4oXrRHs73i&K)Rp&P$!sJ@C1u^0U?z_QQeRg%}n?
zcwI8Q?zDL4Q=60<cB^$l^oaalLA0(#g~(lN)oLgZK=YLvcaJ4|$6P3j9tT=?&*tSO
zX|=K`B2KpRo5W>}=wVH3zjyfvh<4|WTR+>mB+5tWw-v-LecQZ<eySX-U24u$t3`Ni
z-U*{pH^UutMXHX>Q{b7A1|oN?VCt!<t?rwz5-Ctd;@xwA4v_=|g2k*>O0B|(q3;>G
zwjGJ)6?IP?*z{z7Fq8BidqMkV5HvLz{)`EQd%&`Moz-zR?dd57OviU@O6S8a3?hAB
zpL$@}3>*S2(uCA*W&9!!ti*fB!DHp5J77&!PY?RsjFNCknza^@wrfD|alczVw_9JU
zLAOZCRzCAN4sN;I<aA&%W}|N1JjRdFziP<YS|Q0wp5FGomgOnEdDTQwfS7*6l64k|
zwyP6)reR%UcC~c33e9VF?s{2wutA$)Rp;*Exuxj0{uB1Lb5k94sMrw$D7a$-W&A3v
zt-xubBUEc*4Rl#CPSlaL9lI*Cx-lP;(^m=TXphCM0TJ50iQrA*r8|G9R`XX6TvkV$
zw`5gc?f9PGO0%JJb1l7ad_3)?B+1sF>2kM0ee|C~g;9K|I@a&^UZ(28N;u>uIn6%k
z5|$Mv?|`km1r^9L--pU68*yPMmJnr)J(&AqL7L0=`R+*p9iL3vlbvC6s%uBNd@#@E
z1)c=%Ysd1#)JGf#K8hclq%mTogB=vzb~tOF7+nwgNt);DYs~h~=Pb%?W9%u{UClqZ
zLKr4T8QdVH>|SSS%jOK<O+yIO>=gh&eBmVV89h984kkR8)9keS=I)ucRK1-?nvb91
z3sB$!`;yS~-jI0e^<Jny*^W5(xglw5Q*hW7CuUXSoq^WUy8$A37b(VY2|mO2*vAQ3
zgFXA1HG~EqT=lC7kD)BLeX*#jgXXIwd8`CKWHP#eYGDz0`o3`tkHeB0Rrx+J4sO8@
z!%KT_SpPD)MK{BWSgX47=c+@+17|5@39thNL2ETG-)je?MD99m`VSpT5ly3Lo^BOZ
zQ8&CBXW#Z<`dBr@ZRu<1h5*osvn%SGC@4sGx3@K$54{f6UO12dwkz4UF#z_H#(ASH
zTa>#k`Q{|)3q^sM!)c+S?Bc$)SjNHG<tBm4vXbi3M5orMsVG_w)vMFhKUSA7hXl(e
zdKcy=w|+o#D~dnx-2i)l9MAJ!qlb7kub8{=@OM#hC8@drN}4-b>WJ~1&Wyg*20Yve
z**3`BqU&?utq9<~5dL%l9JJADM$t~Y_DtQSHq5H-t&B?$)uy=O<>Z5XZ8c}=P-C>F
zGs=miEv{(ZXw~Z~dIe`|n`&pu<g6u4jYPJB-KA*G>PIZJmQjS;oyA^cKKxk6us0jt
zXKqCaT%|@4ybyHuh3@)S?|M6Zqnt`WG3uylB;+Jss?lmST`+bWDI6>yt(+P<t3(`a
zQ;)M31lr}w&XKK-<3l!~0iaOS77B2@E<!=TAOdp>S}8bD?xY*c+uirz@J#79PI@64
z2%!;wI0lTRmsyOIr5CK-atW*lKTC8^glgU4Q;c9|D0}lzz-NI>01SwaAQH*HSDQ;@
zCNlL4C=a@KnLyy<IFcc<f!8p%6}hAJ*Rn}9l4e_gUh3K0GZ-M!De@7_zfFC)PR)z-
za@|X3r<RwYLronW1b>$8GP8TymK|a23`*)q{*XWF?#D^XmHd}Ppgx5~0M#Th&q3sp
zdiRy0&PMdPQ)Axf1ulH^9tEJ_8Z4^}1gsuz;uNpvqS+(dT}&P(KerOEyK^TDP(~70
zyZL18hxjS8e{f@thiG6@mB9{?5f%W6-!VMT`o1v1Bd5R<>EnSW&Q+zsc?TNARov}O
z6K$J}+>b?iIc~4ZHedE`yKB^pRpyj4Gl56EOK$9T6J>Hg2N}$#t-@Gd$xKkDpAg@P
z4<-W-Ax65s;OldJ>U8)rYvAgVc#%UcU~tZ6<tY^N;B#_jM^P7fReczBd6j9WK9;Ec
zc4b_v8E~j@-J#$Ve79KI)IA9Tvs2GukhH)pg}jb3s6uC9@hw1NwduIY3^R%>iPf4c
zs!l4poj|=@3}GT^9Tj<@R&!1nZE)L<6Rn?+f5{F?!35V?X=x1Gx=(KXR0Lx)R|6e2
z$}dB)9xoNj+w|Z!mA(3;obYt2y{WjQ8L<%O)^ho1tjr15jt%t(mr;{CGJt*z6kQJk
zFp9KMr3nSA{yKHHz1t$T{<Rrw1M-s*s90_Xcl+TN-2<OIl$N7FqVwv&>W=?9{nl4_
z^7)=eP{qb}yo(zOY2qNXe&%K5<)78%%|iSnEa$CyzHbbBf9B!4?}1ln36J6~A+&Mc
za0YxX^HXn6o+lE5IJN%==El>b3!hTTQgiW&TNl!VbKiQ4BSB1IHknZ#*Iu3!WVz#2
zF?w*VNcj>diTvz89QO4<wVSAtYw$!90qW4o>6O-+uQBaW73MY_GmAo0**HwZEKI^}
zyjUsz1V6_S%`jVBL!B=72o|2;oY*tT<`=_>CQ#IGWiqu*C#CoGiKgdSmn(0voPTyd
zdg5z*)xZ;q$&H9$X##Q=1^ZF<S1}QrkE~KQp<;(yv2uVQ=&3x>@x>_82QBmorQAEH
zfE#`1`3Y`kguW3uPY*NCl&N63Cl?*@%ZJ^M_}#K69J%6lnYUPkQ*ja*g(nj3iHxuH
zYw1nD;ZCwH|8lznA%s%r|Mv97sUZI(|Ky<JmC^wIN%cLCT!p>U+FGa(3+S?1dkWbb
z`dc#s=<`>nBkNm~9%KISDqODT6G;+W<1sZGT<g;KbuZjJLGgzPjtn!>L0yfcspgXl
zmdaG`1^n@*j=VF}9D)n8@Q(Ee^ZvvbR9|Nl)-jcw?<`v9$((X~>0{%l@J7(P)ycF{
z^~1GE7~gFdGZ9tT=JkLWFxgUcXEYaQ_r<+<PWGSGNS=KE1eJ3kRte;m^flYP!Q@oS
zrQ-F>rG4OM+RY6O4%(AIXb>bat^Y9RtmKxUNg&Jl_zS7zg~{s6%~It~I-hJeBAaBv
zuageW14Y)XxCUWYF&_t6!$goLuT=j@oZo^-;k)qVmITc5Okp_gjDWYAXXjN_9(`BS
z!S44R^gI0WGnmDBdSpJ5&0_dmE_(FGL9iCdyt1DE{=2wPWkDbhh0IFU`nC;(`)ry4
z<esyjgcxjHZTRD&H%iUKbiGdyzUy;`BkM&D@_&4obDu5kZT;5PY0FAmlVPr63RWhm
znms~F7(9C<P9qvGEQKl$k2bK2$B`&-*Kdh3?}%+IBUtZ8J_X%su_{J8eRLtYJ(*%F
zXB*O(yae)1;W`K*9)R6;S0H3hxrC_4yZ$QGga2y6ZTCm8J^XZB78wlhh$TscqXiez
zlCv<jcAv}G#hE?^ljv-l61?ZSM&h-#j~P{VBI%zMvXD@KEOaf0l7B%>yrJLOf0kGN
z0o_+Y(wHR31w_D=TikYEzEN0mTib_e*!s}D6Dj3Fof((f)LA9Aa#?4ww`LA+esRP!
zBZrr-j91{kl$|1NR@V9_Y=p|o#acuZ6ipB#x=^7)A}2e-Iwx$Nw~PF-Cajp}GCs;*
zIq%~oL_Y3<*IFgZ)xK8$cSFp-9(+&wlufnCHx_%k=d3n)7<ef3Ha`7yt*v(V9EmfD
zB%ec_nQ<XB?H<l4v&_wv(KBsI;LFNPb<Hn>GWc3L9?JFZ!Oqf=1Ef8d)HMiLv;?op
z`E?HxFhbk_OvI?nvie{QeQ5pm2-?3o>1cZL!|g0i?}XGBlJ&a8&ZkZHpT!s?Q!B@K
zdsjXCjY>0LllF9c6k3-jW4D2fDtB$Rd!^0_^-x-q$O%TF6Fqqi2ij*mTSc)44`h;t
z_a<m`o?~U$sJ_+a$>A$UW-{@*Y}ZY0x#=`Nz1#zN6|S?xte+Eyp$CS394w#VI<+VT
zG^rh0lu)z0JnUicC4@g=o$zRUS$C^VKqu?cJ0NO+nd7VAmG~!+O)YG!3!BvVI_hT-
zPn$()-8?8SXmX-C)f}#ok@us+MKX(guJy*nZug(S@=NfV?M1Ji(e+8)GKs?2F_FD}
zss8mfOjhvYL@#a>*X*kT3-#f$1iuOG(879&osqXf(RHhqf|fwyLkZIpw9+C@90na;
zz4j@bqsA7{@#B;5Q-gdI_(CDWX>?j7Pr`c1xSC1LcFfqOeU_}7VOT(kzG3o|`R47V
zVz^E*LzkQ8&zcP;e6z4F=W0=bBmjaFPIw802y}n$4Q5P9*?7xQJ(!El0<akQB@aMl
zdQJqLCnMGZ-fNZhqLUG(Xk+;WF9WmKc8216h^ny8fE6K<*Uu-Yxw5D&K`#URD$FUQ
zo4sT5`h7oWp<e<`;#4~RFdlU9U>}6%OQGw9kCJQ&8+pD^vG3Pcyn|~p%k^NreO8D_
zS3Kn8-mrxI-f0jDGFaz$AupX52_A)pJHL9(^%yHfG(d{ncJKYQX91Y?Q5vKI<8r^H
z!^Mb%NW&5<S|M%6JH_MMDl1z#JHi6@{zfKgnIza_mc-ew91WD$hWg3;v6z88*u(rK
zSmz)H4}9eMGl7p8w)!efdlJWIri>fa?x>`7=~Q0CFBqwG{9>WI#ZUcL-2@O3{vNL7
z-J~l1I&c4dtir6ty}!FcrVjOfGlfl_i|sIw44U5}UQ}F)YIfJV5BIsH6%LP|;wp?z
zB+HTuYYX5LXY!~{ZCA(klMR#dh-}uX>_eDa9(a<@q&TJQd$<{H(3Y6mOvl~v2FgdY
zH+~>Qr}&SB^Y0?67}q7_#=LIdacx=`+U~}t%aU&Kh!owKO#ckY`*UC#*yvNBO-F`M
zY+tlHuRU{JdK*^vsU`T;b+eq~NnUmNx)D5iMnDYH^3?I(YfX8YFlu$#uX=74>5~sX
z?n6r%jN31UvVFPHGx*qHv8#CzY-_yVKrLy;q}xNnuR#~8ReQ4K=4sUuys#1+PV>*R
zu+8q;g2+J3H?N^I>X;0;jvs>!Ez?>^X-8=lF2u<dhJz02?`m<Y)TEy*FUJDq{osqE
z(YTc0jg_$ZcAk)hYC;2b-9DzXIO`Ye^Jp)UJ3_p|=BtRtaZ~;5PfxV(DawpR$<8%)
zy&m>GCx`e_3U7@}jDH+{u%mw`vbo-Ztnl4FFZh}4KHb+UI`csgb3H*sKCL;}s*2S*
zdYiels&y}o!)31dq`@qAN{W+Mh*~{{#-Ey7h<Mh7IYQRB<Iv#w1k}X}mRcQ_*0-UK
z)Wf(@CRO<~OGse*>u~W&2y<lxz+^9FH7=yZD&^HD2p^UnzS(Hz?T1mNtz^ZGPdC=$
zG6la#SD7jzNbnY+DY~9ukTJX?W+Tqp<OB3Nc=*%QPgV$#!e_e>IRV~pCNQ~F86Tj@
z{REG{X6v|}vgm2wRW-YmpCw8)JaIHT+5hU%;IDTJeILkUCKeUZ%nL09wzN)O%(oYL
zJR6?%qN=vA43%V@?>3F&gJ#O&@;HCk&iwMNhzoO}!@h(IyhJny1_rQ&Xhg~OJW=;L
z`i>mFz_hd*T6yI271#(;PTtj&$Q_!!RdTqv7JcODk(F1Sd_x!|p?`mN?IbI#BDsDM
zGo*^|10?J{JO*b&d@N{~-ors)bg8c95KD#6gmZrvlpI2Qpxp!$Ua_~$d%Eid=2u&1
zmVLiRw*E$XP|mmvJ`$-RC4Z&WU|AI>alupLtWB@+7A4<m2IiHnml^RLU9ffX%kH|H
z(?W4*cS2k@0{p{V1z7rL`me#er`3$mvicJGHP-4is`A*;0F5<#yZWHXJ6mSTz-lVk
znNMVs;qE516>?znDps1pU_{3ZO2CnNeD<nbU>HLLEhzNkgYX4Rl3*P9tX};!(I)Tj
z|3rhICvS!KuF6PSfI7V-a+W{`f1cd?y9+Q!tPgf;DX!7{VWQ}4=|mFpIxe)Na7Lh2
zLW|j;hC*7rdv9r5U1)r^HXceA26V~#S`Zau*`2`GsUk3^s2wiHD49iT+I=;p5$MxU
z@BIu`k#bk?Z?(y!>fP-oeWAYI?NkSm?L*r16u18|h4e^@Xm9DgPW=EFB%!IiKq0o6
zlR}Aun>hXY8{ZE1d|iqzUXe-=Mvyub`Gko7d$%`!x|_>@K$GYAoRG+-Ydym~z}<Tp
zrT|p5Ku#WrT<|<ucn+v{e(1T=#veoN^<YS`c<KH;GJ`G-_H_g)h1KZTJAE_INOiy>
zSQyVki;&-Fno+H3HWk0&lz7w3!S+?{t2OMCaqxB@r$+np1fB6rc#jftOM!qSwF%4*
z^@f-NGdwj7_PS0f*^DaGc~N)*%YOpqF90^zT(+QxmxkBi@0&Dv-N_HC;8+9VRJy8i
z8Mt@uK%*VqcK^<T8agPs3dJ~=K-n91l!?RSCEwLYbWF<zvBU>ugmOz=Hj99J8$w6j
zLgq1VuQiCbv!MP8DfqzB+pgl2Ev_1i!8wNy#JsjV>-ql9O7QLQUfsxYcW5tar0R`|
zpUmwRh4v?)JBh*P1FY%^;$fAIx|gtv>1*NGe;2>;2N))qOaTLUVIr~6hy;-|W+%=i
z)5jtbz5C`9G}Oy5Vf=Ji>%54W3Hqq!1A6_0zj+RRFfB>TY&Raj=|mA=1xELB-b3$s
z-^hS#poz3YBYPHd`8fS}4^HbHDjL5-g8-1LANsmE5$NoMbHc8T2h#sMvRoJq=}(aD
z`8%DdNZ6dLwd_<kHCzYp6<@>VgfuHw*vXiIY80{(02+Au6`;&JJM6MR^Twbb>OiU=
zj8Yr#_g=Pj{CU%33hl((AHc%-fDxXpI)LLtdYLY#?T-DX8UsCYU=C~Pm0Hs(>FWrj
zYX(E#S3o46I1(h`y(dagjC)I~98R6KyCG3mw)6%B1z4%l`T#!`Y{;Ea9{)B{ajWI_
zv0@asGW!`2DkiyR@YzOh5F#?mq{coA$JAJI1yKI@gihR&>c_i{7P97|nO~o*0&D0=
zp~asE;RI)oK^J&}D>u(33#$CbBuZ9ylW_MhS?{g3m(zRZ6t8rWL<^(rd0g%iU}Yu)
z$USG2;XHI3yHYC)DtGKggy@0Rzq@4ur#}>#du+c^+&+7<6}FyM)1izVJcl~`v2D&N
z8`Lj-7vUzmoFTgJ6B5!d`eX$t3GlSG$J48*z1Yt2B+=;I?Dg;6r}LeYx3Jowu?|e)
z4uMEAc#;$TZ{Fv&YF^}z4u)1Nzd$Ax`WiC4MAzSyxTsVJs4$NL3L&rd31H<|LN$ik
zpA$Q$VWfRFSug*+m;-0yte94I(M!UGgQg-WLFqDdQ$*wQ1j;l{@F%$GV#nvKVaDfd
z>f$!_&|<Mx@at2`^H!ge6o<$eC1|){vPWSqv}pXVV+qK+5$e{0i(InMbLe_0FEj4y
z43JVny^vMFHg8OjNsm;)TPA|AQwS<J?!?M}<<0+kx#)wswUv<?4w!&3;35ncp7&CM
zhx@%N_PW>qig)L&`e7&R?#?9<NT&jhA?;L3@i0!UBqXVHiIw_z4Jmddhrmi!6ux)}
z;Wf(B5%!Yj2ZMTK7Ko5?wq$J8E%>77#>v1YorNyKX6~6^FKaW4AtwU<2Fz=mQ#R-%
zY<p@{ea4qAy0T+qE5kLrDBuV&t^+Yl2X<O2f5ZERdObl(w2LK+EOsaNK1O`=x9-0W
zT_Z$VeXu2z-fFfu8e}p)dE|D98u*#ucC!27GD8i*!XXu17unW$hW=SMlex3!bFoY}
zxP%m6tBl?aLJ$KR!sIp2;Q8XZo;uQ)uVmjX#r<EAH}`Ec+SCvdeuiIt6yYX)lxAu`
zC8ACRO>-hxWQWS<kYjlYZDUN|c*-J&xj=|alW@m7EHehUD!p;jjyS|kc0Ow#FiOq5
zxiR4U@NQlyB(6p_zy{RdW9KjcH^`oSh-V6R_v<mkghymMw%GuDg!LV{V54-Oyu~R4
z|0w%g{d#rStX&(><lL(pq#(Dc4cV)}Qea=m!qD9c*_WU>p;JP_y@HMWTv5fO=Otch
z9#o{*4Ows}yw^%U#vJOD>;}4Slv?t!L$|DI-F)9TYw_COV~Z%sfn$aTyrK9Nw|hj+
z0RmAOSf)Pn8t};-qH<Uy{-x3O(mImX%!8PAan!S1biCvf#32EmYk5bGeGK@lMxBPH
z@q(KJq^ee(+&MU4SdKEOOY$!Su=M$l|26mB3U;sNi)enu=_+Hz7jE<jQT}axwa+*^
zx5tcqT2U57FyHPjr|S4u<qE=Nmi999aG$@2lffd?R~Pi?7@sHpB)+`d;rFk!Y1P5K
ze%1ZnN0_2#kxHSE7*ztDTj~J^>@T-s0gb=qq*45n?#U{Gl;+Qun;ax}{xYD0MTP71
zRVIISvmg%HY#O-MlVFwq1zM}r0vNlsb*wYi_r-->%r%_#Y&D$G`h=#O#}MvUZ;W3&
zh~8m44ZGO)F+8|*0$m5@!T~Sc)Bx{bk!9xWt2D;JwRFd)-lvHjTA`(g_r&gAE7qVj
zB0Q|I%l?*c+(qAb?iitkiVYV22f~w&75>yhQ*@EBJ!kLRgedIkKLsF2wz3{JhlnJ&
zh_hGw#?}0fcDWGyfKLxRIa`YE!H&$JqCjM1kSnRiY$)ni1zbUz4SQl>E$~){D`*Cw
zBu*khy0AmgcIyDG*|}&}*1<{JsVM&y5$pkTczO))4rY=lBi!uJby1=kxeY(ZWuamJ
z1MiCv@&{Cb2r=CL=M_bYpB_JN??Pt$nT}|%?a~dwG74ffkA+UKAafulYfwkNeKz4;
zF@JtWzFJ!uxs@@A<}c14GS;uzvJ+tHLf2nY1QglOy6|5rVCt0wd*Xbr2GG;ADHv_P
zo@p4qtubjxVrdci7*cwG3j%lL<%0i~P@%bKw)E_1urB7!w2hwi!MIMls+<H&8Y9Hy
zT4iFg`C3BiA3u09&@gWMdD&p#31BiO4~2SMD*U`4iJQ-nR-p%9MAxf{7>jTNifOr9
zhBNU$!SV|?f?tZMEZ)>%W0Ai*ifpALquvYemae?~4(`xJ04L|xY_m7DuKPn4FXI2~
z)&aubNu4i#MJaZO4ha7Fz?gfem0^m;6++VxrtdH&F@wFU!wD8(Wus3BEPy;cPtAyr
zKr=D<dadRBc(8dLmhb>tRMEH?jdGN>&F{)@>t*Dtym1Hf4~P#xHa?|GVqW$H@9Wh8
zGd1KK8UQJ<=ZKm84otg?Dvk5ThQ;U5;k2f3vPrCx1yZO<`0#TlvP8v@k6T))8JFiR
zP9giWXH8+`86Jl;FpI2fY*6I*1kz$(St_kq#l>wte*wT4G&}HVd&F^so3Ura2JN_P
zjHcLLmW-Z)!qDoKL~hiE_xCD&VE)&|)4jmOu^Q9Ay1nIB&cxP@7dKMAxVz92^_+Dk
zV4w3IPSGQpu#j@YxZ=?#OzsYbDe3Qi)dSFs%jJ+Nu+Mre5DD{iOncr1tN|xq+y$Qf
z7256F=BB0w7zLq`y9>AvAQN>fTNk|6MtL55ed-OEg#;=p_V<eji{Y|oD}!^{B+w;o
z(y4K#=z|-~JD(h8$Xg%dBytlPYv3bBfxGv{!2x2q8RHILm}J%5_&uWZ3`NOH`j>c%
z%$y;P{Kp*d1+3LF@S0>gG+hl~-7$5?st-qjt$RJ30fX?{yNGf*nfSo0dIgmti5Cx`
zEe~o?<DV}8VAecwE^pidlW#~_B#S#qF1Pqh#1KGt<r=Bx)*TN+4sn|U{=)@u39$@L
z-k|VfODEQ@%9I=-rX~?0k`@Xf*KJ}Sm(U)WJ&!uk_X%t@CN>l+oTBmg>pL&tLf}I7
zSQzPG)g>9qxT-cE)f7}UX%YF&Cpw4iGSgy+hc_LFAI%CZbnHm%1B_!G#6(uIlIFOG
zBS5F3bu(>C%x|Uah``>F8JCG%-`BOz$<gA(N^zxGv<g_-$MHoySd0S4o;>#cj(4tb
zXEW2zODf4{E8=0#P~0!4wgnL-aLPE%pO;}@++O0r3dq3=yvQx+5bQWDzv@<aHq;lB
zX4%>H><DoUnq{p9l70tAxcj1XXZEtuqT8%-u4NP9zpZBOetiZBh*AoOYjt^#Dl`od
zCF$P|g~di|RITC$$oAKoW$qOSehe&7@W?(ZyCbLQeSNOtkFoP-{EzTV$c1puFLq}L
z-zfZ)J4aDqYM@wq+RvkEziwMK%srWvlWw4+EXer-TPJ%NR)har;)gh_hCX^+n}G(%
z35Q<eHwr>#O?m_+u8c8zG*g@=qeWKmbBCF9Hxlmg{<#v1r~1U+$hTEF5-;}Zg@vyt
zcu=WQn?dJm0*QTtaJ;jIPFpPb$EjP2J#KhGVi?*uj&eXgpCo1E;7Ht-+tD4tOC*iu
z2(sT#3Ny?~N4Gy0aWU{Zo$1`n59s^V@Fd=_?eARIa&37(J&CCZ_(D@Ape|jIP5{A6
zhPYz(<HO11E;O)<(~Dd&7_oFHtmuc&nW2q-UR}|_P%Go=3hjJNB7S`lX?YT~Yu`7L
z!p^<wU~R3~QC<Z;;aD%>804!S;}l-tImhp8w6x3Q*LHt)XZ><w%r~XvZVh3GAb2LO
zKH2(|pg+0H#R=(!6ae)cPn?)AL*bK2Z4D+~e#Kg1tm~GR9Q5q)Jh;xUM}B6Qo;}-7
z`aM6|_Ev>Qu|3t9K;jZ$9fdeL%;6exWyC`4N`7f&k_M|zs?Si$QS}tq!&=|Nk+}Vy
zZWg9)>gxi%O26u^Dv@HDXzAsagbDE+wNvp<^lj=Z1?hNJh5O`HYz4ffY6swvK@f&_
z8McS_cB8-_C_F7K6yUTUBApKdV1<;s#ov!{0>R`UCz!HelEamK9*T@AIgInLI!S{c
zFge{5Z3F2B#F-v%4@wC-OwLNfy#6jjG*fX+6|ttdWDw(yL=o!7Ym9>HwhQB+RiHW@
zWMdOS6q5A(FafTK8^rTbp~yqox6pF8YLc}?*Y8NSDI*=-73K8L?0NEY1`u$-xpBY;
zrbYO)YON-7b4y$yjc@~4g@F(OHtLE7Cb{aNJL#S5XVZD(vX~#d4~)EXa-KFjDx|W|
zw3?!2?j;?RMrYovG7LzV4@fuQj3>alu$A}|C&mq5kG2i`?dK)$?~D!2j6rA9iQxu`
zHQgpfB!g3GN@!&4A~l|GjM$UA-p#GPBy%@__p{4{R<XsGEw=^I+LG<zaGA4z7lI1l
zpre_e-JEQTeuPHdxL6qM0y75|xf)3Gzkm#Yzd(A$hC+Qxq3iR)tjD&I^~xNS9su(a
zf4ll*iN|jxSSOfP(L))He{H<AB053WxX0k9Fd;u`Suf!CL64P(4ntKvIXI6p6c2zH
zKXRdf#+0e}$oy7>`w4HZ#RBCqTj9om7(f0D*5qsA_6Jp_MO@@p9oe-<D8Az3R?svS
zH3SS=t~ZFCUoq^J?YOipO@2G%m0&GnFNsl3A@Bz{D1c-qgyX@2A~f(lQB^eP#Ct7|
z^pk$`)4S%?z68M;zyk<=UsSKpxz1TO?%ziEpeS072sRB%WxZ(?$k_61ZRSq>o<4mK
zSAdZ<XXC5zf|+PDpzHEKSZ>$R<Ct3{e5DXJ8n6|G|DBs;8_O8+hfaxP{EM5W;~z=G
zwSBI*7`fb)9ibk~45<hNK{ieR@3rf%kG`u!CtgV+v&=hj=u$#Pz9<w@6eeau^|wYr
z1K}>SgbJFuaq8hB%`E9rLRLg*>0NgeBr?8l=dLr8H{Mh!@WKO(M-~JEDfJ}ySl92b
z*BOI9;iaX&kI6{MkY&|uM?}5lR*&~Q>><~+%N|1u?034vIM$!8@4MGu4gxLHuL)iM
zIFE{_dP6Jy_X&WebIY|dXm*xdu;a$BI;$1ZnQnoDPM50Pr2@!k-+<7kk9nZO_rG`O
z+*c}GYZ*#!eN)tc-Gki$QE!VB-}F?$dJHJOE}8;E{Xd}Be?|+>!y&2+YYL4D9m!n1
zzt=Be=+EpE78W)J5;j|d>uGmC+2et03qf@1!pS81uUiehHQXPrQ{k2PJ2<S*pt`xI
zUqX>qtl=FwEjaGNb2L!=XienVT(S}#Xc=I_31T9^Vw(RmSnjPov^z!U#%WH{>!S%h
zH=o;a=YeM28$Z=;QWSiQWMoO2=c-v+=+Zv=J$?`G03L(R5PkfUX%)cqJM_a`?AKPo
zi-XmJK<+1ZiF{@69ea^|gwO#nFs;JI27`P465Q97$$b79PHXL0$EmnO7hcvFn&^9n
z3h@>g-)hp_V%kkdbPrP|)0Ml;KQ8uWW0d?5ggH!KqyEL<ZdJqS^aIr~OjdY#<ZGWd
z$6sSYt$IC?nx;5o3`Twiy6%rfLEQ$=vjyt?W1>arN16>6Y>~|YeeRl1MxoLMXpTS-
zs59?GGArgcXjTz3IRs<=RcEZ5kOjyF|1cUUhj<>V+^-=>7ftZ;)-$g6)~7annwg&c
zZxjXG$`Y6bK_p*(pwipGZ--7LQQW1KvsDyRbFPfS;%`LtOuJSX;HeEzKvuOWjm8CY
za}~ooo>JTU+qtUbP~voW9Jy|jHuS$%4YEJ0_!M7V#F;&awLZZ~7imfc>6EMol|C~3
zcXhCTz}cZm@4G=MH4Q`L9?yPItP@Xaw3KtG#>RnIee?IitH1@g>-g;!P*c(G-F6F`
zO_~3fTmobT*%(?WsC4q5=c8`N<`cMOY4Q?+1GjAOBWGB+&bR7xLx*(0ZGV8I#c28j
zF^M9oO*FD4I=DChd<k}LD~$ECrvF(r#g}C=i6IOT2+eO(G`F1YG~3$Yj&uHldgK&R
z3H$-(%Xt&~IaSSL;y|B_+*IGQKA=SZAR}*{JCr`E_U9Y`n8nzArGQ0D$8z6~1V9BM
zBmXC(k1LO`NY@`MTC6Oc{;RX~eWPRsC|w469)Sf@uwB4|1>XVe+#07JT<)>&;@aA+
zSc1tvfY~`Z-qpN&v9dq&m<70X!40dbxBE7a{om*LT|$iEw$HLN?pbPL%@!AFF-uE^
zn8f{JQ$&$X!}Zs^TK4Q}5Jgln{?8mDnZbs+l@VWm90UJJtuRyc<6?Cn`;4$O%MrO6
z0tjFP8Q_p!WO&Op9G&}HYt2cA^Y#?Fe+UhOYo%2|goS`>pH}qAzGG%AG2Df#d<3(}
zWfW<!A<iKI;vOa-wH+c)9q<y_!!?N6gDY+Yt%F2XA~H-68)16`cUrn^+`X)s9XivR
z5S-fE&_njL0CM;51NS8n)R{QS8u3}2HXsL#fM-HSh$uaLaWBJVLXN|`=&v1#2KraB
zwV8K=<LeuB2)K@cq_cD!_up+LPhZU2T<;9IHIlfw?|%0*N`wC(=7AyNY}GG-HVycf
zCXS48!S_rWL9NPfU~GW<EG9T#9-`=6LcaGinCiKNfpREdl$!Vt4<0z3ve;tA)o*M;
zSqdF)u(k!ZX%NOu#|UDy5D`@t9Cx~R6TTGwa_`~eIPC$njO<Ms<Bx|R_f!4>81bV=
z!%J#6N&tNU&M_m14^!&NSP>h9>7O~kxjhG0h=FaPzU@ldkWTYx3|;=kO<ByQoX8)H
z0Z=SCT5I@CW(H|;L3=)t8z{>9U~s0SdER@%mdgDQXW}-s)De9-BOjzV-q%BKdZ!#e
zFmNY)l4fq+xGG{>&xe8nQu@~FK%#N@?y&F$%L;)MfYh`hcfi-&jRSf$UeF8m6!Fl~
zCed8ihziIU;h<}Jhx@7c!4b?#gB09W$iBt)iA^HppSrUaSsueGX>3yTCa}QnBg>DO
z!u=b8H4ISlijn4kFljFkuVpt(KC03`ahD1H&$h(*_8yzOMr;ts%ao>bPf*E}I#y9t
zB*Hy#W-ZI4<<edT$Rw3#X_iCd|GQHE@BNXgjQG~qPm0BXz#M3m0}jj8l6KwT!b<5q
z)OEv22}@;<hghm@Xkt^}011qjB9#T2qQ@YeyU*n@X+QbOZtD;=Vs6B?_3QPX2Ultb
zEOd@FfIAiHdT!&Nd;H~>E&{|~B*v2G7oKhZooza9@GK|@#))R%0?q`z8nT2qufzJ|
z*diGqS~p=ZdSPN~^9+~cF_4}8R}7ou(rSahM1p2px2nc52W9`YD|F=GL3-{g_i&;)
zw~EM{4*ieMOB24H>);yrmyU%0&Kp!S27dd3zM`7Sru)nNe{n@T$EP5sVx-Q910V_*
z0MgDB?NVTq*3!im{>6QjH^)WH>hdSX-dMPMr?c7_vSizVy_(~^X|AfqDcAL{m?7#3
zBE4?tO@OrReV%0gqHPvUg+xw{Hv-)+D#w2~Tiiyt($Zh&k*5z|pui@&u@YuV|Bf-3
z1xE@LXyR`CZ10Mz>ZCER-T0OE+ZQl*Ng#4?bJ@<$OY}7xKhO_H>8yE!srFCruc@mX
z2^!Q$YwQ>a475|uF}{a;Qrcqw7iGZVBH3zN_kSn>5EdQSLN}63b<t%z+h7sN({bti
z=t5n)WzbaVHAZvC<PpA@^k|Pke(QZDo!<Fi)=#BYAY^(-Y9W<lj7-RJg7!kV?|WGr
zhb3uV$N?F%&(joz_J}<FJF6hC^|46!^M%mdC%@`4-^XZdSgsAH{3s*$&8UDkL-+Pl
zf%QN;R>1KeGEMh=`8O>Yk6T~srRDHXP=a)7P}rOJLKCtYn|u7vR;(S<N_4Ohnmzy`
zS1o%i1QC^ZYBSlK3VoksaCaTjK+^FUfX<SatLte1)7QShu10f`jIH|MVu58u%WrNY
zshnelC@diD12T3ecc4>&V|C~hE?IZzf*W~%xuEqYMwf!N>dLGQWtxJ83=^!6U=g@H
z(Njd6<{ETep@(bDI%QETkfp#m<^U>l5lt?N5WxXsz85rWM=i~omI0F<v9{=Vn70YD
z00&d;7P^qh-`;6jU4L67gPUua*0)WHW<pdv5|Gh_gyVmSH=~kY!C}T&nqEhrZS~OX
z2}rya&panlG;&5TTt7Xp`M`bV&GjRReSaG>i=#oV85RGpbm;+=XTPp(M-1{7npK7^
z+`&|s7kk{n`5OA61a$;oM~E)=_HEKCSQ0@_Y5AaM%BHAwXYWKyP0ZHX45$C1bt=s3
zOGE)Dtb3qx*UuU2jU$K%NvLg*nIMBF1D!MRm{hh?jrTiwZqL}rQ|sENMqeVugYd`B
zg!ncOzleK1O-+I=yC~rSl=WiQ#p7;!wbAFkigmFo=X<kmdL(ll&W~Q^S(35@k1wPa
zsH+)60`N`-gm>85LhKvClv0w)<xPCbO`$A!GSfjWC)jrG?D6X8Mjw_9uT8y?v8rZ2
zzxwZ2gUiR5d9*v{hxY~KgDpwrb_mC@|AG4g&+Nu58@93w`%9xNEJFHuXT|}sJd<r?
zvmi!!JWc)^@l{Ax%hkZ{&Y(`yhDL-nu5kdLe%@iyWuj8EXN%EY8!j^8vyIg?oyA7K
z`}na>ioCqON&okHFK~Q`i8$A+y;+@(r=dwVclX?gPvC90Bd7e2|9R$rFaE#wk5qq{
zG~swUgqeXV7NGsV66gX${q+5yH^awxxCX4~vGTnDhP6NdaJ(UnGy3nBN3#K(LCre~
z%KjICAZ4xfDY{Awgpg`r%YFI>B_+Rx>U{Xv_`mKththNlY*hua@POO_($uk?pw?Cv
z%?PKv1AKBmKOr4%zdd<|+gB0Z;Fuaa_7D@5dORxLE!{JM`X_xFGj1$%DG;=uJs1yC
zONcm}kluuUx}?C+0oE}ZENZMKo|p3wq>e#-0La%G+HO|X$5DdHSr5dohQX%8fMp(Z
zUioR%R0ZcIT^A!f^(vw?fR6-AbX!KCX6!Qbgc{Ubk>lnTa8>Fg;O|0K?E5&C?H9Ks
z5&YcE$L=ub5IjT(@LM~o9sB{cRR;iDwSo<ApO?)S{08903K>iAMX{XBWOh4a@B79-
zQ_E>urKSc~>Ihj&IqHKNY*V<?xuSqX8hr<@BqxO)q;7>6i=7uLKrQaBw9&(4-#qTV
zpa{4NE>qglgPq!OU;1v3>Z$n!D@X@(fs7mS-{KgoRD+vT8$YPu-SybhhUC>3j;*;1
z1L2MY0|vVlz}r%#5PbIpwQ7O?nf(NQJDaH4Inr3oQS?}f9ZVjCxjU=i0vB^S9tLcF
zh(~?x0@@j@3oW9_^D!|#;w`StYbxyv*gy<6`@iH5{8sK-?Qkpx&5~SIX-x?x;|%0W
zUL>ZTRiA$V>KNVy<F?{bwClLd!{)BNz48E_Y78tx0D=^X5nkX16_ZK|KHpTiPkXyf
z&S?9>Q|2<hKR{r?0D?Xr9SDbQD0o4z8{8S}`%x#T6k;h7(t`n|BOk5zGrp=)XO-Z*
zxy2G}JG&%i$YGZ1fQQJyqmXVO+1Fv`3^F`J|J6w45O^w`^pzFNl^UJbckbZ5aGK^a
zV!H4Y_^}U?<D9ZVjcAAP<x?C!GM=FNlO!uO$Ac3k9MH+YqNI2D5B6+uBMk6(^8J;o
z@37Zb9JUW)zt0ZGM(CkP`Wy9TprYYA>&|M_Eo_?P+6A?iw_-zrXoi%&KyhgAbMW07
z&cQPO-3#D10z~BRydOMjz>1lN$>==*K5r1s&ji+<qOrb3Xg8LEIgasA9EZZ0f8$fF
z5U@jCOiXMUH7e_42?qHx8tqtSvzKlq16;3zHLL<_rvK;q|K9lj{{S=k|0m)9p-DKV
zQ`)7M<GmfL0~O-%5L9JKbYI5#0>5hz;PaODby#20h2p2C@B4Q9XMG2k1P>nRC~iFy
zB4}EVDX`7D`jWZV-@&%_V>GhrLNR)EN^SjI(&D*BjWEIPJo4!$ud3--8;)v;L1L|X
zcx@_0(geZl5}MpujqKdLXKA_IXn~EcU&t5(;Ds8go!$-`jXka|q~3Z{PWvP7!gg%@
zT+^7JY5Bq4*!UBt^0$uLn<7CL<sp(9=Zw)lBj(fuMT$nnF6^hovjU*Uf~=M-_pmld
z@FeIkD_6otv#(8{Ni<l*;FN~2=H#7<it;ICm!Ztg?xOj2tymCkt+Hz19z(~{kIf}%
z_v~QM=jC<8WfzC&`48&pq(Z0v@xr^5_vJ*WiG4<PfAgUkZ=4{$nObwh04*pMh$GAo
zu-p~9Zo)UUl--Hcam9H<LJ=lJ)9j~TI~rrN+br3TlAo*_|02*qo6>FPp`A#L>509b
z?B2eJP2z5_U~kYYi@_YVKOfWaF^@<+vAI8#WCUjQ{%-Av)tF~}<KfHWrI!@yyl&)o
zTpLn6AEE6MtAmU5-luFX=)=5j$r%!WvUT3yqF#8KAwUb$hu?N(P7AFbmXV*f_7lwd
zB}z`H*;cVOC-l7TxsOR%|BZ3vO+)|i+nzISTC6u89O?||$78FiD*&=Q*q&4DPYBXF
z&7TFA36JTRw$PI2v+kZV`d=S|EMs;q_goCh*!9?`_qfuM4y1rUIecs(`9_HCG0M$j
zpy*sDvRV%zlxv?jeZs(GF~xLfV$c0kQjs>j!5X`v=%9e-ZEdM6B2i&BwEI5B{V5&b
zX?jCeP5X$JI>0w+rt^VN_$9;!UixQO+n1FlzN&n-+js>D-jmA>N4oLHr{{+~uDb^E
zYf<b?LRl*_r_$JVZIDdV1o`xubITMNI?gxBp_Q|Yq=qjYV!eP#*kVQ~@2TF)Ip{YJ
zmCQLrz$IW=s_)bWZ9r*$w4xD1oT|~6396)tn+G)KWQ%C30L6AMhrI5b6{vmTmR3Bx
zraWF<e!3Qx0J?L2tO_x0pHnYB1Bv~@gfjqr${SJiw^0LOIKoROK1~R7o+G)3iKl1U
z7<jDp2sHbJkUz_-4_<5!#;9Fip7>j^fcONU*x?eQRdokd2JT6HT6L~Ak3r0b2gSD#
zgF^O;JcXXfH;yfj>(n2o3L}2y?w?><4BgB7WsGzXCvy&q8%?bky9rQKv4JVa9l;(X
zi^uV#5fAk`J8#Dx@z7$=^=UG4HRj0?II><CS7WZdiZ#c@s@wh^V2$7d@eVSJahqu;
zoimMerBjyf!Tvcv$Y@P95FR<^$^rEsUIr{`H)_0Mq<@acWzKYuUTh~;epp1&1K&|C
zHCF=Up^asAi$-yd*~4wlQ4+#IX@?ELcosGfsSxfsxqVf0t(5~241Wt5dQHHhlexSs
zig(^r)>)fn0eLEeW=?QiRWzsqSg1RBSA7~_4v;oYf^=oK0~+zLlbR!!2hr3Ex3s8x
znqqApCK%ch$pm7zMg;J16js<yED;0BZt4}}F3y2xmb@OoO9*K^J6uAi#(j$d6-t~i
z3pE3stsgM$ig#>(L|_;hhuWF7slZjEQS7NjWFT^diqMjX<;WLg=94aC0KH}gLApBc
zz~%$6mg{%qcH%RX-E7V)ifp%S`^Nj+?e13zYwm1X|DX20JD%$Hjla&9vMM7~X33s~
zc<hv&S@uXt_KIvrM@1!sL`KL+PF7jrpoB_xvJWMD9I|J>>vN8t=lT8j`}g;HJ^j_|
z_>B8=-Pe8H*Lc6Ln-0bSCv*TTck0!v#6+GV?<>y?<EcWGcu;jnaf7Fb;<nN%xdDn>
zekEZ{@(ms21-2KIHQC=;x{Bry<7Pa78E_f%SFfNP@^e3({6>v6K!U0A>{>@(&#R;T
zPFH&)lrm8KZ=V@GKU3qH@r5c?nNv9P@iP&R5j!f0N}?n#B9izduxf+pteiPM@O$kX
z0dZd?QP`1_A!=B&&f~{A0LL$;@oD+7QW2efeC^MMs7$L$e-$Uh(K-i{!tT9cpsaKG
z;h^nhDx4<pApyWdXB8DH&N@kpA{%3r)*gE*>Sm?UD8&njp5KF4k2dcWBqE*jnZUX3
z`^dfs?6$=L+f?I@1z3XyoOzi~vnc@nQYgLmQ&qhw)&Y{s2_0kjhAnb_q^|;GMj%lt
zg?q}C&8VJXadI)+5Mi6l(w4iCsmjVI3;J_%KJC7((<1hv{gbEXlx<IeGD0BR4^FyF
zn?{Q3)nkJ(s&A1>M4KT-0yQ#MCu`|a?aeT8N9kB|@M-jypc01JE_D=voX2y@bbAGN
z&ls^hg|zUwcg0qVV*;W|ul{7Jop4yCP68a{IWDo&)B4|wwT4&QJu}w(ySUB7<7ypq
ze*EQpD(hw243Rpt2=moEK0Xl+<>V8FB|hzqc%-`ANXEk@7HB$cQs&^wON5pxFRSqO
z<wlc<&=)3jsGLTw+Jgy&u^$VWy;(F#?UtyEoCS=jA~R~l-qe~J?ZQ4c%~$eI#vKc)
z98k?kfr_U?;?qwI0+Nh5MCc!<dl4Y$>dz=VHRKcyp$qxT{ra*efDdOG)w#sbiuW__
zL*4R=u$V^VAtDYHDjbHD+4lAq!|bU++`k}E)Kumc&(OQ3Q>h~M<aU7(0?%|;e8@p(
zq34o&{1NsR%dNL7&O;++L6x;yLu?-)<bXOO)IKC>2CzQ{9SDX#)K8QO$UC?~zyRXT
z(8^)_$OiT#18CZXSv}*eynp|SRR<IrD7>s7dRVmVdA^4yD&6mEsfy)u2qYx<#B$M8
z4tv4&qdF-wS#GJ!Pi%NOuFNGW`7eD-##&BG&LU-j7swQMSqi((bO%fq-CQ*vP}W9b
z8sInXP5VTs*=RC4fw3UpIpT6xAn=Kk?~fDnM%G=)*cNicOp|C1g9>rm*MI5+q;8nM
zLcjta-o{)tXyto&@lY^BxrMc-oAATjye6Mt{7?;?tDKD0zD$K=S$DyiUWI2z)LL>y
zWqNLClhCCOneEf<>6!Sg$C?wE+KFpYst*2<>|Q0bLsaFHvzHJz`Oowk7G<=%7W`lo
z0;ww;R%b}l9i!WxXHaC|bQgG}I{x(8$fdd=9Nj%BTyt4p5}t_<u4Cc{E2KWlI(=G3
zw9$%@0pUf%HiQ=2u66c~oVu+vs^72R_2x(`-H{ZU7Qb$DM3teFA?Pwd@>z4Gi%N*O
zT^>}|L_d`AZ`~%68suWT?C0NAqEEIlV>Ue=<IOIIF!Ca6PYBXYZl_xOzQu@K$en7E
zyUl>47{FyQRP?KIRFw@I6`c1^{vz&URV^>{8cX(252yJNiLf}uvOo(TTYD=C4(n{1
z9w<PzRUPZY#?{;YZrg*cRsfy8)#wrsOtr*TOVL%Gy7vdNKxV;2mBg;()aD*r;xkJJ
zvt@k@)8$Sd>pyww91EtJI&<B-)3NOgYMaSKlKWhZ?w)p}w1U8MD^xZO@PlDK7Rjqw
zZ|XH})m}jHV;20q_+CoIKD&K`zK~N%2gm=!k1W^S?pfU~?zja(hjh*RAKS}(veUjd
zeh&r>joZe*uf}ep_lY{92xJ!GRT=ZoyHO5v4qRmcK~xk(XgT8gyzDJ_4KKsisAwS^
z{M9-f$I0dEtDe{5$vf`t&<cgNk1Bj!@dy2T8=7x?$pNG?kq5h^TO~TO)-t&jGY)79
ze}27)YDpgh(EzKqcU+-xI$<#Ve9vsE^cFELeM3Evu&t-IVwA==^7C5;KJ>T#Fw~in
zb>~Ob2mu*2C>4*dL&GZQ^xB*ae&;#1u-mhB)T;}7F#}`|9x;8G7+Db@`^|Jgrh4Of
z6mRX_Q>hBxvIBFyB{mC9cX^O}b}On{Ypb_Tml?juQhnrhIJrMaU;2tM+uhgF2h-(P
zE7z3K3zOd&AU(o#q(08ACQ=Z+V`JX2dX+o%=Lux{^7V{aohqF?cKmQy`n_(-^v8uY
zQv-to=HZne6f-^zWhBfW=<*LNxEy8s8%;lQuyrJL$643s%m%|Nb);f<1m><@di<hR
z1ue@c+JhY(&OF*W!uO$We)98`i9xonfjY*~wD#$>j?(uvAoJz5HrVlgu07L?Tt}6q
z<Vp9F_YE3VVl*mMM!*Mg)p{e-9(ljJ@jCyy>|d9E+-oU!KR;*g-<Rb^i5u9w6bO@G
z5(1h@-&Sd9o6S5PtK-M|IWE2Ndqq&Fqdevt^`-A`=4J3=M?OUR$N1+FL=GftS=;1i
znESW~UMm#xvE-F#I~A+n<nZ&?jxS?Rcg9)Pw`GhR-7Q{s>`K~iJwJhD6w>TKjpe83
z-`26&`t6OO_nSm*`?_)<425ACl;N`9+V(ZYIhpd7xs~H>aAHQRQ|O7v0a2rU^nTPb
z)VxwM9fZbhX~Kl+kqB>_8-#H3uIdEGj+(sy$a9?%3N=TV2awqnfXuG*MUSjcd7jYO
zXguNLrk3vpr)4I`IQ<i8P&V*y%74we+L>X~$+GFxqx8naM9uVfjy#hyiT#q4z34O`
z)od#FG+-9{h#vcwORV40jR)#N$l@)uhDjm6?Nd?V#d|7Bjl-&*T%?*(*LzO==gp0W
zUwu)7%z!GY&%~!~V(#6l-H*!9*POT+z;an|D+mkio;o%FzaN$)IPHOd&mn%FPp8|$
z>-X<yXPI-zIYJZJunMF$UH;13;qv<Zo=f{$kc}-D>kLi&?Ht%_phYs+{|ACY-oIC;
z_g`5r8b=v6#xn9h9XCt2<n{1By!uJ{-G-ra57t}KHT2s<<F%CU(qSN5Fs)@Ec%8fa
zWHQy9s+wbiLQ?Oq{TSu{Q7Q;l>ll--=MBD>-GxOzm<9C=2el2f#)MZao|cwMn28Q1
z&juP4)cuaS&~LXw+=Nw;P54T4ahrb0x89FBv3^F6XPlWGr7>T~jp{zxOFug)zo>M#
zn;8=+a#fFMh~;TF#!~_wgEnyMB5WN@c1nb*35E%_#gcN*zV70yc|k4}s^J|cKSRsJ
zYk0}R8Rc8G9b_H3VFhYoTG-3=WK;A#1Ljz4PW_XMTlBGhmEn08UBsz>KKj~pMJDN~
zY#Rod8nFV<-l`CsOm&7&zp>Gr`q=W+c}5{9#b#!L`Kz1Tmo^F=zMa^-?onTlyM3^<
za!C8xg^Z5xXqLR?%KxblH|s?xqBm!Bzp&|~Dzh8_Dn_!O<&3loPn#2%|Iz+ID{6}B
zew5*U<8tBfAi*J@rD845sVudu%C~tp-}IUhEA%c1NcEhkSNZ|Vz>}QKNvqfFYN)IF
zkdIcRe3(nPYT!2iVs%R?O%SCr(WhN&{5`f~S=qRyV6pEhdz{Y2S6(jI_x|09uW-m`
zwIQ_Ql_ix*^V2euef546z;$xHln2{6(z9-gS8&Mc$4JHsm6xzaH0+IbWw`Oqo90HZ
zX!0waoK~<h@msD3QbG|WP@<ssZwZ;Ee5}$q$C-UUuk26(b21Kjg#iXY?lJztvn<UO
zCTZpxR2hpRbDvy;PFK%`cL%5R<wjaw_MtMifhGJ1AquWo4s`Bmx>5Ebni^X4fd>ZD
zexyPs%E2n=c;YnG;jX@$J}&Rjtr0CwXGOnu-I=reo%fBgf=D#lWpgd|o|x+x5qFrA
z%UHZVZ3itD+Y~UxzYxyE=CN!QG7;LG_jb&I9SvovWkvdZ5*bRoYLm@JuyrtA1TsSJ
zk5eSir)<k>v<vNi_}LX%J)ugPQ-eX$GpaTvF-mp-0V!6_6&A&urjccA8^f!<=))4Z
zX+SOl)VbH)(62mtk40LX>MjA3M3}yu!?+qwi-p27;AD~loH%NF`+O`!i%Xrx?0ep|
zh_P=wM$)sA*d;Q@p;~v})$uG>c;u`1l70g#<>Xfrk#)8~4wS`HFQsy7thwoPw5{_>
zV-iJjgbpU<E3a!YJbGn$4EF%Bgx31-3E?qw{_>L^1tQKW?t8oMqB~T<g#ZJhXu9t0
zt)NElE2_s{9XxAz9hJXdd|Ho)B!t1y`*S4uzUV}Ww8#zy9n(#71z>|z<81S%^h~Qr
zHo<Iis;URn_H3es3WmZ4!<}(;Dn?S5Ei)q4BYh+g-(?ASWCaECsZIk%Wz8ja^(sJD
zk#H>IE47m??^4SPjcpgBS#d3?h&!g1R)VV6cS_2>vPew>wZNfmKYZKM%W9N}W<I(P
zs=&j>|Bz4b&X6>G(=Zo?S9Ws&*T{hzT9)d#L;>s9^3b_WN+FdrnlP=G##!MEIRYB}
z^$ytkNC5K$K=Wl}UWR8*>M=GRh<gQLEMSM1-f>>v4xaQs!cn5gy*#JDie9Rgq7c%u
z_Ueex&oK0TD|BL6L_JN6%JXaoi3Y_DF@-RtRmlO0@_ziD+!K`7PR={{@ph^e&Narl
z`G`;Prvn04=$mZ&)^iDeECZXQ8rSjytM5S~9!Lb1{LS?EV&q&nvN2|LPl3G0w@uox
z>(oxBlo?Z%fXOccY-xF<lEWSR%><e1R*%O1f^|d!O2Y=AO3){zM|iK`fH$_L_(?52
z8E};jyS{Q3N*^1;vKnq0Rl7VhJ@AwwbBMgOiu~2pWS`#;B9V86+<6vDOtAz1xB6pz
zz0}ctxMKkD3~k1h(AY2_XWd<=`{;IlMTjbrSS=KST-NIuqq9UTR~8E3w+UZ2cRGS9
z*1tREsJ7Mt%S$S$pbJKpbFudQk(-VJL<sZ0X>qhBk89txxW1ZNc%Ex+BJVKTKV)M7
z82Q?DsG>}-bNC`1b&yYMV}mc7TZ(&P#cdrjjlB~H*^V%jE(gsoi}g~VcLhmriCKV0
zPD?I8eN~!RtN`tw1EYSk=8%fJ0Ng}mX^TYwFNmu()2f^UxY~)K@2iP|Bb64s&VeGb
zY-b`AOwP8)weFj?Cj9%0*0y+b3vzLV>wNXsNeF1-J^vt);A*i9rDNX%Y;0{BGWvsh
za{3NkCghb>Mw|V8b|KhD30Nsa-xWUT7o)lc?)4f^-5%q*q}V!uMnAdYjKsr#zE=yr
z*UGyx4OyJS7Ql_Ua$zbcc+PGR?J0Q)Og}KfUBl9s|26uPdnx6|iHKQRX+ihGH!Q({
zfh&1JR>p{%obVM&J^wu251!uQla8E;sg&l8d2wi;Uw)u@5FM!Zx4A4OqR2^CGa(gD
zJ=ZwoZZKl5PgwkTmfvr?6WWdJHqM?yhPONBHTB^JHG=OhP?F*bkPq_@${rErqkHdY
zbP^IeXE<;)4lPO$EW)Vm%@D|Qry*aek}9e(zy0)7^S*P@ZBDet?L_H&AlA1#faTQ7
z)gf8-PmRqShMT8KGaf<9ZRCw`U<w#EZKeWelpp2cnh(CAe)T64dB_0Ne<$}eGAbzB
zJ)Rc`cl$*-VR;fe(jEpjlz?9d*%dJI3>{>tJx`J#LB<6hv1<#56XN?quM1p0U}&-K
zUFd^-`U7%Kf8V0S08^-)BS37%^os$wei3KoTSN+TH{`b1WB;&wh}X*?n6sz(9S9Jc
z)}*4gbN_8Q<LbO>3gGX=&tdoeYvTUZzzE*tM*c4uKSA$u@`)3*4R4<%a0wGTZJeP5
z3m6Lg#iXTN?dIGpVUV!e)F3qYz5CCcaJD6YQM4&WdUfo90%phOGAW}orz6~sRO8KC
zCC>a)m<F;gpq|5B4<pP~AaHPUF9XBuZg+p+UF>%-<#BFFVMfR~yvRu4S*Eb~ug4+z
z3it&`L=Bnv)uYO<Lc6&%a5S<;L>dEJw-@CHLLP08dQQB{mXdX5rXiO@6uZ$dm6zLU
zW8l_fvQ8Y`?xU>{bk);IRw9yx3{NE&B=+&fXg^fOMPg2UMQGH26s{QhJ{4GQr%NKg
zLCPp;RP~7lj&?2#+6&}+hyUxu?~nTMX{0C|KFtcD#l8ZYx`3@W#=A!VDO1{jpi@`E
zw+lBWj?@W>vlxgQIV?a;L>mE7Ex0;8c9570luF7+EZgp2egWjB39G0=%(pi&5!d$h
z-e&u>ov!(@51-2p)Cv%ljCezBF=7ZF^pcXh7TiGNd#HgU6!hiYPAzDNbK_o?>G4P;
zrl*iMJc@@YwA$t;a<uHj5qs(Ud8Ab0MX5JLz_7Q!%9A7i*Wwl{0mt*}wS%OgbsvVL
z{-e>)WroYP7AI|dwaF|0b*&zf4Q@_*Kr(B=^yQ|m*Pec*{*LYmlvum?3jIgc@SWDj
zVbloO3z?`Tqg^2$`Hh{S0b-;_CO&262R*`pB?$%d1aYXVZc7kZzo%){1&8n^y&pMa
z7L|dTxcaSivo_!#`B6w9%jF@~fM`!@Q^^es3WTcH7n4l4ieV2jSw9n=Ptr_8;s7Rv
zDoV%2J|bdjka<`A1`qwrpg<DhG5#Dyf9w!)Inq*~xm*D0(1*Y|5!<Nf8@Ln3hAtx|
zyu-NKy#5RvIT-^WSQm^PkUS2>H7>*hXo_>gPBoRQH;5&n=@In&pN|ABDJiyr{z&lK
zY36^6?_<^Koqw!9^xUBL*BT`@-S~f!9;}*@OfCtcHTCCvWK@kSdL8ZXlc;;yMU=!B
zlC;SHR^pS-1vijEP2j-ijDxLP=2d8H?D!QZpw;!<fxZ#DL;k;pL3?j^&sLBP7YJlB
zu9gQ@X1*Qy-<KC&gSE)*b8Ct;D<;F%c2Yar(y|eVy+glFwX{I}vtt#WM=t(>B_Wfx
zG=_mOR0@;6dDeiSn=-rqkIWzw2AZ+ki~{iVHOPkClxZcoamHEU*w;hZ=l{8K8-O0u
zms7)$-d1FNLeM<psL|)M&Ofkcq&%}rBXU#UL;m?fqYSaF;qH|9fS?I{RV2+7rX%T{
zy@u12O9Nki;3nijaCZg%#!cQ*ssUZv=o)%XbiVQ_GBd4A13Tl!blO{p=`0B4FS6Po
z2U7o8>n$)fDevY<>$zAHgmNU-f2b^1`=&%TRVvV?&S~Ie#Nvp68sx4vH4u!#N<{)9
z#WY!vd1X;iRAuL|Q)zLo!l9Z}ll7HE3jmt@nI(54fR2GBCB8B(0`YQQTdbeCv-ur=
zD8}DKZoHW2t|9|U>q1GH4a!99-pqrNYKmB}$#uA9u47IVs0`KQ0`Vk5ifaOTTQLsS
z?@#E}DCx6yUCyD0#-wdcMaK2S`Cdo1lZLJ<`@z^>p>dVO?osQ~z2ZrbW_5ni1Bqy`
zLrJxrDG>w8^uRI#l<9DEzwPR+4U%fyBySKL${%<;H<!}qM#>%HF1maJ5BiVTw2(F;
z^i__e>o1@j4x5_>igy;xD%eXVf5^mxv-k&hNfN{ps3w$cDYTIeixo>zN_5NT3r?O(
zJ2+!`x3yuBOmpgH+8YU?n~c1~`YB9&(^q4pFCHKt4TnDsmHkMMvXieWY0OelL@V~X
zxok=x2UC;Aq(lu9Z`MYMgh}w*b^0|gTfxKi1>$V|bGPTh0u<G!N-Cp@iLNp6`S+0(
z{J~g~^n5MOyug4r0~9K2F8Me5eBDXvTU_MO_xJKa+DX8W=JqZVk?oLMH!yIst@<^K
z^?TqjS_JzJxP9%POC1o}EJ;onZZIgqbeFp%sexW)1xQhtStTi=5C7T2pnzpIB|9#o
z{8!!(q4OSOL3eLV+Yc|2pZJNtBTZH2&wy0|DbJ_ZzFWBhxFCf<+1shcbs86@OxMrc
z&Ue<JP$~Hq^ThrSEb9N>am{#OJEBopw`nqy4ED^OH}#d5Nv`4K24gW9`1;S*Ap^aW
zpkdJ0K;pom49gol^gvN@r!(NMEj`23u*ySWf89B;5AxvLdQT&5^}kLLBZj-M@`aNv
z5Kac@?iGx#ajCNYR-e0Y6W<OR94?=uj978;y;1IV-_n^w-}ry$h14f9J#4^(o%Y@D
zxMPZGZ|F^}0(VBqjp)rZML@LoTAY;S;;bwuD>lI>hD4i(GhPmKi75@2GDeQ6rw{@p
zq+9xc0BNC6)58uOxA3{Ffa%i6kKCig2-jo4@0)~KlemaJj^R;pklJ^0<i?+n$d9+H
zSrO0G@0qY0evVWRpjknW0@bMWOP_ZK+0dKBK$m*c?Gjr_q2ais!)%olE<RdG@-&rr
z#@t~l<SBtrlw2*k?^7Y5cgNh)r2=tIpr0BffgvL$VYKs$%IW}b#+7-K!C(HvRf$b;
z@#DC`iq!!!XUq7nLups@c21M9y<~mJM)|C|Eyj<$gX$i!47-LH<|EK_AWCs!O?Gm1
z2a*<z8Esox6einV{4>;f#eF9BH~)M(l=sZV%BPMoK|>1r@_qHlNRm*xJJpOVJLO3c
zHJM#dPhR~#A0r=l9vIJEprhXS{rINywGsFWG6qMGxpR*O7Xyl5gq&M(uCjd|iQ2bn
zPmn2C_EJIAb|Tlzoo$ubB6aEpZH}tX4T^I#;}ioyJt@_*Emg7ON&&>Z>j_dIxv(wL
zH5ey)YwW{hhiMj2MTE@$Syt_a*eE4x@-t>VJleTxX|j~K{4cVmx;1=6B)%gUFD#w-
z^z+>L*DMQ$mlHT~Eb>_pxd~~2>uLn%sM^ec`chI^t%u!vY_6!KxL0;rwv#>GnQYlw
zJV^lqVATvxiwjr7L2FTM7AikIA<r*@w7AiWjP;ifqeagGf4{LLzV{j?|7hY@OP$_H
zkA8u`(&W!wq^N+@J!sms`;wRK9jj~k?~TfeN)R`a8hl~}8ry|tl%oMTW`(N!y1m=b
zm%i7}k9_f;Fo@Ku2`9lOtoOm@aJ0?ePn|AOhQY_I>x*Mq%B08vIMwPtvODWNRum~B
z&uzJwCL85hdHv%w%>_Z`7iup_cmG-UR-w`|N0&~!o`uN-906~zZbl-oMH99uErj&E
z#(Au%u1fUbq?uB^G$CzKQaz*dtMVdmNCQ&u<^UmVPmHf;uo@0lNFVx+Uh{Vg+Nq6$
zb%$Yx-mI?~D_$r19jZ8YFP!Nfwd2v=8vCV<=_HHQ!GfA$9<3RZUzHkENDs1GwO`>;
z7h{)~ZrvEQ9X}B)-bb)Vl0^3ICZhW%B&AG;HdkGq`f>sCFDc<UGDp4hn~!bT?d=W<
zUYUm)8Ms?u_2Yw>yP1YPT)2f_rTI2)<1_N^8ood}Nx`XCq^b2Md)2g^Gy8@z(@>wV
zJ*+zH?BAs57>Hvo*sLhMd1~EaiSo*xJuEXC=g(dml(ZohAsb+DM}1uL(%GCjy3O#<
zsj#`0QFsw5b9tn^ISh>$(ph<zWjG$}dBU&9F7jsO>2$v8P-x{L!k56R|HX4XVlUC|
z4zL^meG6~?b{&R8Yaa&Qv+PDXOWwrTmL~T5H3=GU7Y3ESX~JKHOoy#E#Q>14<$8Cj
zQrLaq``DpDiWxmZ)^sJfW<~W_Hpk`7Y^KrnO%9}!Du}5Q5=YwOU8}e#SxUr;0s~v8
z)G`B%c_9sw0pR=05wBk&BThRpm9s;+4TyppN0>jEG^O$WI(VFWv18fN-=YHB&wEz6
z02}mT5E&r`Mo2A_F0Rcd6W9(7C;)>YWl$h)mlO&NBxj=8*7mKMxt>##ff{7(3Vwh)
zrpl|PI+b#xc%I<%smeE~dvMlJ-7|i-3E)GJqWJse#lpyz`<{KKhRdUCI{A%mx++@;
z=c|bvu>pfRUo6;Db(0u!a`U6)WY}JowX?>=*wL$dj^QFHyS?6&cAB>@|5lU9D*$K#
z?Z>kaorPIhSkN?vV{_9JJL-oByp0R`i4mcWdPvRn7oB>B8U)4Z6g8s^kJXt@=v|9`
zrOvgy!*+&aR^-D4Ze!}qF6U0Jc1!e^6$wqjfoDJ?2XR9A6Ug#(`SD>{e|h{`Gmv_#
zRI^%Ft>zx!$3qQ$I351pj~x!aacd>NkvJ0!U8r8nO5YH7zd!Dk*f~F!k?;|_a#gV6
z?Vg6Pz>JottJ`8HAk75I9s+JR6AgZQ>UBAsUJF>U*=xmCRf}_{2If)|Pr$<Z3j-Lt
zyEl@*I^`ea9_M~!q}Ae}#kJLGkAvNj>5GYVV<dxLdmywnJbvl2P$6XJ1dJhl0cWg(
zg?$7;oYl9%es%Y-h{qLG$|LqT-|?WWBd!-_OuJnD<kLX``-C6SO8||&k_Aq=q31(8
z7za2yG;e#{;E!Oc+?>}D<`(#AgSnOz^J3(@Rr&9QgKWXP@(UfaU1_rTy@?3^SdPr~
zCtWBX6Hg&MbAzwv>%u7}llGHE%sL%5k~IzfVaMweRkIL81{{WkxCN_dlS2-7-b6qz
zNQcNm{f|zUx+)VIGwQ4FX}nnC+gMyk)ipktXSQ+BeuJ6+zVTz0;}7Sqol?Wwq71i!
z>qvb7#*j&2DD(+?LDv2Ahh)^cR?Bqlr(B1Ckq@>HO85?r3}8+bF*5|(`tpDBVNYCz
zpeCXg`ry<D?{}^DU1X8$OwzHql(sO`?3E!z5Vky&^_zLFv3=*tjf-MdQg;MeWG&e5
z>i$?hml)QuV#TTL`Af|t>V9R39^=Bkvy7K(f|5&*;f6#B#;uD7b-j>{ppXJ=unOO}
zv04SiWE1n-F5mQZ+p3FOqib3k6)jbp^Da@>*ZK6(cGIU%XkulvGs7a3@=>Yz&fx1W
zscbD;oI7lM05y4PcEAmV{wT2%{A2bvv*CsLZFV2^?gNu_O}WxL?yFYY7MD(8m=#!f
z6^6*IZ~<LdW(Ntoq0*&<3OFKonsQCV0|>n2l=8gqgit}66P7;~S6qK_2dw41K*?{T
zJ38@mc0CRs+O6HVsuceEywhHeUU5&+ue`3F$REv^yY`|nDVSx*8(npLph-U|KPg}<
zxTfs|<NW3gvm*SQoBl(*_ckkLbs_%;s|Av2R(gV(q@MijJK8T1mJk66S6lzBuaJ3_
z#axve|53?-BY9qLz#(lG=pG;Gh%bM>_O_J_dRBnu@I4wc6mHazXC-T4Udz0|wFDtT
zGS%UoROzgFq6hv3`szugUJj1(_9?0f5=ElZWT3HRLU3v~^eYiw^C{zQ)X??}ImU|m
zL!--~(x?D!PG7{V=4eA==gjA4j9!o!p$qtuYd0ujf!r_nXh$1tAhG>Th#E}_8Ce6$
z_DBqApf|yIc5(N%-jGx6Y(+C8Zn^?f!mAnQliwOo<NY><*L~xR>B%;P=LLMpa6@*t
z;7~8l-TVhm02+6ocOf1W79vp5HcGZx?gl)GgDClft36HS<l4iy+C_A}>n3|GvDs7(
zz!D3rTG4S&c+MU25TPZdHPulL)y2?JqTNI%EQ<W|_eO$Wm{Jtk=eR+36+z_ON?Ma!
z;5(rnE#^Nzttm=4$ixN%&1Ts3N5@Q4bVLX^Uh2KRCuIp%OoMk(Om*c5I~ep-43ahY
zFJ1>(sS}tR?-O?n4ysJL0dPcDzw@H!-rS<o44T_UH(EWZ+}=kk4-cl0Kq^Cb9EUy&
zJs7OMD`bU?pj>%(XEL4{9Z{e>lGXhJ&onKIS(vD*^HKCC1+I<|uVE=)ch^I?S33kh
zEv_^Vw@P2O-Xfe^A6e({F9RCzB+!5Z*oxczkgi3DBdGx^iRb3#C2xJ#Wqu3j!v%&?
zlKk10{Pw2xT(Q#)+nOYO|6ZS>J*^an>syaU7?qN;x%-eBuF|Y+^hh|PAb#aF0U;M-
zu!u`}I%ZQKlRfBJOBk(CVn>Du!6nDlceQky9Qc|T6^O-!mEVfqd_2k-I)%cCZVT(c
zCt4W)?MBX4g!PEpV7wF(f~7_dGWD6H2~|gBEJiwjQG*9$!;2GRW^LY1KF<<b**rpu
z(uaYU@WJ$GLEv;lE8`{H+S(_bDl4(qHOxVSjhx|d3R&Ts{>HX?Vu~&taunvtHx(T<
znMEg0G?0v(!r`^X6@9)&4csBc1y2t0hcg75f>o}uxP^;?+xHCNAaF1{5+JOsb~_6X
zef<6QqnKz9W@;oaAx@q7mvPgNB<NFXt$=d4R-@*&IH?<bfvh8=baL!2DRm)%@bkpn
zMZ;6&{42YfdPrn!V``YK5uK<4d^>wDb*7qIr)Jt2=w|n!@uR$Bl8P=BlKr-XdhoQe
z=*^;t$tFM<^weiNAtY%EAtgxJV9vLok}LJ<o7a4wPs&uZUF`FHs${k_-nnp5AbxgK
z9MK<6y(HM2Tpm+xs6&uF!Y9vQ75wwZ0pw2!6zV^v8DeUE-#uPPw#lA$SM@R+?(%I<
z^%5cR*J?vR;7nwL{f-?enm&U8{o5$8C$(9q$tD8if#$fPJ^3#kQn=t5IcVY`vXq8>
zLvu=a#Rgv`RB5CKFR(`vmPrA;VWlZ()7Y;~=~DH`G;WZ0)G*NhwOr|4^kG5Z<K4e}
zD|>u`Ts_Tx^1|J_K_4;l@fF3!ex0^00|x*a<T52ZbUtbk5G*?;_-Jgngz851c9QwE
zk!yJ0=+uD|3`nMf!b=Gj`u|cMt1xgczn)M%i-fMHpk(q)>!(C^e_qHC@3P#3!MtbF
z#!lReyO|`2TOhg6!{2*G!$7n@pAl&*=SZi1Kbe-j+u(_Eh47;m@~Epmm4_Bxwy}Eo
zTWSeg)t{v_qmk91G>zOlr1Dg9UgG6AwfS{6K~@;X*ON#hQY3rHQ#*@4y9xDz+BPAq
ztO=K3+#f#QFWv6kQdPBKC;>8>$N?Ft$>w)9>uBIUF_+HjG^Qht76PPgKFz(1cFA_n
z^40`jx<m70OjXKMsT_;>7QJi!EA!?vt$0QRIaa|3`c-e$l+~>3y)t6iQWNS`)=AQB
z9ddls*qN}tml~<Rb;j#rQ)ExQ99OkYZM|*VV8t{P1`V2zr-bhUgy})YpLm^jOFC7(
z$WHKP8jZq9(h?gv1`0i@mQFf1YZI?fvpA=k)}9okaDeGpz%l-0R|Srl8IfWuV$o?2
z#t9a=<^Mj39H4$ksQMk`B=@ec-T#1%AQES>(W^@ZDIf95sZZ=HR+8a;HuI{HF}fzo
z@aVhVVxQoqDC)}}JcUx6Vu#Lc$I&9q1fXFU%x8&ZXI*F(WoW9LiDxvvuA2EY{7Hn~
zcVpOZ%jbJixWWor7tmoZPe;y|eKgY5y`@@*mQyHu_}S^O>32kyVl`llw?Z{@%sDNU
zf+}8*of@dP5(f!iOe7U7LYpQIpW@}jK`3voEciy}K{Fxcd(=!l6koV$ThqNnvhMbG
zytO4MrZCdv%Wwa3sULx(ZabVV04GmPhFG^%RBTs!F#30>F%&{F>2@66g*<*(bS%H~
zsu{+s<spOL0;}eD49Otu61ltjuV>3<5>#jEyJo)>b@yL9I}D?xkZL-6p=V1o1dfN}
zKN@RPCv3b!uNchwyGq7K(TzSKnPsxQujXOv(fe}a#QKky-mvQa{#T!Z4y$vmDEDyu
z?nSy+#-0rf;@vTg2qxwO+xBCY+}?5Sun;>_cN2aqEUgQj(qWHh{opxjgq$((u;aZz
z7xSCLqX}QgI_#@X$Q??3+*<du@AR8JcZrpfAlPK4FS?D>PyZB|`YxSZdFY}6VJS+~
z=j~Dv0HYw!ptM21bMwL!4myrjuHk~CV^{0??=*`U(A16L&2p~ZDA4Sti3z~T$n!*9
z;b?gKG&PB(z*t@sNj&a`l6LIYX4_&PWb?rJUVYCOiKkw0W1hZG1nUZsBgJtjdVc76
zW_vU>ZHhVJVPAg~IU!07_R-gLmxu0Wl$^O5LwK_xc<Dz6Swqw)bJ!_Nz!7FsSqXYK
z2l@1?@FH4!6VRwD*7c%#!!sXomu4M83aF+}y(^mw3Bm-W3&153!jD`hoE0{B9_FSd
z=4-A$rM$pi5*U0=Og=G*KG3#kXC>RZ%2jOR4Hu4mTtg^Q`RKtBLI@XSRpe6Qbz~O>
z*gF6&#RM|rP#ipK23))vK)`bpwpy#N2`|z6P&1ekbrM-}Tfb)q-)Yy09o}c%Xd&%Q
zrfN-AI!qy3i=wGL$VzunOj-3KMM~QDUOIhhb;IZ!=OxnzQ)ljPtS)l<dknOYS#elh
z&BkkIR!<APEf=N?6rPWBzPXJnKQ2wkw_zH(&c77L=5brEs6Z+Cjj&4PaTgn*hVtv-
z-E!GY6XyE~$s@y+Fl|UzB63{AzVpe7Owuc&*Gq=WQjfEL@1jT+5lca9hS~izi5IB1
z(bg^-@U6~X*q~Tl@lAD2Z8Y<8P+a(mK2M3QHQ@7)LibjewT28;*!eIHzGf@+>&bk}
zwD*wW@7c=J46`+*r|U#6J9nr0%p|(V>%E}H$jRM|zNn6Jp}64k;nBa!yvUj-ZubBE
zhv+l@Ck@y){u9D~LO=q5|1{x0A^f*H{I?4JTLu5Eg8x>*|EH?}lS;0zN1*SsxtnCn
R>pk#KLq+F&zOr@5{{e@yhEo6l

literal 0
HcmV?d00001

diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/index.md b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/index.md
new file mode 100644
index 0000000..6e3003a
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/index.md
@@ -0,0 +1,9 @@
+![cnoe logo](./images/cnoe-logo.png)
+
+# Example Spark Application
+
+Thanks for trying out this demo! In this example, we deployed a simple Apache Spark job through Argo Workflows.
+
+To learn more about Spark Operators, check out [this link](https://github.com/kubeflow/spark-operator)
+
+To learn more about Argo Workflows, see [this link](https://argoproj.github.io/workflows/)
diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/spark-operator.md b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/spark-operator.md
new file mode 100644
index 0000000..c7ead4e
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/docs/spark-operator.md
@@ -0,0 +1,86 @@
+# Kubeflow Spark Operator
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubeflow/spark-operator)](https://goreportcard.com/report/github.com/kubeflow/spark-operator)
+
+## What is Spark Operator?
+
+The Kubernetes Operator for Apache Spark aims to make specifying and running [Spark](https://github.com/apache/spark) applications as easy and idiomatic as running other workloads on Kubernetes. It uses
+[Kubernetes custom resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) for specifying, running, and surfacing status of Spark applications.
+
+## Overview
+
+For a complete reference of the custom resource definitions, please refer to the [API Definition](docs/api-docs.md). For details on its design, please refer to the [Architecture](https://www.kubeflow.org/docs/components/spark-operator/overview/#architecture). It requires Spark 2.3 and above that supports Kubernetes as a native scheduler backend.
+
+The Kubernetes Operator for Apache Spark currently supports the following list of features:
+
+* Supports Spark 2.3 and up.
+* Enables declarative application specification and management of applications through custom resources.
+* Automatically runs `spark-submit` on behalf of users for each `SparkApplication` eligible for submission.
+* Provides native [cron](https://en.wikipedia.org/wiki/Cron) support for running scheduled applications.
+* Supports customization of Spark pods beyond what Spark natively is able to do through the mutating admission webhook, e.g., mounting ConfigMaps and volumes, and setting pod affinity/anti-affinity.
+* Supports automatic application re-submission for updated `SparkApplication` objects with updated specification.
+* Supports automatic application restart with a configurable restart policy.
+* Supports automatic retries of failed submissions with optional linear back-off.
+* Supports mounting local Hadoop configuration as a Kubernetes ConfigMap automatically via `sparkctl`.
+* Supports automatically staging local application dependencies to Google Cloud Storage (GCS) via `sparkctl`.
+* Supports collecting and exporting application-level metrics and driver/executor metrics to Prometheus.
+
+## Project Status
+
+**Project status:** *beta*
+
+**Current API version:** *`v1beta2`*
+
+**If you are currently using the `v1beta1` version of the APIs in your manifests, please update them to use the `v1beta2` version by changing `apiVersion: "sparkoperator.k8s.io/<version>"` to `apiVersion: "sparkoperator.k8s.io/v1beta2"`. You will also need to delete the `previous` version of the CustomResourceDefinitions named `sparkapplications.sparkoperator.k8s.io` and `scheduledsparkapplications.sparkoperator.k8s.io`, and replace them with the `v1beta2` version either by installing the latest version of the operator or by running `kubectl create -f config/crd/bases`.**
+
+## Prerequisites
+
+* Version >= 1.13 of Kubernetes to use the [`subresource` support for CustomResourceDefinitions](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#subresources), which became beta in 1.13 and is enabled by default in 1.13 and higher.
+
+* Version >= 1.16 of Kubernetes to use the `MutatingWebhook` and `ValidatingWebhook` of `apiVersion: admissionregistration.k8s.io/v1`.
+
+## Getting Started
+
+For getting started with Spark operator, please refer to [Getting Started](https://www.kubeflow.org/docs/components/spark-operator/getting-started/).
+
+## User Guide
+
+For detailed user guide and API documentation, please refer to [User Guide](https://www.kubeflow.org/docs/components/spark-operator/user-guide/) and [API Specification](docs/api-docs.md).
+
+If you are running Spark operator on Google Kubernetes Engine (GKE) and want to use Google Cloud Storage (GCS) and/or BigQuery for reading/writing data, also refer to the [GCP guide](https://www.kubeflow.org/docs/components/spark-operator/user-guide/gcp/).
+
+## Version Matrix
+
+The following table lists the most recent few versions of the operator.
+
+| Operator Version | API Version | Kubernetes Version | Base Spark Version |
+| ------------- | ------------- | ------------- | ------------- |
+| `v1beta2-1.6.x-3.5.0` | `v1beta2` | 1.16+ | `3.5.0` |
+| `v1beta2-1.5.x-3.5.0` | `v1beta2` | 1.16+ | `3.5.0` |
+| `v1beta2-1.4.x-3.5.0` | `v1beta2` | 1.16+ | `3.5.0` |
+| `v1beta2-1.3.x-3.1.1` | `v1beta2` | 1.16+ | `3.1.1` |
+| `v1beta2-1.2.3-3.1.1` | `v1beta2` | 1.13+ | `3.1.1` |
+| `v1beta2-1.2.2-3.0.0` | `v1beta2` | 1.13+ | `3.0.0` |
+| `v1beta2-1.2.1-3.0.0` | `v1beta2` | 1.13+ | `3.0.0` |
+| `v1beta2-1.2.0-3.0.0` | `v1beta2` | 1.13+ | `3.0.0` |
+| `v1beta2-1.1.x-2.4.5` | `v1beta2` | 1.13+ | `2.4.5` |
+| `v1beta2-1.0.x-2.4.4` | `v1beta2` | 1.13+ | `2.4.4` |
+
+## Developer Guide
+
+For developing with Spark Operator, please refer to [Developer Guide](https://www.kubeflow.org/docs/components/spark-operator/developer-guide/).
+
+## Contributor Guide
+
+For contributing to Spark Operator, please refer to [Contributor Guide](CONTRIBUTING.md).
+
+## Community
+
+* Join the [CNCF Slack Channel](https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels) and then join `#kubeflow-spark-operator` Channel.
+* Check out our blog post [Announcing the Kubeflow Spark Operator: Building a Stronger Spark on Kubernetes Community](https://blog.kubeflow.org/operators/2024/04/15/kubeflow-spark-operator.html).
+* Join our monthly community meeting [Kubeflow Spark Operator Meeting Notes](https://bit.ly/3VGzP4n).
+
+## Adopters
+
+Check out [adopters of Spark Operator](ADOPTERS.md).
+
diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/mkdocs.yml b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/mkdocs.yml
new file mode 100644
index 0000000..ba91633
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/mkdocs.yml
@@ -0,0 +1,8 @@
+site_name: 'Argo Spark Example'
+nav:
+  - Home: index.md
+  - Argo-Workflows: argo-workflows.md
+  - Apache Spark Operator: spark-operator.md
+plugins:
+  - techdocs-core
+
diff --git a/ref-implementation/backstage-templates/entities/basic/mkdocs.yml b/ref-implementation/backstage-templates/entities/basic/mkdocs.yml
new file mode 100644
index 0000000..c8ae223
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/basic/mkdocs.yml
@@ -0,0 +1,6 @@
+site_name: 'Argo Spark Example'
+nav:
+  - Home: index.md
+  - idpBuilder: idpbuilder.md
+plugins:
+  - techdocs-core
diff --git a/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml b/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml
index cf9b024..8893792 100644
--- a/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml
@@ -3,8 +3,9 @@ apiVersion: backstage.io/v1alpha1
 kind: Component
 metadata:
   name: ${{values.name | dump}}
-  description: This is for testing purposes
+  description: This is a basic example application
   annotations:
+    backstage.io/techdocs-ref: dir:.
     backstage.io/kubernetes-label-selector: 'entity-id=${{values.name}}'
     backstage.io/kubernetes-namespace: default
     argocd/app-name: ${{values.name | dump}}
@@ -12,6 +13,23 @@ metadata:
     - url: https://cnoe.localtest.me:8443/gitea
       title: Repo URL
       icon: github
+spec:
+  owner: guest
+  lifecycle: experimental
+  type: service
+  system: ${{values.name | dump}}
+---
+apiVersion: backstage.io/v1alpha1
+kind: System
+metadata:
+  name: ${{values.name | dump}}
+  description: An example system for demonstration purposes
+  annotations:
+    backstage.io/techdocs-ref: dir:.
+  links:
+    - url: https://github.com/cnoe-io/stacks/tree/main/ref-implementation
+      title: CNOE Repo 
+      icon: github
 spec:
   owner: guest
   lifecycle: experimental
diff --git a/ref-implementation/backstage-templates/entities/basic/skeleton/docs/idpbuilder.md b/ref-implementation/backstage-templates/entities/basic/skeleton/docs/idpbuilder.md
new file mode 100644
index 0000000..3ec74fb
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/basic/skeleton/docs/idpbuilder.md
@@ -0,0 +1,46 @@
+[![Codespell][codespell-badge]][codespell-link]
+[![E2E][e2e-badge]][e2e-link]
+[![Go Report Card][report-badge]][report-link]
+[![Commit Activity][commit-activity-badge]][commit-activity-link]
+
+# IDP Builder
+
+Internal development platform binary launcher.
+
+> **WORK IN PROGRESS**: This tool is in a pre-release stage and is under active development.
+
+## About
+
+Spin up a complete internal developer platform using industry standard technologies like Kubernetes, Argo, and backstage with only Docker required as a dependency.
+
+This can be useful in several ways:
+* Create a single binary which can demonstrate an IDP reference implementation.
+* Use within CI to perform integration testing.
+* Use as a local development environment for platform engineers.
+
+## Getting Started
+
+Checkout our [documentation website](https://cnoe.io/docs/reference-implementation/installations/idpbuilder) for getting started with idpbuilder.
+
+## Community
+
+- If you have questions or concerns about this tool, please feel free to reach out to us on the [CNCF Slack Channel](https://cloud-native.slack.com/archives/C05TN9WFN5S).
+- You can also join our community meetings to meet the team and ask any questions. Checkout [this calendar](https://calendar.google.com/calendar/embed?src=064a2adfce866ccb02e61663a09f99147f22f06374e7a8994066bdc81e066986%40group.calendar.google.com&ctz=America%2FLos_Angeles) for more information.
+
+## Contribution
+
+Checkout the [contribution doc](./CONTRIBUTING.md) for contribution guidelines and more information on how to set up your local environment.
+
+
+<!-- JUST BADGES & LINKS -->
+[codespell-badge]: https://github.com/cnoe-io/idpbuilder/actions/workflows/codespell.yaml/badge.svg
+[codespell-link]: https://github.com/cnoe-io/idpbuilder/actions/workflows/codespell.yaml
+
+[e2e-badge]: https://github.com/cnoe-io/idpbuilder/actions/workflows/e2e.yaml/badge.svg
+[e2e-link]: https://github.com/cnoe-io/idpbuilder/actions/workflows/e2e.yaml
+
+[report-badge]: https://goreportcard.com/badge/github.com/cnoe-io/idpbuilder
+[report-link]: https://goreportcard.com/report/github.com/cnoe-io/idpbuilder
+
+[commit-activity-badge]: https://img.shields.io/github/commit-activity/m/cnoe-io/idpbuilder
+[commit-activity-link]: https://github.com/cnoe-io/idpbuilder/pulse
diff --git a/ref-implementation/backstage-templates/entities/basic/skeleton/docs/images/cnoe-logo.png b/ref-implementation/backstage-templates/entities/basic/skeleton/docs/images/cnoe-logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..63b8f228ef58a42a758e570331053afc547df964
GIT binary patch
literal 58052
zcmeFZ`9G9v{68*{rH~?`;&6(H5g|JjN+C3sFl5PYWFKpjQ_5N?`&L5P_pyzovSr`*
zv9E)%jeYoDw@$s!`F`G?Kj8Ctocf`=d%2d^@_en=yt=QZOh?N`OGZXUcjxvkO)@fy
zbuzM}CDg~jo%lXaEpUV0>gLV+HaC@TB5je5S`Lp)&6UmV%^j^wHI;9WkzEfCh8tR*
zgEPs-l;rdO+2YrglJb^*U-Vspt!DdQ1GD?)`F2BB!fXo^UN<ZZ$5~wxnb`Yeby=24
z;bisa(Xi12{c4^+tkV|*1wIzs|48A-yVbU%{Go$|245nQUlvwugKZqzo{lB>%;21s
zaK~R4U(pZ8T_nH4mL)LNIi6oP{r$V7bG3IHop+l6f5>~j_m_^aPkgN$SR`=P;(9kQ
zn+F#7tozDGUJgI+%eel7Yuub{pSdQ_@F|7DZaqz}$rjCbDce}i@l)Rl$#hub8J6=}
zquvO=G*Z06n-;YHeefmK4EM%E3M!}N!4PTD&zYCG8WkJF(xcV5JF$MdzD0_|Hs1&R
z)I;-yyqQLh7H>rGIfjq<pG<&H4mrQf7PQK*IeB1SVnwsUO=ehD{@jsvMfSTX+_U`L
ztn-&N@%AeI)UGItlOulaF4fXMYL{;96<#%prFHSqj6E^UaDi-eoKGOfW0U(rj;a;k
z%f?_GOR>7ums`ctXC9M#F9}#!N%po$BtH&NxUv*DvC62OD*IjMOMJu)l92$0srI7G
z3q<S*=XxQRJ>rh5PFxiA_*)5<<7`0}VcLZ&H|l+L3VA-AG%9lT4ILk<R~-!daU`KK
zfo<x37)RKmf$VqY$lwO~>c3D6%tFSeZ@uPZu=3J3PD-U^o3;Efn{4@Et9x`|<m=__
zeKO1g>-~ECY`f5nlmqVNwzRJVOE`D=2_KYYx=S0)V+Zc8t9M{`-ui8w;|iM;I{QZw
z=UbizEwdoAc1aa_(YkOhC$qJZ_Ab;BZp{So!1BOZH-*}L3$w`4g4P<91o4x7t$nRF
zKi>D+BP6};bpp$jv=hpDoaUVWv|zIqaIPQdigRo|_-ZuMn`1O1{_w;;mCsRM{Gc{Q
z6o0Kro7TG&ssCMhO-9X3Hdz2}`zSx@qn@bt4mn37nRkhM8MVbR{k_S}2D!I34V!N{
zF8NO2CS}K3oDv)po{T)LHyjmoG;%b0!r_#lY~6(-T(eoqPRga7wu;agO1SZ`Pe7X2
z?77U>Z(q&ss?RdN_>1Nd%)?bY{d6#kVcD^|9Hd#gcg9neFHQ^g8Tmb9au1ZkkMVe=
zOb|qls@YHc#eGNaEZ1|pGLOF&i7Bo=cVz~$(X~!1w$hX)UPfNmWSQi?I{2L(39Qgq
zSm|<{%WI?`53-6YD2$#D_|`BvVM3cN%y;I*R8=A`zI3+iTzd+AVT9!rS&pah^{>b~
z`y`e@RI<5K!m;anJW`tvizFCEGmf_HS~iM3wV1#X$TDP8+&47cdA^&BkYDfi`&O-^
z&eodFfhX#_+h4?y^?6|t2fHK>@3o^{BV@&i2S*Psx*xAG?P&x6am!ry&SO<oGCpuk
zO-6p?6xmU5bp-q+^S2_SIJ_n!y9E9vBO^~F|8<9AJ@M$T>!T&m!vb|GN$?7#)dO8;
zUDbP%rbs)%M`lP9b3u1I2j~SdX?IC*X=m>Ih|}H9*4|0dU54xM4M}hf-G*^-9=_si
zBg3VudY|(q($Sn#Oi)Nrh)b51lao{0(d@CL<}IbaKL`Jl;j(mgc94X@+}zv*-9!YD
zjux=15)u+HAz_%XumE^NzzJpV{K#Fv-iiC?Aiu`BW$t9^XyxE+g|z2{#(iXhba9s9
z;({jn{paU8ovj}K&rJ4Ce{TzH5C%PgT@@69{coR{yIcKVK7*e8{OoXFKc|z129s2G
zv@!<^hL$CJRr+v(f8G0^<w--MNZz+{H@DTjWo2h>?{xT$u-J8J*#G+IfBjVNe?FBE
z75V3v|9JBEm(nnZQ2!v@Pp%x^1#FR}m4^Lhu`I3Z(#0AwGI_E)w-g?@A6XcdvpuI%
z%Dbhddc;P;JzQ+K%B$)a`xQ>y7Ugt};If#A%+cFl{~Z4m6Uina9(R|U&AsHy_tz9n
zFX<5l$A{u=!~FS8#VegR#B^_~{3$1ISU57L9r*6M+;BI1xO=#g+)}J8O)YLM{Zi)s
zj?~QE2BoKDN60CtPjbrtckv$){*#3NwBSE2_)iP|(}MrB;6E++PYeFjg8wJAfdAtC
zj4sO)FaG7)mvZOqE<f~;=~Kg+;0;qlwC0JO6J;yIhY^4aCB^#u4~fu!ebI7;m2#Ed
zWF{`3;dW@p47=yt@=~MIhG#VNmf*>gZDnM2g8w2=q~@qP1E#~+;a%GL)J2O56&<mn
z&Q`YsBgfcbD9BiT^YkfBnbYUbe?}YVXmSY=f@;4y+{N_cnSgcu($d_ET1YMdDn?HE
zQLH?H#Le*U0Hx{*c{UZ*X{xnV7soRrG1k7}cO@ghqVT+&iI@<#;YgZ)2yR<J)go0{
z`y|R{I?lH+t!bto8qApX$Pw)2oO3GwQgRFGNtd-Bd@R+U^S$5L%ME2YeRKkE=VXzS
zd*D50f@A(kA64k(V^fc=5fw?(KNfdpB*UOJ@Hm*0Uf6#BS4`CwDUT3`B{u{Z$GWxi
z*~MWR*AB_?<>?8mx~lZee=Q=6y30_UFj16ly*rV*cMp0tbDU|0kmvu;*(s=FxnK7-
zdrHmL;m)QE#9NnPRtSKhb*b?yub~%P7+-&IqYp~`CoSYh&!Lrins<xs@Uz}m#w`Hz
zVtF_d-Qt60{{5OQT3mx7DebX7SV(yKS4j_!n5`&iA=K2faYrYt{>Am{H%EK?u+-Du
z-nH@l@o9WVu>BNqs!yxfXsBm1+ndE6{PXRmKOJ_*Tq)Krv~<;$@aP!Dl{L~s&$r~|
z<q1dW<^I7r`KMJ;<QNY76h{Z=>57#2rsra|5ZN5Q04YkoMgPy3wJQ4fBo`|@$`952
zpg<-x{|e=LOa6*9po1EXfdsMd=0Dc}1o2B1zFI-L-<B~*J^St3udEhd+(W?r5~%Cj
zcK`Z*`d{2zMsTuJ-=1sPO&Ih_6jF*Q9k?WK{G5VfU3>O18|^>CXEtWbLh4#Q893|2
z73Nk*d`*Fvg)08!;_pE(Pmwd*u~c7g)O!?^|3F&#DH)mp3@1CfeDt5AQGYU^Fui}_
z#jP?$p_Y%@zsEcZ#$>p@_fH)<LO!QTv6hxb;$pSXLdKH{EFgXwU*Sv?4_}V^m)vNU
zqU5O7DiExSQAI4Sb}W|wnco7o3N!?FsQ!~m1%eK{)%FIavdng^?DsV6;{TRfp;Nr_
z|KbuE`W^p3xSy|;(#I`jzK+6yPFJ~+;&^&Og>4G#;U8f9d7An*eXOVTt=}X77m;d-
z4FN@pD>ggjnA6qeGo3EuUG0^rnObtF+mO(60P*pr7+3!1nlj#3<$PQm<*gmMr8uZ#
zm4uOM%EB|(6`oJml+PB6KTUH|mkP~~7rJfw8)7UqIH``xHl;|Yg%U1c+!a+%bGE&c
z-zRx%ZD_r(u>IUHyuLQ<7KOt4sQ3}^h5EKVQmuMmdAbaM%*5hWr8|FXrzL_@y`BBt
z?i_Kn(>fBfbP%pd;Ds~tZh0jk1u~|$3vVYfqI>=PEN7Is?T7&!9TT1soyhX@p&a)}
z*fg_Q)!=Cga*Cci@)|)drGvG<kjGMmQ|IfI^n^=D`(pWhje9lt1T(@tpCWFWla>mj
z)1+^fM75g&aw_VTgQQQHF`Mb?@i7apblP!+4fHNdKwf&(<>is2r4q)|e=Ee}(~;Oy
z)9JHS8uQGg`f+?rywu>LgBbcDxfazFtXM_x*^@$y_v1@T%~Yg!Y1x9;clQkWhU1Z@
z3`fXqV8%Zd2P!GZesMU3>GLsvt@xFdG1M4I>dhESl!D(odzmfKWa_1<xf1nCDH%h;
z#2S!r`P1a8$JR7GT<nFAeZBM7E4q)*2KP)aFvP5I{I42r!0WKKujUsx6DkOY=lbaE
ztBj<?Y;qUr?41hTO_@Qs^DO*%U!61Cd)swc3mYaUfrppoJ#l@E+iEkIE6S*qQ{Bc6
z#jaBLgN+;80R`%r)@JAZTZ0mhpg&^HM>*47b5=MFC%P<<B%jg0!LrndrX4OkLGexS
zw=x*)dM7Ypf~Qz1*LGOW3wKu_a^1G0Bd=ywxF!!4NWgv10RTpeo;um4pA=*F`EU6}
zM^R22qViOXloFIXos5*V+uc3vHO|!xc#@*(l7JE5ayZr0sD-l_2^hBrcoduXVS*+^
zV)wPMT>|!7J~T=q?~C5wdRa9|o`1zbZX13{W)*&~b+N9R^x)P84xo8h{Oomdn~R60
z`?Spi`c#a#@M=E)Kzy(BunMN6uQtq6e?}CK0tC*;2iC-;Vz*Z9Z-LddN5i<}uSUn~
z(_N@Yh>zi)^{HqVmvJjWX5qyDY;zaN-ct7PK)R*jrm76$j7{R4QsyK50C41#lVhhA
zOXGhD6!ppL7lq>EV><HJJ(jsrW@Obd91E$^-EB(7=P9G<r>ClhX0UNzE~l?M&O6oe
z4EYpG_{>T{jEDtzDwVtZ^4Cs{-%~ics=v4Y<hbnpp!K|Js{ofLtcHt}GLzL2Cl<a&
zfqUm)C_K?(Pk@&Wlofwm?4PO0Hn<lE>(rT9teD(x?(_9(xatZqd=X;!QaHQN-wZbv
zpj7H~O8*=mgM+uK<}M+a@c~isW#O=w?>W|+cO@btQa_33Vu4FCPr0_*ZPCz{{v-C$
zU~6+9<PVJA0_NxYSMFb6gLYwLRcjTf3?B1g?{v~C-5%w*Y(cOCOabmp_Hn-_S)b*>
z#^>8q?Ia?_8wrZ-p7Cj0GU@rua}VP>V}V6S!&!jP5T$Ir{uY`e<fo}07%84<*O{}U
zU#eLjGSE$m;Gb1`+PXeOvv;oJEIP#xg&l7dp<GiEsw?#VQDC@hz;g<0^*Qj)w6~_&
z*#6$?Q+WY2Y&=8iO9t1s%j&J(%Qh;ELyetI2|g?~%l*{O4-$ioaTA{YBB5ebHAq}S
z$yqu`ovU5}yZP$5^6&Lf$THX0h-&T!%#}#+YA{uPpQxBCNzg<+Mgz0E5b~@om^h|k
z%@rxWq?YwsYR`~O?&{oTeS9G>Y)`9rfKQb0+Wpxt)+RndbCJ%x$<b9#9|$ROIySUw
zpLFA>5ku+>uJl0vUiTun@;Rd@2F!v14n4QsK^yc8B`4Z<p!_DdbkNwd<jW30#*G89
zR@S{d+;;8=`CZukgV6a7hG8;@L5DIued#`P-P{~DZj1=LGqo>6A@abT4T>uv?yMfC
z3$!VZiQn~D?%bU#QGCK=Lm<MCRg4smnRH(m;}R~|Cu61#bUi--6LTG7wCi<9T1tqt
z%PDN9e!)g3d6K-2+)i<V<8(8=+Ep6&iZ5THe$!kUfwPmA!LX^ddNX%A?Ou)a;p6gD
ze-b=}%{E*_byk;43v5^;v)jjTKE-GIGf0+emFdIw62;no^H33*XuX#0%r9}hOrfOp
zAoOGQHh*$#gUHJT>^nct?%wS$7jYHt;xDqbMBO86JDt{a<wj;>ZWMoaD>`n7<cY)#
z&*Fut7DnD}yLlE_ZD39K2UtnLv(K=yfJTW&0Z+~s)0F;p4VKkLXUbY9H1;J~Wy4Zu
zw7b<*ayJl}l*Ez3!RN?{xssA+OL(_#r$B1WbuLfjwI#uIO^$E{<Fn6D{VOi?({#sw
zT=7ejg@o`6(6{h;*SRadHqcC=mNJtvwmvk{825Ry<UB3oWXx5(Mf*DmdA(%zFXy~C
zx}5+zIz5FEcT#2qccz`Uc7mzaJ{mW7Bl4qAQ3PPysHa7>J`@E78L~s8dU0|lZXWUH
z_|0!gexc}iPgYW+5f2#XNpK1|)wdTcs|oGvLwq&YCStKH-A-C&OK|g%^`YlOq4tP^
zIb(!Mc1LZkT2iNN{!nJ+h3__-YT}H<03fF6f85Wg6$<(-vBrYr;vDOE%GLniTki)K
zwRhdue3*J>Yecn;J(hUxk45Bfig9@Y?NoQ}8Gj}A3<aVYc3&CMk=FJ_@13~KESr@Z
z;<w2uE-}CUApYgu#P4O73M{XeMP}{TkL?X==!qyk3690;(523{6!9K>RlcCblD-aq
zaJ*UTtPx#Ze<QQAYOCQ^W|T5jG{al0N+VNKjDM~TV5e~dh1ZW<Gx2+Fznt^q%(IR!
zaEd}D9`;eaBaJpsL<_Qd6?<c5Dn9-)$VrLQ(%DN7?T!z5<gh5r`O_g%;*1gd=Ru&L
zEH_9KZ`8k)TANS9eybbu9i|09`4Bgr1zgadY!&iFhs~EHjk9G_4JOT%Fix_=6XJXm
zqD#kfb_h9dXEDHp=3>VqEK89d_F7fPZFyM2Kc`*l{ixq!jHsYAFD<H)8tVWEGaLK#
zDPqR{6+HwNVDMn-y%`pxl!NdKiuwnC;7%s&i?_y5yYI;{e&3cLcC4*86MeXQJL^}e
zg92=VQfHQufwl!yAp#b#@W^<5xP~rwfXyTj*kUE-YOJ)(W<GD;Rkq#Lp>&s}xf~VS
zc^@I<=2+o+X-!l4W;WV!jdb%cYUB*>Im9byf7+^}1lYdTi8<fU(I&Hlp0jFtL8Ay}
zBZ>Nm7wC$J^xBSk_i&dVi`V=rNe;VRJD%bx5`}AZA*nNGYBW5&FeBUhSvFJ=mm@bX
zrFbyp-_ozp!;br}Z{d6zb=sj=BV5Ti&v#O=*}?hUPkQRwpe<lUT)YvfpG8mpb=fB{
zRJKl`!l!uJR#u_H1;kSO7un1??CP{M6vQo-lVR!v#A;nOmwq9K>1^Hl#JN!^#Og|h
z(kA6vOGPNTheertI2pQ-85ov9edOpNkb_7h9$S0{9ZsU2^d4OLOtIZjO1UoUqcHXS
zfJ#Hg?V60Zx}9NM=54^v63yiqcJEH787~{B<t^1Hx!0DfF5NBBsHo{4zoZwt9yIPN
zq3i3ojf+(Ms=$O5GJ=_6^z9OV&ZI~gkL^=6cR87~YjTy_AfI!jlnTuB2Ka&S!Z6ME
zl_Oj3o0<o)fL@G4c*PCe=g;+;45^)Q9KgGxt9&tVd|EU?@p|<lV_OVa!ymw9f${-t
z!?rgs9?A&+MWJYf=Sk$#%6VMz3x$e_dbS`F3PSIs)Dl9@X8pE2!K>ihyKR{On|Hw8
zX*si;F_Wzf6j?Z{+S+`iq6>0#{U+;DX{WufIBv8`_^mg%#aIy5A;kK(lZ>7^6FIm(
zP#fha|7UgsW=KKy2)4n972qM9e#zzPvh?<SSqWh(9Zi5O8Yim(0=QrDF<EDmFo<p{
z*Y^!((D;GmxnR^uB};1A?M+cFRDN33LA&KwT!2xlJ5<&xHd<-VH~9(lrjy5`5rf6s
ztCZUy#ZpOaj|=_EhFzpyvJ*d7^<^Zrwk2rpwS*^<J8$z|Yur6isx=(_&J%|)-`0Vc
z$DX?i2;69D!?E5D4RQ~GYHPrKb0)x(+Om|^pF9}`-0ur&DvGV?sGcjN8wvWjg}mBx
zz*hZcVrxe(iFnZUWxkZ$qj_j~kU?B4V4O|DGn-AV-A?#(=RFQQW|dDZxNy^v(y-I1
z)r_f0Dr~BQC);)}?CDCf3J9=`RUt2HQi=W2Aw1}+prx@z_dGAdM_}d$>~qc<wOa?F
z>vaeFzBZpq^w<Gk;mZqaPES*t@Py>W;*oUb;uhdxP;9QQ52cROuzA^36o$<eNk^f!
ziT5#2?;$4=Oi8u-(Us3mBmj-MiRM4|3q|9YSk<yssTha0^1?_l`l)FMgL%1>O6=Cb
z$Ew<cQ~e&TGp<%F(Fs+S(etyoX)c;yh?U;qctC%`Py8Eg)$e#Bhg29FU$#_Tel0fI
zn>BkbVS2N1N(E3*SM|tQk93q#Fk~PosIO#KNvdXNx<r8RjU$`TD_Qs|%xqTl!*xS;
zl!rYt8q3u0nJy+H&eF?zCg9bHiq?<ywPV8(onu$p+r<eSN=U-Bfr$l7Zf@s~Yh8m3
z7%hpdh}xYPk+rOiqE5o)JPn(o!N5x2P{N{k4-XxHM&nn&F9_e7o|F7Z;LArkZFnl<
zwu7I%ab<a%$&)C)?QM;(KW8bS=Sxu1kI=ha2BcK+Nr9#ozdp@0_W0{UMhZKR;L0aL
zuuYe6`43NVH+%#P-;ts1X(Js6n|D9z{FD<ckdv49Uh{h7Zh#re7g4mP@ApMh#stOm
zkzbc2GajMa*-S{5E^@)CGby}T8j~j~n4{wL0Sb%jpj##uexgxGU1Q<Y?%Jgu`i!#2
zL#QN~^PEzI$kJBv^G$c>x`jjte=fTlU~F2rfj*;81Jd%Gx$w6ESUbb2nl1BEyv(R|
zw}amai?YBswBa}I@=%!`JA^5>LZ58l@i<Wqw~Ft?CB#dWviRF@G?nG$k{aHPg24A-
z<!uzHh6l)!6XY)RAmm@*eut`PN}9dJ8XvxNZ1E1u@%d_N1J~Hh%}o|Lr58Ou_r4hp
zi`HvTgcM2zgpIRNeLFri7Yt`U@|w@rXlbq_Y2jP>vEevgwznObRH*rFjd_4wmP3mJ
zYMmZydiE3Pasjp&toF00=FO7rA7$`Tu@{F)6}%wGH!fw9P4FDT*V>uc@$~@{UDQ?b
zpj=%~Mx)CW;R0J4@R5|XzB{dm$wK1JT1947uLe47uEgrP%;qMbvyuZ$z1?ubc!xLA
zo16BEmt1UojL4=3`|k0C=otR~it~G2U-`#1Ja&fdk1wWlc?rRi^M%)H<2cOqeI)kV
z-JpOa5&<#*9wHWhyU8vTwVgJNA!^y@DXVulPS`Pd8GPh4BAQcNJh)gGm8rwj%H6l!
zO{M0eOAna-*uTAhPn32X*j5030wkH{s0uf(VoaF5TwkEdXMfa7rxAO(`lz}QjKlC0
z?KCk!&L~n;kGXCoIz~28=Ru4>pY>ayJa;bxV!Xqs{!BPly``DV$jy^{iGcO4517-f
zf{7#2L#LlncG{z?KV|BZbEvmsQF634>qXpcrxYrZ<KlM}_cFIH3vVEl#0I^LoJ!u>
z=?z=$U78uy)j#q>On7Zzfsn`IZM9ePK>=`I56Ywbj&`U25TczXT?@TiBkB{H-I`LN
z9q+j7j~~=Z5SJb656pCD?Q|Yd?<HB6+l-9_e%vl3+RN1Id30vfZSV!K+7{(4^?pU`
z6dZ-pjq8Gk5NViY?3I-vncZuk|K4`(ZhG@*AD17hFcAM&Lnoo!zd4%@NTCf3I8cj5
z<cBdz;u`sOvk798FS$8Vtt8Il3rA?^L>$6*%tldBS#SuL=?y^<!q;!n{d#*RqZAKp
z3WyxhR>%PDijsZlkQO5zeVu1sc4m0H^;Nb<B-Vvb3h{>3<zW%En$jL#o7Z<xTT3?A
zWH10*Yeo{MA_2iXw3d_(7{=4F0#r4)6OKLe>z&H5rS5cH1_z$~+D({j#xzdx*qUR+
z+Cklqt~dr+YhlS?z^p)~<+)leqT$bkw!tNbevf+~6Q`mm2RHX!>TDFmd*TxK`%|=g
z!X!&}J}1^7n4Y;`u&H~l7+hHOxVcSguDK>u_QdM&s|rNf)?Y6+&(tLG?!3uFv<$6&
zI)WAx33`0tuVdCUlMH7O3`HOc;I8lW5=z&`$jV$6Mke3}_t&>y#5dHy2J}=Cx94+G
z{iWv!OLI<wo<o5Q4=#)hRxadh?!tC`2X~LQx;vOpBnTQL5Q4O%6`{ZyvVb*Z*7qP}
z%V8t$RJRFw!jN8gAvw4n$DSEls2f;W8R=?0eT@`+BAkmVm3}0li})0`8&d06>Mb*@
zgstlr(D^Ep=C<=CUkM!-d!+ER5r+j{X8u-9yVfu<=OP-4^d2)Jm0x>EWv#B*d`LcS
z)M1<TX=k#m`EE!W#xwkBm!eJ+M+Xx&Hp<Pb{ZZj&A!E~BtDR@(^S6j%`z3`<H3K<n
zAO~5sM|rO#uCjz5giv7Vjg<BzA}5Y>q<F6?H1y>{0bj~h?D<c+O#AQ!nSfDM-$$KJ
zsrnX+6V<T?PVD%vpke_Z3=2Fa9r$z{_9ipps3$R>s07z?^Ou*ne?P_M>iZ>go@Wi|
zuDzww@fypQsa)4|RDcX8JoL@39m##fpMQ`V&}-T`c>U$D(n{dDrm}%Sdpi#gooA@+
z_y;R)Uk|H4A|TV+{C&pkF!|B;Ox{PtfWE>maVqwrlf?s<tK?oF*?9(y)x}><nE@#z
z<f5wS(erYcSDl?Utupl?uPD;y@$OpQv5xI;FXa(SUo%R!SDo)Ft+E`(_!w9~7G?TM
z3s=ub41RrR9F=6+9Q6|UBgry9m~$#=eG+G%M3NcSjd+GCF;ax(VI~glia{&+EWnwl
z6VvkQ(0(OeMCT15lc&bm=Y*+fD}#yITz-UVxfjR7Ho5A15ki+NXr`;iGX_&TZ7l5C
zxAhWBY-QppT28T=Kbhv#-DhL&WxYil0wFfz1A8ZawiC0#vX%{|mg9te|0F>VxfCAX
z{@vw<W4`kbg^<%9-p7cDe}D{f##7*+(hl9adB{EHQ>+4cvZ+6OuL7fZ_6pSqNNJq8
zDvGH`mU=eBTbu1#c2b7d2R4jGRW0y^Bc?jK+URzFs@9}ks&9Wx%Im=wKRuWth_jv7
z)(FbFYLkSyuuwD7;GZw%G`;=p<5gb?X(yx8>RARt$d`Hj6v1MUcrSpEzR`z@2)RcT
z+RB{js-7Z!Mr}_kSdZb-n9hpOfh^Uy>TXUmTN0Zfy_~^>K;<^35XPyW?QN>Fr8{co
zVGnW^q@O;sR9V}PI*WvZwVe6+pywBB@l){bxHZ@VPj$2N$jNaQ(tv=0tI7V;*+ot&
z(U>N_*b1^*b5g<K+}1Ro9rXj7@BCy3C0Z|SzpyQiA^IF;ZwStuK$Poq>u2!wWyEi&
ziWUl{%$?bt3++v9&HAD*A(q{|39vYVF1ejV+}#nA9^AiQv@c`HbjQ?2;B|f@a1Qx&
zG(v*L8!-KTYDqR6V)3Gpb+6M2_P2zxvB~rwh3-(S{g_W}Xt*Tl=-S&EQG%+JBu#t|
z^{*cA+&#@fkcU|HS$^<<)j&h+8`q&VraL}a)6-au_?9WwYY<PXGxdB_UA0y9a>{J&
zj%N~W#EcQYj;89jFPJC$7xguy1H{WbMc@eR<f*%rWoi3&`2r3k&0jkYJW^ItCkpY6
zP2V_HVp+RVKzBX9s_Adzg$Ttiy4%?&oV9F3=ke|PNRtF*y&@kq_M)V&2c3y-vSoMq
zyr@#N&DVIciQQ@o21!&C$Z?1tjn_Ji668(ErySDk){qz2@uO69!62UkV%?fjO>u%;
zKw63CjCM0=dZ+QaCqD`JHsy@13XSS@5^0Ds4s?>w0><#q`%IO}Vq<C#Qk%6-GfcFp
z%fKXkqrKr~itxGZWn6bdWbE|Akc$pcRlN7bX?vy^6f_5d(uVaJhosbW#6s8`+-=0Q
zN{3a7`jO|Kq2PN5-w*L%B`O^<5`fdX8C9P>#w)KBofa`7!OK73D%R<U`7FKTDuWt9
zrh6|IrgA!##CsE3hx~@*Nmdz+*QPc;W%uW+_zPIzgYBDnXZiHA->{@9N%9C8z_O(S
z7|y3e4M=SZfxNhfBf)s}wDq|X+v@UCEqkpiZ<g0_u5^E-LaC2r3bWbFuElGthpSLQ
zr`c|*;=Jxx-1e*1xME%DVxNLos^is%;jYbCmlj1)D#hm!AHV3TdU$-20gk8}$#%^%
zG?n=gS+qZiDDz#j$H@f+4NK9D)IIKPvMF|o1`cXf>GAcR^Hp0v<Fy-<j!KG%1bgNp
zKJO?W*rxU)-n-&2kXanbh}^R_cv6Ssh^Ys`!4B(lZ+qBw`(ZRsTSZkSm1nMxRm*F8
zpLq`i3}zwNTADIqP789)9jlaUd7+0?v_4Kf+nwUXbx6=i4NmnHzI4B{`g1*VQx3u9
z_CzZ~kFb2=>VOA!JciY=h1MF`XoG*>ZE1(y$ognbzDP4!S&6wYNjt<aSaSQ`aqK{u
z*V$)!u!;<jb6n!X#=2~^0ROW}5=@i1HZ1P?H{W<;GPg5c*M!UmuBS%2+UUntdF2x;
zLS2q0C>O<hRuoGu{ph5ftkggrYt`5H%$p@$H<(ylw)Z@ee(rVob|S}3ql%_-D?-Es
zM4!=npcp2iC;hV)_V7$SGh5^QZhzLPvz)nnhF&rO!a9}BJ=%U25pxgyGOf}=s_qow
z<We6L><-jx)i%x>DZ_*C&OH(o)4Z=!`+!qxW9IMO{}pbe_+lZUGpur<ux;Z`m_+1e
z$^zzom8nEe6aSvv^kmH_BPga^N#w1S9Pu`Vyliw0%{2|`q~1aGP{M}kN#$?oNzO-n
zn2F$dHM4lzI;Zq-lK8olgL{80HxtWyhPBfINbag$QZ-Sc^uc7r5u=4$4iY+Fy%9-A
zQcqf{b5d0!l$i&m4a<WCd_U*q<~ms=6ZEp<4q7VDhD_9EsCql^J5sDUrs|jv_lMd)
z<p8u0$^<5%z$E0S&!0~_84xfvia#5JS{ICT>u3Tso0V^4W!cwacOHgIeYrO%VCMMU
z-1hDtLTP`Mv7oU@?gHm(Z9W7yePUGfNis|ZLCVdY2_h+ZxxJyA#S#->w?)_6I9QVN
z)$Q~TRNC^Of?Txq#<yr`#p1<`ua|1G=^+08vszxINh9r<D>Jh%8`_i<A!6jTu}~h_
zQ<&>(CFfHSlmAI6O7q*oyJ}ZHkHI%JEN8tk?}?Wc+@;q|d}@oO94}k{N&!6mP=@;z
z$i<yC+82e)pmOyW$H7#NC<h%>0g|@?CMdJrIue3}hm7tU;}0p4=uLh!$LV6y-`_Rp
zn;kLQJEcXtX`_C*2`}C(Y4};^+$~q!%5&15`;6t2jU;zT-^JvW^&!XWqHa9#HewSK
z6ZqW{cJj5>9(L7jfN)R5$<|HmC{{;``BGBC--r&hg!A7aC_UESj~Q5U1yyLXX;Rmg
z;*08XPyb+yl$D?2N_pYswy=%rClE-P98tXbD~9e-<IJYi)~@?zjQe=Z2yVo1oD5J$
z%7w)-+yK6)?v0x}y(+1iK%`fbgX5pjQ_F^kJA%?`aJJ3dk6O9pkHu24lG^DCJOc0K
zTYB)xnZ+}5MMDG_7nyJ0s^~TK(VOUVWc>bc+d-OX=9=skaVM#L*A|{g9qn|Mrbf4n
z&j=s)iM?A;#<LUDzG9Rbb0LG7a~<RX#kgPhgwi{6hh3?x_ShJ|E=+VxxHO16;fKm6
zR=ylRmSkJjkR>sv0dn2S)n7F(jeWbL?lyFawuxUK#_~sfwfl47@MXn3Gs6pTUzwl-
z9j{@NR*vL!ELMA;-gjs&W^+w<$!l-DNe(6{f}B2Ld6?79d-^oK_XvbNSNyAZ8!d{A
zbvwDwpJBZnb6PYe)%U$0l1Fl5$j@Yq7z-B<&77@y@VQz#YmzMxH2)-vC%vxmVQSi{
zc)#>c1BEJ&H|1w(n;kel`IQBE%s(@WK{8vu&$795Z%hSLKy<z}eQl?@ZgcSV2&Adz
zEJ9PR{e;AQs9JX(s{6I9&JCUEzQGgcp&#xq;&z~7_Pmd};Nt7_j*S3m;!bZZOk+}|
zQH)%GW@rbm;AOlD%LJu5O)8Y$Gn7}N@DJey|98fSyD*k!s2~9csVVI#H8v`+Ic>ef
z1qY$T=tQK1)1S@fUVFVWgJ-O!m$RETcA6YGc=MmZ?0jH9-*KFrg?jQwHs-=Du_qFy
z8*7xkya7fX-NBh9d!*(Gl-9<?(F}H$_0KJWQ7D(L!!lk7z*U#MV{;cE8lIrca_M`t
z)=>e!N@rWN2;cF#>58*`(Gste*ldfn+8NU&pP`v_ksYDmFMK}Q+raGfA(3a(bvh4$
zpr6K`zsAwjcou_|p!`#PQW|no&=S<TH<9%9f(j6`Y_16L39d}tBgc*#3nF<f=0An$
zs2M-_Zj#<zNYtipe)^DwHA|W8E^9%_iJS2zWx2T`5gFwt!qZowG(oW;{j}kt-R^<%
zL>?OmJ>+?S4Rsk8o25A9es0xDiFd2bAMkHKie@f2&V}sNuC8E7cSD`X&_xtx_`-|n
z!&a25RDVv5qK@8WjrE;EspU3fi%G_EeEqbbcS?Byv~rN4oxrHSTY!Y#$iE3`ky#>+
za&9zhM`2VzC(?1-x*>|%eh<hOd@ov2(L3~F?8aR_q0o%-cL+s=NK&Lp%z=HYMH%Wq
z=ow0trLx}JmuaFeu9ef^IRr6hE`pF+V>Rn8L=t|^`+MOPB|gs6@~a-VMRYD-*?$x7
z<L0_+f#?dOc*x@3zr$?sw8{#-Z8k+>gWF<e&NMal50*sMH64Urrz7sKByAnkF6}00
z6RUIjy3*)dih()`MS)UzL+m*aO@aw!nP-#Z)Dyfmn+8`$hrGj<iaQ2l*6-Ir>A7SI
zM{NYNuX6f4Ub_yy?sHFvTZ91G;Iy+v?7egwTtTPXwZVb3i48Sh4(63e(t%9s;QAp_
zO7e3i_V(*1nL_&C_6V)>MQ1_D6}Kh=%1rw$O*Ya~;!$!VGG!zY*!&$JS{W~^c=?fX
zN+N@ADOsG#1BT1y8jL~&WizU=66p(e6l(*lI@w!J85oZ~W2ETe%FlxeGk%M%Lk2Pl
zv+v{)rgOZ^R&vi!bu$|ox8J}WmvDDn%h?_W-E;h83ZW1m`I;U-tiVLVuhmn^sqshS
zrUla{ufDID0Su8Jxd;<wq%#9Oe?sEotSc{{{Y_lC7knlUdMOYqt#k##*5fgF(%nHe
z_?1{YJ~$%M8_`)Qc>eWKh@?~y3ly(p7fWFZS8HucwiLTnRswat6&{#5g(iDLF3Llw
zA*_2*Oc&bjhpImnic@q~Z_H#<d5VbYd>WbFf9#Y(F9r3PiBLE3^Jnw=sIp^+O9ahd
zA0#XT&p`96Wax}F($h|EZ~KbgTay<?QmLn)3_#jYR;~9n+CwrtgF3sMO^ZYm0)mGH
zPbfmw#J18Zp(NBYQY2f#Lr>ZNIm~0wiEesooF$v8E|X$y_1ze#bx!RH1d{S}uq3cJ
zG>{L`;)WN8jYv)>>jUE={G{>?FXKMxQCW%IumC+o-srteVVxX-boNYFF$?J#hC9<F
zH{yohFt5+mT`Fmd327B|!eTtO@vz+^M-3QJyfY^FJtT1hr+FJmQS5{oXCWw)sSP*2
zPFXk*${<%^=lxP~<*r%oVv9@|zQ>6BzFv_?1!CpqgS=tna0?~G4dcsDC3akF?kA%j
za$1<a>(&t=UR9^@^xAY!5sQUdR<dY^$}7Wgw|XAFf6UM3yuF2}`J*iN%v}4FznJ@X
z2fFT6USS4{UEgYy;XJc%h%s&qRVJej=>r~g1Y&$Phh9RCU!oP7Z?UOwGTm8}Z*Txi
zpJPp4GOHMm(1#l-3uO=6Y3QL)*m7~dbMm&_x?kSfm1VPKLV#}t<+V3@=B^(~lM-j8
zMw~f6SEL1+phppR_o+M!rII3S<D-pH!4S5_Y-&oOumpj~GSgpo{TNyIq|qn((A&ER
zrFy=`q%<BH(HrF3bc11@RQ%VtZvG)}JWM$aUpJXOSM%5EPEw$5USczGRq4I0n^#}{
zQsuo`uo?6kSVapa_h;v10qp*|<3<4FlsCeJ43q_X8e&SuH*YazYqr=UzEg48Wk*E3
zRVg}+r8oyHIGT6{OitKEt{+Z*8(oeA{gos|*Xlw*nYNdZ_diE8mK(74^soz%$HA^L
zyCDD2LrLr|6CJSSuC-sb6uDu_!4S*NLuHgPL3Zv#YG@_iZY}G-iUk&+>M!z%xkAwS
z`c>qygzXcXsVT%vqPc|o^+qzm>znX-yM>Hye`)hV6x!bqT80DE!*Nj_>VP@KE^ur4
zO_f(_Z%E#1R_#MnATQ^;x}6m1bK3Kymml76tUXL)zgm<)$m;i(u6b;YU4O#ucAFc5
zi%+0F%YzJ5`#U`k-TGW5o!XmH(3epzCo|;1(qzMP^r|`s;z43w5)3wcXs;T;MlLxy
zLbYQ^77wWe>NMvk?-jyk$Tc8<Oj@qt%3EC}L(283B9rQs_3`A>D>B=GUvGC-L^>)Z
z9R@{jpT@HsdL@U0Kpn22YbYvBSSOpbv**V)r1fb;GdH&^hd7B-=gC^Sc0H|AwZ;Rb
z$VA*~9Gl~jiNBwy0^^bHcm$TAYXyRn_Z8S<zpL2ti7E2*wj{*#jguq2wvTo?J!%-{
zfU%oXx19}IVH$k*FxrH@`bRLYPp&I|O4Ql++F=VW0Z0o@%l$WH0ekLqs*8IMk2`m&
zM+W+S;>Tj2A1fV*H;FL`((#l!9&=;wRS6G72;(S7-nW<Lr2dC8mndK0C#L{+rOsL>
zY!KmmCUNDUdhyUDuzw)IgdOgY8L`>WERYuYgVc~8e@ILkFv_LB99h92J({Eafs1GA
zykmj+8#39A2926z=sT3Fk|=W&Yo|?R^!mGFA)fDKNBZ<FYX=+xpti_W^P>|I=`{GM
zxa7A9=?_KZ2m$dB@~S|{`*%2fjdOWHasRuQTpBCx)rsI^Y~_isKv_+IIR0?NK(2h0
zw+z})q5wKJZX;zNR33-1GaL_dWiebg8Tz2lu<<cq@!Lvhuy5-`0Rl0R!AK)*|3O0)
z^2p{OU|I^FgIcm4GP!S<h(B{j4Ro>yAf_I4c1L`<Czo7V=Mq?O8ZGl4uQuln&=uW7
zQA-I!Fl>yoIqk$GI2H|5-v~sQwLLm1lE(;)ZjV>sc!Vwt>Gq-DKa<YBnr<^-f^xHJ
z3erFtz;?BvV{uT7LIssUUm4@nkI&tK*Dz&ssiOuE^+Zqz1AzAD>p;2kv$rm7oJ*CS
zCevY5gk2bsLGZdDxPhhy*m){6DeBA{^5z6WT2)mJb}@Z%Q4-RKyeg3F;EHrBZWEkN
zM6{f|MsodtsjdNSrjO8%ssj}=!dUv-*9J<3v0|Z{Jw{1=%IR8x+()07@;nPCp;iPJ
zU0&FT(T5l9N`j_5v><4+br}<!g}Qvtz;aF-TEg@nb*#L%lB1W2U3Y*Sj;B==<PxuS
z!clSM^)KQFdxGZ*QN<<8HJs|X0>}cf9nj|?e9}pXP+Vw}q5Ul;UG!WM)L^>@<YpSV
z6acL`UY;4>>tYg^@dj!=xJy9slqNw9&AN}#v6S%l68xFi!g1h=|5zUw!f1>IlH9v+
z{@RL!y7ftz=eA>!1ogZ3zT8dd{)=F+3V;%ugf|x;_Ff?GoqqC$Cc8bk;$EM*KUi(z
zP4c9<APH_li-Bi%@?7B>uh*N8^~&%1UK-=t4dQx9CfMKzyqfVIn7$quKm--IfCL>7
zKwH6>^?RBlCt*;6VFu0@KmwWI>ey`0jVXKF$g8g`{<--z8Rd~CWsGoJ--_M61vMa0
zps!<`v;pPPtIWZ85j6dWCTs1?a>H(UjbSJmsO;CH%SRfq)Fz8H@&m_B;xgBHy(@Af
z=m~=RNH<q^nd>j@i{hfTcnyOCu!gK_{hMZI<A)7isLeyzTnaj-d#B2hkPyA3(BtCx
znap8Tabt3ddD<)2UhC{}8@@`^))DS<919iymQfDFJE}P#1lMyTE{sUUj_UdsTwK=k
zz-f05fR2VLVW4#aox>eEkiSz=H8#)CP7P%clB&3lq5y~a7L!vqLmr<~bV?oBu@T&B
zU%F-rw~Z+?$}jp;#8F#e<}_yx7uY7hBR8ENpxIs6>yay@v7P;n&~H$|sVxN@ZP+~?
z{V*oKlb%b;uCjSdwR;2VbW=dFzV|}jbHNo*rJG1)_D$7ASnaO*ojVLOSirIjKbdlX
z{Zcn68%KiP#?7^AS7y+^qB#m2m<LnOSl}^QDy=CEM>5kj)<52j(vZjjO}M1~^Y#mR
za9j2y+l&uh>W9tvCn2^TgV>sL8@=U^GV`i$(w~%Zu!D%1(<YBtxeMW5om;5X&1)?`
z_|skUS2Z&jw@}DbErq6*p}!PeKjrw~xVAwp3atiK<}&X(djc#i{GRbUJ&aC%FO0eB
z^W~XqKw|Wb%asuDMZrJ0VO04ZSkUl7l%kYL$S7yh3iO@r>Ka!Y{wqaN%TBcWtt+&k
ze;(Utrk+eRsEkS}xB(PVl!cXQ6~VAdb<wEFkej8P*TmYcH?6pZpC1<LYigP*^4@c1
zpF9#zIdiZRk6$(j0>obgabO{Gf%bnSxP?X6nG=?*^GzNHoRS$gM+ML6_wRMSuY-D=
zp_VO+a{>?67DnWe={n3(xB$3<SAMJgZKc{&(Sj7Kj#C4z9#nD1&6@d@D95CJ{T2W}
zj7mgnKvjL|yvv$m-ZN||$wBJ9AM?4$KcKLr0#JR8=qmc#3cIirlN?0I*+6%?F%Rz<
zQR1@3j+be+6T1A|q}S<guMtqtIWQMC;CH}iDas9StUDTgP=Q5wl6gRG(lmg)==`o<
zO_1Qu8f7iI+|glX&+p;L8ZS}Iu{v;~C;QqWrQ>u@O!cF*j)=~9N#Y8v(LL3kKANe~
zhl@o4xV3>9$v1#h{Fi_SX(Ha`@LSm>F9}7Purk}QoUO+@hz(rl&yKyRjmT=LV6>Sc
zdFdEiYE)hVy^Lw%u=#l?@I$|cI*+3CtvG*^JMI+gvDF_?lT%@_58Y9e1b232v8;i^
zRLrKE$^6QrbM5<G6CXECOWELF420++RJFj|R@OwwrursWhLAX*eu+leNl54+2&#HW
zJ>-)Ulcr0Rb*@0pW!<1HglhFgXK3TMcWE1baf&+v%<QPl^8FG6*CzEu75ze3PtBL{
zLaK>dkk)_=ipM16Lmu)^H|$ni7w`14X9)|sJo2GF&7|RabTQEwsmo+`K@W9VMny+T
zcW;6#0Y0LWY?Cf~YXZtYOGAd{!vfpyEv8?7Ez+E34ND1LswEpt5c7yPX}OW!f$;Dk
z%$DCgv%hz!+Ge0=6D+Yl1vfAimmy`9U2u}0oxB*p=VLLyekD)M4jOJ5bOaD&p8o@G
zFEP#D`VcsacaXHoIKH`s8~aNp;o#B4M;7GF{dKO;EMA{Gz;k<ExH|2d%~LWioyMx(
z!B7YGXWRgJHhahBWq*_I9OdecySbT<KtY>gklR^u)OL|sHaPj<el2vNMnfAHMsIQX
zahMCv(P5LA7%#6Oo$dB9AFL`T8i?)xG~0l|6ECA5z0fORr#xq}h*8W6WjXpVS{`vv
zQP9-GPQw2q%eE{CQfY@rd=frzDrsOB_Q{CQ;ik3IC);8Y3i*Hgu2;gUa!%om<%9!V
zKMt<d3zf;IPQY#IWH?x;E>n$!CRlHmWt4}brMmW>`0sq=2PD!h29ESsB%1y=3!PQK
zX$$I6=8{u*oj^kGTZ&cT2d<u{J8fnPm7+7sYbvEvmlR55h?fcKv*#;)XAj-iKaa@3
z$bV_!5%Sd3Zu+B|g+Cm`W{Yp3%O71by_c<e73+Gzb|Rpn=ZDQQv4}#I`1Ug9u0xFT
z8#44Z0KDebf%k_Z2{uMidTBY;Uw>}VIGerGTBPL^<?6H?R?Hn#DAP5%btnh3NS9Q5
z5`^v4T}RI<le{*!&$fC%txGl_+kh#;;HrL!B*-OYY3~*t@3i*c9Mb@CL@I#bi1Dl@
zj0Z@xb|Am>_0c8lYi`X>_LD1?YKsJlWWTpOY}?TSOiC4!{(XQ3xH{6J*Axo}9Cb5Y
zs}%)tQZPME!kFuW?BN7`;y_auzt3%uPc@su`Zix7_@$L<WUoD6DEDw^;rc&Y*AuzP
z>y9si(Ca=EV?DbUw#_HjU=L35g+83`_WRV{ijZe4Q==^nLJxf&Fjb}m<LrgI^UP-@
zMCCl_y32GQk^Ua`J&;N5?IkuSdWLA1cn8gQUeT#j$45Z3vcdjdSI>3!>@-(@xK29i
zflcuz3)Fxm2+_K6W18kM!#+72)#X^$;qp8-BSkV-IhhhShgYA68~<GP97r1;=90<w
z&H_h?ICDM%Qt*42(gi}S0rRvK%frs62rnv^X;HWajC6?iGO!aGQFN{_cEa!uk}=W4
z3+Y2Yvwd%EuT5A{8$q19mfGxWtFd?LIcy{Ru|Rdyu`+v}h?qiU191GnZU$h9wl?V9
zF-K;if5|f2nJrNATVJR_P`LX<7f&Gu;<oxqsa&tJBd>>FOw;uo@X_7I1T7TLr$<ws
zP{WAzgFa~8WNiHpsptg?Wq}V>j~8WGWX^gNuEgGcT9rl%JpcJP(O(BO<=M$42ABE+
zuW8)R*4dNDTida7Htl<yRq#-$Drezd^1#Y{j%0pzs=JsCefpqqKhnBu2!7H$_Yhgn
z2Kl=gg&grVQb1e3xQw}cK0EQ{p*^|;&^2lcN<17AO7|vO<38cKaN33zvz`G5@|#sy
zE+GcrY|%ZrkgI@TK>|q%_)^K?mba3i{9I5oBXo0X>B&SUrr%gld)f1BRD_cu4@`;a
zY><wLN9IQsJKXS6fnl;up;W$YrB)%;JOsk`K=+k+$$M~4>TeLPB~NN9TdePCM0Q|m
z)$2BA80$Sz^E3S%A>?XO-!4ZXsl*>6bE?m*K4>?ndeq-j$9{V9N}U1LHO+;wj;D7&
z-Y+3n4fi(lvaV;b+Buq7#=V5UF6l@WL7e$Njyo8epf#4W<W^QX&qW3be=0bABvq<2
zRxH6Z!r8n0Y6}-FA}EUld7c&?i(5(=4V&%GOCEmklS%P0019<cfMD+{YmNa9sZdW|
zer$dZ{^dvJgGs_0y0Fx&6C66J`EW#yd#EOoTYY;z`+FbVGmwxtRgc_Dw}zdWYdniG
za<yHasLXxy24mJ~UH2L^eWd0Msjppef0G@TpP|%kv%9T4I6!0DbKwb$Xp?}4NS2WU
zwKI$u+~k%wrlC|yFh<rq_;fC3Fo1DVyhz*xy&6{ifQMlsG89uD-xa4zHK$fe?BxLU
zx$iM1kg7=vzE16`cqO{hkyBMO$8fo{eMLG`jG1cAIwKU5@tpkyy5qBfK7B>J$b9<P
zyGfo+`e`r22>d(w5}BKBAr{wrzd*>V2kjkOcueVOl_vEG7B`N4Za1mCi(JQ%LO+x)
z%LR9-%EYJbi4B+g3doS`-R7O*pvV_RJrqJ5OdESQfTD`J#BM0KqyhJzYj9Hzi)*V+
zQsQ7*WRRPUa@%~69fxsu%hu73Axia1W%*`_K$=_%SsqVha1e;XXeY0{>-Afl9cWp`
zFLGLR6_yO&!Eme#NaHT$7SWuHR530WMC?oHYTF&q#irR1=tF|?>c8`IaU=CoyQk5y
z53)!V^j~dfJ|m=JM)=|lZEL9_h{rbcm<DqH|Dqy59W+uUX!2+?Z6K8Ke31~}VVo?C
zekA5tIN0v8qGZaNwGz(t5;OT;rw(1->xX6S^E#T+h*)vU)5%Y=rs>LXi0MdAj+;g_
zHbAWxkp=)R9Ql=@cuW#4-F&$w`aZn;mEq*qrR{<3=Ji%L@2@h$=bf*iizq`T$c+lU
z-#jn$-9e5Hx;4^V$q)gj>K;sv|ER6*I0!Z{<AhNedc0}h(j&+(PYv}B>@2aW?q*5s
zf2}mM{vi=ehVF*WFp)fM{{lXbzVRD8bDVgO!5_U!PvtQb0iTC-6&YjZFiREH&Ata|
zpVbDt$IqDJ;k=GlFWlYtk?P^{0<9|b{>rGhY7OGRM5p0uWYuMKvsP%Tr!MuZD%G?l
zNORl)8;V;h%00!|mQ`ixU2dR|)55;)x|`wxtRb%hQ=H_>?70-hGvAy_MdHnA#)H3K
zNXFGZ$_VZy(2t&wX+W2kXWY>9mbl3;svhjJ3c`Z-xfx$Z3+_-n{^Fp2Ufq%M(2F?_
zEJn{t7Q4t1^5(;{5jBDvNn>-kNb!-=0w9Teg?z-oHwq*Xf{mN<8_Ep!UW2rY^!AFt
zd5LJ;Sw#WOb>Fr{t8eMy!4b$g5We*^*vv&(KaYt^{%Y5bw^v%F9TA4qN&?D(Ovuh%
zJVI{BTpx8A<Z8~I8uq!Fe#1b=NMWaN3Cts>;_JC`Q>A+|LX)W`Y26>c8*!nx=g2m}
zFyLMcUs`9y1+U>Ab2e)?m!4WFy1aV%c$ZbR5t`6cM&5wTEw_$q7P05>Be0*nwWHiX
zokHdJpk&G`N^mSHr0Jcsc@|y|6?#QecE!+z6TN+W@9Hz>R)ln@Ehf^(bGoa6T8(*^
zu?ZX*n<<;(#0h7-64ySflSayLE70`aJi}h!SbBKipWj^4r+EukArBw^jACTAxA_VQ
z1rZ$m*ALybeMdokP2ly2!F#`iX#1k)8y{CkYkiI{f^JasB}&H>go-j_-(Wx$&Q-cX
z%(jB%xkyC`jzc!S*Ed|?WrRpw0PYdr#~<^cV7_J&-RN@WLOpv{7^ciI%c%q<D9ps_
zy`^{hrb1A(gBl>~Kl;$=XhFra8<gd<Y;98$bQb9B{V<wZ6p}ok<UiA%x+glac=#g(
z#SY&4IUnuCn!R>o)6=!PA9?H;(!a>+DVmkX33cXTQb%j7u^DHCqtk}cyodMDFAfuv
zE#Pp4R75RwCO!6#oNLwPZhFkmP!>bC)EPO2m{^akqz&t`AbGIoy-Jw)B--9}JSt^7
zivng*P%$BOZu09<)EuVXIp{~>CVlE$ktt0q?7nTSCix7Z!ctwY`QTe{;Lc&>EeS%1
z-dy&NQc$hM_?q3PyHO~VVP?CWYv2~*0c>KV31&Lq|7K3(ywCYLHnbv?&OaT&;f+1-
z>`iLT?Xpx^RC>aCwl011nD2wD?yx*MZmHEKQKmY2J0FG#>Pg_!v`s4(U|*2K3*nw!
zpxft{4L}1Mz&2!d^G~R*v-bi|%pp@c8mu~a%WN=t{yH&W;++SnD==}Gui{Hwc+Cn$
zG_x*NUSs1dWuWVe_f{Y$_qgGqz1{oNuK1xC?3QmMVz2n~sC7m@n+=0ckCbjhP+hpu
z$LNGxi96PBlUk%}D_vU5R-jr%Ex=$?nh^lU4sWXPtGuq5gBR&9=hWaCXTwC6#JJpN
zIPzJBnRlsUFTOtN)LDtXawf-qSPzRFFX_aOVG(bM%eYV}7|Tg5Yn@D$#od(}zd;R&
z>+j2s(@!csb0gF_i{`CrKbc>(LWZ*N2<a;XZ3%TAHZ=Vs<B?b85HN5eLC7eL6=@v!
z+1@H`Az70i{HB2X8+tC@{l(-uZ}+P7&wqMujcMK8=yd0^V`O%WFqbL6`edJzTQR&Z
z?SQTcgvL1>MsBq?joLPqzs=92YcsklL<)MMtFBO9U8RaS>|ZRt4`Q$z7o@;`Pm(8*
zDdaQZSC19xiDohu8;r)_>*feBpCDrWC5Cxoz;Gk`QXiwl^#_Vq1DTGLcWPOshY;7w
zmrfiUtMy1oFBQbiJqgWwXW}i5F7Lc@AsbADpJApo$*AW4eiE204FIA_@~I$SG)^vo
zPgXG!6aOI{m%+kJLD-0~(Ygzrty}iTdop&Fok3?cihS^>N#K@(sed8-f9!qrTa;bb
zwvM2Lq9`RuE8U1R3@V|5bT^`ufOLZ+<xL1mH%fQsFn}T<9nvtAbPnBo`x@`(dEbBG
zJHGEXj^T=Z?Y;JjbFFpm^XLm2Qq+2EVa=WIU$0(pby+Vdw=tJ~_Mi&1!U(>jXk&Mf
zL2EkPk=S{B-r&F#%sfsGDIrn4O%YV`b(Fh3<mHC~r8l(nhKlVnOaLdSZ6fC+tZyKO
zJ;-n_^boC6_m8-^O&C7M^XZ$zE(22rKdF9LO4hz>IgV+zEzuaa!Pz+uUYX4p7H20c
zV&fJscy%r0gR5}(!7g$hFR`1z^+f9YLWbxMr_d5xxZrAm<N0-1nu&>^WtGv5nK4ID
zWozUGy?@bwiWO8{5QLob9`BWBdD(jw9ny=}S6%$t0pNP7K0?w!@+0BBbbyMg-c?nV
z9q$165#Z23t%dbXB~J9T{R}?m5~JIF`S#d$mHa1_`W<vI9BsqKj;LEU<nPuJKuis2
zoY713jA3Oe1~}IG&;MKkCQM^`&&Xq;WO3OuY?Hcs;?q@7yvohf{$q96Hno|5r@T|G
zMZ}f(r>Oqt$_0)JG7op{0q}wjhPlTe0V#?ZxEq%mQzB4fC}R*2KNhb}cV0L+N%AwB
zeNhZNTplcKmreD|Z8{!*xIvy}^s@B_H&r9i$i{fQ)8!cr%Ii~0EmJXUW;2{Zcn>2^
z^3+JqjH5PszBM+3&J_NNN_pl*_*?aj=CcIxV2=em!arT|*@y+)m!;pbY>{jy11W#5
zL#|;8Pz%SC4vc`?LIn|*TejydA9i6cw48AdG&cni{JCD3h|rYT;!@1;LjJy7=NU1?
ze}_9v%(iI{qeAp&l0v+s?SkMBr^-|X_nqt&#hP_%v4(u76UaNKdvIC22#S&unU&NM
zcyAP<ohwGLm_WW?Bj$O?w{E(Z*S4ZPsOtvO40q_zJS<2msZqQ?>eOx7ByFN+v%A&4
zFyT8j8-e5imm&B_?eb2o7Ru0dLwMmv^b$aIl8Ccay8OH5x`sp)#8*3S41AWsrI}jK
zN;q(!GpoJSQj5BaWO=W7a0MY_YueSa?Iq6}`bg1BH)f@rR(0N@VxA7><||6Osngj5
za|^a}8O*_z=^&8z8e8&v>};SQoJCAm><tvys!LC3>?OoL?s?HZ_Y48f0>e8J%{Z=D
zWs*RL<<W0krMZ{u*0f0)T6~Tz7&m5mT!s%6oU$?pi42#*`lCX9E9#kpkG)(bYhmL~
ziXl74{E4d&KT3WSn0}o}8{Y?T(3UEFoU&j~O-|oi*$8NNl--<|x%joC4T$i(hD6Pg
zx(?PCj>N$vR*$26BRVHvcQ;Zo68X9=^N@ZHt?C|_uurWFVy#e*%NlyQ?@miqd2j~B
z|3!OV7Cjmr)&ze(NIF%0tE#7E`Yqr9s#^XRbYQNSdYm$DrQ3n6)BAM6nn_(xy*rmn
zeoc6rq$?D?(XS}jGr$oj&7tBMcFADUDHWEVHh!#;DZUy2*{8UF+;rB5&DISX9n$s)
zaJR|en_oilI!nC`HsA&u-?97V4p=jVpMU7UN6SChl9YEU_r-VArc*>sgsx=_`zE@%
zpm)b*mn}_qILF663$y3ldn@fc=8Ush$@pYd=5%5nsa#|`)O6Bo4YhlE+#Pitv>}l=
z=BxLq_TiO8JqNWju`{)A8)Snq_Jf54ot55b$yyPPGmyRnNoSnhT35~8e=Z?D;gN99
zDV$g2h^l7vs2KQy^k7p?j}r`p2O+TQ$mRW}Gvj@o=Lt<V(Stj?M>0MZFp$|TWUKnN
zIgUYk@p)CU1vY6HTs*z(&p<6bWI8owwYjlY-PXKXNK*6Bd)~;(z=cmyoxDxA!0`JX
zb(iz{*Ms~N&2gxnJwF3lY_zj4*lP?322|);sJm{IcSuf959)Ja>tg;Vf{-CC(KYi;
zi8YPneRY|wLN<o?RX;{unA5xk)%k;TJjqsP@QFfA?H{2N>;(<3c+lqixXxC_%BH~$
z^1~K=Q<^6(X<927MepsXcwREb;yO^L8B?Y`9awReEkl#ei;|)0yp^dN!_*zCVFk_=
zZEYsy#9GCTt}Ac3Ke)`dT1^dxwsX76N9akAm$zxVqVT2*_NU^WJ(Lj33?6lDqLEoJ
zEs7!3-<4b|PJt@r_jWX<nJ8f(yM7;lQSvS?41r}Tf=8WiRvV$-qqDONulu?SZf<5~
zO;LAM?Wh{AyCq@<f19aiw#r*C_>JOp6QHAfmA`+o_xE+t<}`DfpQ=gbsN*+$dQ_nt
zC7RUHLglot3@AY8w%iwzcK+nzX-V3uZ=~CS`0hT~nlJ3r93w6vaPfBCFN8DAy#(i?
z98zbru_5fBNkiGdbdcjM#0T3f8Y}Kn-&)kX#mAkIZ6_J2jGV$Z?tT7xtM}?WZocBI
zJ0MvUUoyxTvr|m__HL7Bs7>@^NZlMJqW%uR!q&%Lm3bRjivaq7VhDy`_1Fwe1f3l?
z5-)lNRy&B|-}$I}C!o`lSfcy71R_8bk$8SS+nT*EB&`Gt()`Xs$$X=6Tz$&1iZpN0
z`&aedNvtOa?d3>SlR1G+6_N=G#RUDBPNeE};?pAm70mHxiy^}go#+Aal+8KgM+W)9
zn)7=YhFEmy^9n{^WAz!lS^ZF><cjNyC$;Y?nhDefhxbIMuM{3TcLU3)j~nDfU2O+d
zWH2CfZyGdHHTwwmmE58IJtGha#^n}r(30_lHAr?D*k*3=!e3XI*2kBv_Je#rrM|k@
zRV@&sdHv;VT+RA`f$sPaeXh2c|Kod&-1kijD=p5d{6~!MN&VTGT)PT>jPy|YT9ljR
zB%V!dRoqdv%p*b6an-+>we`p)!ZGQo_e$2cL-f@~U8s0ODmLuYm;a^f(F9F`f2p+)
zzi@JQi|nQ~BdEoe0ochKbzs<EaMB>nlcsyu!>77F>U`fs5*_L7(`{~IX<?dtI^%wi
zf3ZLgiII_*3j0-g&oNOJbU`vHW+Bg}dvfx<<BJ_Gw1SNcynSQZyLg0u)q0%Sppd+3
zF?@L~UX}+Q@=YPv>qx9-NR>N(sC9N!>_m={-0d#9=E5cEN-wKLYfHbzHO7j_ZEwgD
zsJeH(3LD**gEb!r5>AHT7?z;Kl6`e{-@^WwzJ0~zg)`q7kr!0W#>`~$7q4(ulTkt;
z7Ga_#co%O%#7lEbj_p8CU}n9y!`W-kl#6{RTq*kX;Z5_q$r4nJGpNRE!dsC(W#e<?
zGEm%9KCTm-s;{_#v70XZ*oizn=DKEW=yrEZ5`WtIXC&XCIWyACjbJ}@EYvVN@$<pF
zDRUPlJ5gKv=hPa=CuI(H_f2Mqa41<1ZzS&RSPlpSw0Vy#e5?+AFtvn#t6Cm#c8OK2
z&b$s3sPw7!))0xTaX>7Uk?UfvUQ8##S6O^{u00^H2p!%(=DEd7utI`axWG)Ff2(~o
z;MA)6I?tZH^dX~>rgethv`uD!=7#Czy4otoLu5qW?}fJ$TrYFFt_0sCbjJvaT-yRE
zi4dF>4pF<Y4NzlyR6O_aV=IJZK&}lRvn;Tzg|M<heEwivq7Bl|#KXZBZl&%LQJn}>
zqPP}O8J=q0uZ<q-p!F=2c9NM)(UDb7%y1>)6r28woD7b^L8Uv53G))k`N36pr0R;y
zEOMJ297tEw9AD2hPR)`<383mAI+K_6e||DId6KTaY`HMQrY`@dlH2GE#|B*_!n4#z
z)ox(m!JfIU?UHw;%JdnMr@Nf}T3V_;m;C3T!=Mmka27$UjV{ip4`I<FeV<}x?~spF
z$Z&H)y@=zP)k}|sC4)Q-(Sn4zVMQ>%X?J1UVGOBNNN;l)s3vO^x3ClKM+Sgo;HDob
zOwJC!J7$R7{K-6B!s40#BAU=L#Fs#N^QiyjoE|2o`$vGF-T;>&YJz6}t9;s~@W94i
zj?;R(UB3INmuvY&B3WBpsrsH6AKA%=<t$@MF$w(H^`E0hwmO<svN=`61C}w4?w*?J
zdsa@kZ+;b0pIhteQ!)Zm08aoSY`tO$60W4gZKFbiF-er2JdHwY1H(B%m%6%6`cPWq
ztmGKELA(6#%x%LtR6|B)+d9&$nRmnZ*X#$ft~fWPDB`Yf_f)dt1X!i-F}j|MdDZu6
zZW$5OmJzMH+XdUDv`TZSa9`X0)T(&$@_pk2z^Zcg;F^B9=o@M*-%e^YC@kQ7#0=J6
z16EUO6;)eXIgq1EJgPYtR5wRA#e*ysqABE#>9;ebpw8+s5d#r+vPfT3Azq^CkhM(A
z_VBXNq{iuP^R=i~Q)VMK!gf<EaAiiT&W!0Mc1JDtx+TvYZ*8up>e2>yPON@Ad~j|<
zlgT_q?N!$S8t3Kj7xVWin^8ydr{ebZe8B*=85}0S@s#lKmlQD1Rq*p&*R3-Z$`Jme
z_T9nki_bNCA~chADS6)|!uA>sS~Q8YS`OM)R-0XLh2l|zo4$@Uqb{mOd7v_$*#142
z&69j%!Q_7Z_I#@N@|~1ED+zMN&tAiITPnC1le_-kghFl#na&AZJnx;Y#V09Af1>Wv
z>&AKoo6PtP@Q1v=p1&-eS@}HOh^2Ljw|e(duvBQ-O$QCbyOKAvHd_v6#*CZZPq8cs
zQeI$qI=CebvZkl1!+*BXC89|qT`zX3i=T=qKUE*et>s1UNy$u}Fe{=?g!i`2Y;IEC
zauviywXIG`7we?fULFXG*UF?b*r<J57iN=6i{Hr-esQ()i$C)7mDRtEc<f5Q#rxbK
z=$0L!dk{8drd%-Cm_@NBbjkHNGVzAfP&9wKI~8}&*x;c9?X{_whSQFj6U&S0o@em1
z9mx<v%|8P73us3-)<vj)Qkg|pdNhyf^bF*xepOk28`RD8uCfsjwWQ~s?yn`qNSv_c
zjvF9%S*}5_eq#-cZ?`+61gd_>!evnEt@uHag&g*8%_{3}IdhX7bUFQ*v$>OK;J%^b
z&_DNb^7Fhai>u(piDRwE`nZ(ofwOn;^5C*u##r|hGqs*O!rm-^{$AI+LRD;B0>Z|+
z>tH+b#K9$rPTWhMP)omu^TV<-yB0ohfd-QV3r%)%g6mnatyFuZW1r@>srFyv%}NW-
z?e)J1TrNX@{vr9@m=Tm=<PTUo^!}yN{GVpZAsITwxelw&!O@`Ei%@|<iD1>3KMHn9
zQX+wk*I`+Cyo<{t0GBCn6ZADpQni(wxJPE4!|?vVy;zLa;Lq?U7`f9%wF5{t^SEmM
z$+2NivE5xwUI8&7-Yp7zttUO~2rw%V02ng#@m?6%3~~gG68TM42U6eto)xVN!PptM
zxK_E;TbuSa?EB&X*_q}W*N%tbiN>ljOa?@=Ndm9yk*|0&Dv<{=Jwwt!Umd3Is9nys
zXh|acEmjj#=7UWo^Z0^V*t=Va&)+x3<A)4w)GAy32FZq2$L~!-2RxzVQAO>OhuT91
zbR!zdbTAiT^I`T+Y4`0VWn!~BTV9Pn#%)=hA+_+xT!{>(cuE8#;Z^8~9Ftx`G9m6D
z68m(CR?a+Fs=oMy{e4*(@QgeCD1p1;g%jkB!(w@U#aT$;L3h|X#ADRp(Nu&<Sk2JM
zV!Qc6#)#z>Xl?nx3v<!;l1fZ|4oXrRHs73i&K)Rp&P$!sJ@C1u^0U?z_QQeRg%}n?
zcwI8Q?zDL4Q=60<cB^$l^oaalLA0(#g~(lN)oLgZK=YLvcaJ4|$6P3j9tT=?&*tSO
zX|=K`B2KpRo5W>}=wVH3zjyfvh<4|WTR+>mB+5tWw-v-LecQZ<eySX-U24u$t3`Ni
z-U*{pH^UutMXHX>Q{b7A1|oN?VCt!<t?rwz5-Ctd;@xwA4v_=|g2k*>O0B|(q3;>G
zwjGJ)6?IP?*z{z7Fq8BidqMkV5HvLz{)`EQd%&`Moz-zR?dd57OviU@O6S8a3?hAB
zpL$@}3>*S2(uCA*W&9!!ti*fB!DHp5J77&!PY?RsjFNCknza^@wrfD|alczVw_9JU
zLAOZCRzCAN4sN;I<aA&%W}|N1JjRdFziP<YS|Q0wp5FGomgOnEdDTQwfS7*6l64k|
zwyP6)reR%UcC~c33e9VF?s{2wutA$)Rp;*Exuxj0{uB1Lb5k94sMrw$D7a$-W&A3v
zt-xubBUEc*4Rl#CPSlaL9lI*Cx-lP;(^m=TXphCM0TJ50iQrA*r8|G9R`XX6TvkV$
zw`5gc?f9PGO0%JJb1l7ad_3)?B+1sF>2kM0ee|C~g;9K|I@a&^UZ(28N;u>uIn6%k
z5|$Mv?|`km1r^9L--pU68*yPMmJnr)J(&AqL7L0=`R+*p9iL3vlbvC6s%uBNd@#@E
z1)c=%Ysd1#)JGf#K8hclq%mTogB=vzb~tOF7+nwgNt);DYs~h~=Pb%?W9%u{UClqZ
zLKr4T8QdVH>|SSS%jOK<O+yIO>=gh&eBmVV89h984kkR8)9keS=I)ucRK1-?nvb91
z3sB$!`;yS~-jI0e^<Jny*^W5(xglw5Q*hW7CuUXSoq^WUy8$A37b(VY2|mO2*vAQ3
zgFXA1HG~EqT=lC7kD)BLeX*#jgXXIwd8`CKWHP#eYGDz0`o3`tkHeB0Rrx+J4sO8@
z!%KT_SpPD)MK{BWSgX47=c+@+17|5@39thNL2ETG-)je?MD99m`VSpT5ly3Lo^BOZ
zQ8&CBXW#Z<`dBr@ZRu<1h5*osvn%SGC@4sGx3@K$54{f6UO12dwkz4UF#z_H#(ASH
zTa>#k`Q{|)3q^sM!)c+S?Bc$)SjNHG<tBm4vXbi3M5orMsVG_w)vMFhKUSA7hXl(e
zdKcy=w|+o#D~dnx-2i)l9MAJ!qlb7kub8{=@OM#hC8@drN}4-b>WJ~1&Wyg*20Yve
z**3`BqU&?utq9<~5dL%l9JJADM$t~Y_DtQSHq5H-t&B?$)uy=O<>Z5XZ8c}=P-C>F
zGs=miEv{(ZXw~Z~dIe`|n`&pu<g6u4jYPJB-KA*G>PIZJmQjS;oyA^cKKxk6us0jt
zXKqCaT%|@4ybyHuh3@)S?|M6Zqnt`WG3uylB;+Jss?lmST`+bWDI6>yt(+P<t3(`a
zQ;)M31lr}w&XKK-<3l!~0iaOS77B2@E<!=TAOdp>S}8bD?xY*c+uirz@J#79PI@64
z2%!;wI0lTRmsyOIr5CK-atW*lKTC8^glgU4Q;c9|D0}lzz-NI>01SwaAQH*HSDQ;@
zCNlL4C=a@KnLyy<IFcc<f!8p%6}hAJ*Rn}9l4e_gUh3K0GZ-M!De@7_zfFC)PR)z-
za@|X3r<RwYLronW1b>$8GP8TymK|a23`*)q{*XWF?#D^XmHd}Ppgx5~0M#Th&q3sp
zdiRy0&PMdPQ)Axf1ulH^9tEJ_8Z4^}1gsuz;uNpvqS+(dT}&P(KerOEyK^TDP(~70
zyZL18hxjS8e{f@thiG6@mB9{?5f%W6-!VMT`o1v1Bd5R<>EnSW&Q+zsc?TNARov}O
z6K$J}+>b?iIc~4ZHedE`yKB^pRpyj4Gl56EOK$9T6J>Hg2N}$#t-@Gd$xKkDpAg@P
z4<-W-Ax65s;OldJ>U8)rYvAgVc#%UcU~tZ6<tY^N;B#_jM^P7fReczBd6j9WK9;Ec
zc4b_v8E~j@-J#$Ve79KI)IA9Tvs2GukhH)pg}jb3s6uC9@hw1NwduIY3^R%>iPf4c
zs!l4poj|=@3}GT^9Tj<@R&!1nZE)L<6Rn?+f5{F?!35V?X=x1Gx=(KXR0Lx)R|6e2
z$}dB)9xoNj+w|Z!mA(3;obYt2y{WjQ8L<%O)^ho1tjr15jt%t(mr;{CGJt*z6kQJk
zFp9KMr3nSA{yKHHz1t$T{<Rrw1M-s*s90_Xcl+TN-2<OIl$N7FqVwv&>W=?9{nl4_
z^7)=eP{qb}yo(zOY2qNXe&%K5<)78%%|iSnEa$CyzHbbBf9B!4?}1ln36J6~A+&Mc
za0YxX^HXn6o+lE5IJN%==El>b3!hTTQgiW&TNl!VbKiQ4BSB1IHknZ#*Iu3!WVz#2
zF?w*VNcj>diTvz89QO4<wVSAtYw$!90qW4o>6O-+uQBaW73MY_GmAo0**HwZEKI^}
zyjUsz1V6_S%`jVBL!B=72o|2;oY*tT<`=_>CQ#IGWiqu*C#CoGiKgdSmn(0voPTyd
zdg5z*)xZ;q$&H9$X##Q=1^ZF<S1}QrkE~KQp<;(yv2uVQ=&3x>@x>_82QBmorQAEH
zfE#`1`3Y`kguW3uPY*NCl&N63Cl?*@%ZJ^M_}#K69J%6lnYUPkQ*ja*g(nj3iHxuH
zYw1nD;ZCwH|8lznA%s%r|Mv97sUZI(|Ky<JmC^wIN%cLCT!p>U+FGa(3+S?1dkWbb
z`dc#s=<`>nBkNm~9%KISDqODT6G;+W<1sZGT<g;KbuZjJLGgzPjtn!>L0yfcspgXl
zmdaG`1^n@*j=VF}9D)n8@Q(Ee^ZvvbR9|Nl)-jcw?<`v9$((X~>0{%l@J7(P)ycF{
z^~1GE7~gFdGZ9tT=JkLWFxgUcXEYaQ_r<+<PWGSGNS=KE1eJ3kRte;m^flYP!Q@oS
zrQ-F>rG4OM+RY6O4%(AIXb>bat^Y9RtmKxUNg&Jl_zS7zg~{s6%~It~I-hJeBAaBv
zuageW14Y)XxCUWYF&_t6!$goLuT=j@oZo^-;k)qVmITc5Okp_gjDWYAXXjN_9(`BS
z!S44R^gI0WGnmDBdSpJ5&0_dmE_(FGL9iCdyt1DE{=2wPWkDbhh0IFU`nC;(`)ry4
z<esyjgcxjHZTRD&H%iUKbiGdyzUy;`BkM&D@_&4obDu5kZT;5PY0FAmlVPr63RWhm
znms~F7(9C<P9qvGEQKl$k2bK2$B`&-*Kdh3?}%+IBUtZ8J_X%su_{J8eRLtYJ(*%F
zXB*O(yae)1;W`K*9)R6;S0H3hxrC_4yZ$QGga2y6ZTCm8J^XZB78wlhh$TscqXiez
zlCv<jcAv}G#hE?^ljv-l61?ZSM&h-#j~P{VBI%zMvXD@KEOaf0l7B%>yrJLOf0kGN
z0o_+Y(wHR31w_D=TikYEzEN0mTib_e*!s}D6Dj3Fof((f)LA9Aa#?4ww`LA+esRP!
zBZrr-j91{kl$|1NR@V9_Y=p|o#acuZ6ipB#x=^7)A}2e-Iwx$Nw~PF-Cajp}GCs;*
zIq%~oL_Y3<*IFgZ)xK8$cSFp-9(+&wlufnCHx_%k=d3n)7<ef3Ha`7yt*v(V9EmfD
zB%ec_nQ<XB?H<l4v&_wv(KBsI;LFNPb<Hn>GWc3L9?JFZ!Oqf=1Ef8d)HMiLv;?op
z`E?HxFhbk_OvI?nvie{QeQ5pm2-?3o>1cZL!|g0i?}XGBlJ&a8&ZkZHpT!s?Q!B@K
zdsjXCjY>0LllF9c6k3-jW4D2fDtB$Rd!^0_^-x-q$O%TF6Fqqi2ij*mTSc)44`h;t
z_a<m`o?~U$sJ_+a$>A$UW-{@*Y}ZY0x#=`Nz1#zN6|S?xte+Eyp$CS394w#VI<+VT
zG^rh0lu)z0JnUicC4@g=o$zRUS$C^VKqu?cJ0NO+nd7VAmG~!+O)YG!3!BvVI_hT-
zPn$()-8?8SXmX-C)f}#ok@us+MKX(guJy*nZug(S@=NfV?M1Ji(e+8)GKs?2F_FD}
zss8mfOjhvYL@#a>*X*kT3-#f$1iuOG(879&osqXf(RHhqf|fwyLkZIpw9+C@90na;
zz4j@bqsA7{@#B;5Q-gdI_(CDWX>?j7Pr`c1xSC1LcFfqOeU_}7VOT(kzG3o|`R47V
zVz^E*LzkQ8&zcP;e6z4F=W0=bBmjaFPIw802y}n$4Q5P9*?7xQJ(!El0<akQB@aMl
zdQJqLCnMGZ-fNZhqLUG(Xk+;WF9WmKc8216h^ny8fE6K<*Uu-Yxw5D&K`#URD$FUQ
zo4sT5`h7oWp<e<`;#4~RFdlU9U>}6%OQGw9kCJQ&8+pD^vG3Pcyn|~p%k^NreO8D_
zS3Kn8-mrxI-f0jDGFaz$AupX52_A)pJHL9(^%yHfG(d{ncJKYQX91Y?Q5vKI<8r^H
z!^Mb%NW&5<S|M%6JH_MMDl1z#JHi6@{zfKgnIza_mc-ew91WD$hWg3;v6z88*u(rK
zSmz)H4}9eMGl7p8w)!efdlJWIri>fa?x>`7=~Q0CFBqwG{9>WI#ZUcL-2@O3{vNL7
z-J~l1I&c4dtir6ty}!FcrVjOfGlfl_i|sIw44U5}UQ}F)YIfJV5BIsH6%LP|;wp?z
zB+HTuYYX5LXY!~{ZCA(klMR#dh-}uX>_eDa9(a<@q&TJQd$<{H(3Y6mOvl~v2FgdY
zH+~>Qr}&SB^Y0?67}q7_#=LIdacx=`+U~}t%aU&Kh!owKO#ckY`*UC#*yvNBO-F`M
zY+tlHuRU{JdK*^vsU`T;b+eq~NnUmNx)D5iMnDYH^3?I(YfX8YFlu$#uX=74>5~sX
z?n6r%jN31UvVFPHGx*qHv8#CzY-_yVKrLy;q}xNnuR#~8ReQ4K=4sUuys#1+PV>*R
zu+8q;g2+J3H?N^I>X;0;jvs>!Ez?>^X-8=lF2u<dhJz02?`m<Y)TEy*FUJDq{osqE
z(YTc0jg_$ZcAk)hYC;2b-9DzXIO`Ye^Jp)UJ3_p|=BtRtaZ~;5PfxV(DawpR$<8%)
zy&m>GCx`e_3U7@}jDH+{u%mw`vbo-Ztnl4FFZh}4KHb+UI`csgb3H*sKCL;}s*2S*
zdYiels&y}o!)31dq`@qAN{W+Mh*~{{#-Ey7h<Mh7IYQRB<Iv#w1k}X}mRcQ_*0-UK
z)Wf(@CRO<~OGse*>u~W&2y<lxz+^9FH7=yZD&^HD2p^UnzS(Hz?T1mNtz^ZGPdC=$
zG6la#SD7jzNbnY+DY~9ukTJX?W+Tqp<OB3Nc=*%QPgV$#!e_e>IRV~pCNQ~F86Tj@
z{REG{X6v|}vgm2wRW-YmpCw8)JaIHT+5hU%;IDTJeILkUCKeUZ%nL09wzN)O%(oYL
zJR6?%qN=vA43%V@?>3F&gJ#O&@;HCk&iwMNhzoO}!@h(IyhJny1_rQ&Xhg~OJW=;L
z`i>mFz_hd*T6yI271#(;PTtj&$Q_!!RdTqv7JcODk(F1Sd_x!|p?`mN?IbI#BDsDM
zGo*^|10?J{JO*b&d@N{~-ors)bg8c95KD#6gmZrvlpI2Qpxp!$Ua_~$d%Eid=2u&1
zmVLiRw*E$XP|mmvJ`$-RC4Z&WU|AI>alupLtWB@+7A4<m2IiHnml^RLU9ffX%kH|H
z(?W4*cS2k@0{p{V1z7rL`me#er`3$mvicJGHP-4is`A*;0F5<#yZWHXJ6mSTz-lVk
znNMVs;qE516>?znDps1pU_{3ZO2CnNeD<nbU>HLLEhzNkgYX4Rl3*P9tX};!(I)Tj
z|3rhICvS!KuF6PSfI7V-a+W{`f1cd?y9+Q!tPgf;DX!7{VWQ}4=|mFpIxe)Na7Lh2
zLW|j;hC*7rdv9r5U1)r^HXceA26V~#S`Zau*`2`GsUk3^s2wiHD49iT+I=;p5$MxU
z@BIu`k#bk?Z?(y!>fP-oeWAYI?NkSm?L*r16u18|h4e^@Xm9DgPW=EFB%!IiKq0o6
zlR}Aun>hXY8{ZE1d|iqzUXe-=Mvyub`Gko7d$%`!x|_>@K$GYAoRG+-Ydym~z}<Tp
zrT|p5Ku#WrT<|<ucn+v{e(1T=#veoN^<YS`c<KH;GJ`G-_H_g)h1KZTJAE_INOiy>
zSQyVki;&-Fno+H3HWk0&lz7w3!S+?{t2OMCaqxB@r$+np1fB6rc#jftOM!qSwF%4*
z^@f-NGdwj7_PS0f*^DaGc~N)*%YOpqF90^zT(+QxmxkBi@0&Dv-N_HC;8+9VRJy8i
z8Mt@uK%*VqcK^<T8agPs3dJ~=K-n91l!?RSCEwLYbWF<zvBU>ugmOz=Hj99J8$w6j
zLgq1VuQiCbv!MP8DfqzB+pgl2Ev_1i!8wNy#JsjV>-ql9O7QLQUfsxYcW5tar0R`|
zpUmwRh4v?)JBh*P1FY%^;$fAIx|gtv>1*NGe;2>;2N))qOaTLUVIr~6hy;-|W+%=i
z)5jtbz5C`9G}Oy5Vf=Ji>%54W3Hqq!1A6_0zj+RRFfB>TY&Raj=|mA=1xELB-b3$s
z-^hS#poz3YBYPHd`8fS}4^HbHDjL5-g8-1LANsmE5$NoMbHc8T2h#sMvRoJq=}(aD
z`8%DdNZ6dLwd_<kHCzYp6<@>VgfuHw*vXiIY80{(02+Au6`;&JJM6MR^Twbb>OiU=
zj8Yr#_g=Pj{CU%33hl((AHc%-fDxXpI)LLtdYLY#?T-DX8UsCYU=C~Pm0Hs(>FWrj
zYX(E#S3o46I1(h`y(dagjC)I~98R6KyCG3mw)6%B1z4%l`T#!`Y{;Ea9{)B{ajWI_
zv0@asGW!`2DkiyR@YzOh5F#?mq{coA$JAJI1yKI@gihR&>c_i{7P97|nO~o*0&D0=
zp~asE;RI)oK^J&}D>u(33#$CbBuZ9ylW_MhS?{g3m(zRZ6t8rWL<^(rd0g%iU}Yu)
z$USG2;XHI3yHYC)DtGKggy@0Rzq@4ur#}>#du+c^+&+7<6}FyM)1izVJcl~`v2D&N
z8`Lj-7vUzmoFTgJ6B5!d`eX$t3GlSG$J48*z1Yt2B+=;I?Dg;6r}LeYx3Jowu?|e)
z4uMEAc#;$TZ{Fv&YF^}z4u)1Nzd$Ax`WiC4MAzSyxTsVJs4$NL3L&rd31H<|LN$ik
zpA$Q$VWfRFSug*+m;-0yte94I(M!UGgQg-WLFqDdQ$*wQ1j;l{@F%$GV#nvKVaDfd
z>f$!_&|<Mx@at2`^H!ge6o<$eC1|){vPWSqv}pXVV+qK+5$e{0i(InMbLe_0FEj4y
z43JVny^vMFHg8OjNsm;)TPA|AQwS<J?!?M}<<0+kx#)wswUv<?4w!&3;35ncp7&CM
zhx@%N_PW>qig)L&`e7&R?#?9<NT&jhA?;L3@i0!UBqXVHiIw_z4Jmddhrmi!6ux)}
z;Wf(B5%!Yj2ZMTK7Ko5?wq$J8E%>77#>v1YorNyKX6~6^FKaW4AtwU<2Fz=mQ#R-%
zY<p@{ea4qAy0T+qE5kLrDBuV&t^+Yl2X<O2f5ZERdObl(w2LK+EOsaNK1O`=x9-0W
zT_Z$VeXu2z-fFfu8e}p)dE|D98u*#ucC!27GD8i*!XXu17unW$hW=SMlex3!bFoY}
zxP%m6tBl?aLJ$KR!sIp2;Q8XZo;uQ)uVmjX#r<EAH}`Ec+SCvdeuiIt6yYX)lxAu`
zC8ACRO>-hxWQWS<kYjlYZDUN|c*-J&xj=|alW@m7EHehUD!p;jjyS|kc0Ow#FiOq5
zxiR4U@NQlyB(6p_zy{RdW9KjcH^`oSh-V6R_v<mkghymMw%GuDg!LV{V54-Oyu~R4
z|0w%g{d#rStX&(><lL(pq#(Dc4cV)}Qea=m!qD9c*_WU>p;JP_y@HMWTv5fO=Otch
z9#o{*4Ows}yw^%U#vJOD>;}4Slv?t!L$|DI-F)9TYw_COV~Z%sfn$aTyrK9Nw|hj+
z0RmAOSf)Pn8t};-qH<Uy{-x3O(mImX%!8PAan!S1biCvf#32EmYk5bGeGK@lMxBPH
z@q(KJq^ee(+&MU4SdKEOOY$!Su=M$l|26mB3U;sNi)enu=_+Hz7jE<jQT}axwa+*^
zx5tcqT2U57FyHPjr|S4u<qE=Nmi999aG$@2lffd?R~Pi?7@sHpB)+`d;rFk!Y1P5K
ze%1ZnN0_2#kxHSE7*ztDTj~J^>@T-s0gb=qq*45n?#U{Gl;+Qun;ax}{xYD0MTP71
zRVIISvmg%HY#O-MlVFwq1zM}r0vNlsb*wYi_r-->%r%_#Y&D$G`h=#O#}MvUZ;W3&
zh~8m44ZGO)F+8|*0$m5@!T~Sc)Bx{bk!9xWt2D;JwRFd)-lvHjTA`(g_r&gAE7qVj
zB0Q|I%l?*c+(qAb?iitkiVYV22f~w&75>yhQ*@EBJ!kLRgedIkKLsF2wz3{JhlnJ&
zh_hGw#?}0fcDWGyfKLxRIa`YE!H&$JqCjM1kSnRiY$)ni1zbUz4SQl>E$~){D`*Cw
zBu*khy0AmgcIyDG*|}&}*1<{JsVM&y5$pkTczO))4rY=lBi!uJby1=kxeY(ZWuamJ
z1MiCv@&{Cb2r=CL=M_bYpB_JN??Pt$nT}|%?a~dwG74ffkA+UKAafulYfwkNeKz4;
zF@JtWzFJ!uxs@@A<}c14GS;uzvJ+tHLf2nY1QglOy6|5rVCt0wd*Xbr2GG;ADHv_P
zo@p4qtubjxVrdci7*cwG3j%lL<%0i~P@%bKw)E_1urB7!w2hwi!MIMls+<H&8Y9Hy
zT4iFg`C3BiA3u09&@gWMdD&p#31BiO4~2SMD*U`4iJQ-nR-p%9MAxf{7>jTNifOr9
zhBNU$!SV|?f?tZMEZ)>%W0Ai*ifpALquvYemae?~4(`xJ04L|xY_m7DuKPn4FXI2~
z)&aubNu4i#MJaZO4ha7Fz?gfem0^m;6++VxrtdH&F@wFU!wD8(Wus3BEPy;cPtAyr
zKr=D<dadRBc(8dLmhb>tRMEH?jdGN>&F{)@>t*Dtym1Hf4~P#xHa?|GVqW$H@9Wh8
zGd1KK8UQJ<=ZKm84otg?Dvk5ThQ;U5;k2f3vPrCx1yZO<`0#TlvP8v@k6T))8JFiR
zP9giWXH8+`86Jl;FpI2fY*6I*1kz$(St_kq#l>wte*wT4G&}HVd&F^so3Ura2JN_P
zjHcLLmW-Z)!qDoKL~hiE_xCD&VE)&|)4jmOu^Q9Ay1nIB&cxP@7dKMAxVz92^_+Dk
zV4w3IPSGQpu#j@YxZ=?#OzsYbDe3Qi)dSFs%jJ+Nu+Mre5DD{iOncr1tN|xq+y$Qf
z7256F=BB0w7zLq`y9>AvAQN>fTNk|6MtL55ed-OEg#;=p_V<eji{Y|oD}!^{B+w;o
z(y4K#=z|-~JD(h8$Xg%dBytlPYv3bBfxGv{!2x2q8RHILm}J%5_&uWZ3`NOH`j>c%
z%$y;P{Kp*d1+3LF@S0>gG+hl~-7$5?st-qjt$RJ30fX?{yNGf*nfSo0dIgmti5Cx`
zEe~o?<DV}8VAecwE^pidlW#~_B#S#qF1Pqh#1KGt<r=Bx)*TN+4sn|U{=)@u39$@L
z-k|VfODEQ@%9I=-rX~?0k`@Xf*KJ}Sm(U)WJ&!uk_X%t@CN>l+oTBmg>pL&tLf}I7
zSQzPG)g>9qxT-cE)f7}UX%YF&Cpw4iGSgy+hc_LFAI%CZbnHm%1B_!G#6(uIlIFOG
zBS5F3bu(>C%x|Uah``>F8JCG%-`BOz$<gA(N^zxGv<g_-$MHoySd0S4o;>#cj(4tb
zXEW2zODf4{E8=0#P~0!4wgnL-aLPE%pO;}@++O0r3dq3=yvQx+5bQWDzv@<aHq;lB
zX4%>H><DoUnq{p9l70tAxcj1XXZEtuqT8%-u4NP9zpZBOetiZBh*AoOYjt^#Dl`od
zCF$P|g~di|RITC$$oAKoW$qOSehe&7@W?(ZyCbLQeSNOtkFoP-{EzTV$c1puFLq}L
z-zfZ)J4aDqYM@wq+RvkEziwMK%srWvlWw4+EXer-TPJ%NR)har;)gh_hCX^+n}G(%
z35Q<eHwr>#O?m_+u8c8zG*g@=qeWKmbBCF9Hxlmg{<#v1r~1U+$hTEF5-;}Zg@vyt
zcu=WQn?dJm0*QTtaJ;jIPFpPb$EjP2J#KhGVi?*uj&eXgpCo1E;7Ht-+tD4tOC*iu
z2(sT#3Ny?~N4Gy0aWU{Zo$1`n59s^V@Fd=_?eARIa&37(J&CCZ_(D@Ape|jIP5{A6
zhPYz(<HO11E;O)<(~Dd&7_oFHtmuc&nW2q-UR}|_P%Go=3hjJNB7S`lX?YT~Yu`7L
z!p^<wU~R3~QC<Z;;aD%>804!S;}l-tImhp8w6x3Q*LHt)XZ><w%r~XvZVh3GAb2LO
zKH2(|pg+0H#R=(!6ae)cPn?)AL*bK2Z4D+~e#Kg1tm~GR9Q5q)Jh;xUM}B6Qo;}-7
z`aM6|_Ev>Qu|3t9K;jZ$9fdeL%;6exWyC`4N`7f&k_M|zs?Si$QS}tq!&=|Nk+}Vy
zZWg9)>gxi%O26u^Dv@HDXzAsagbDE+wNvp<^lj=Z1?hNJh5O`HYz4ffY6swvK@f&_
z8McS_cB8-_C_F7K6yUTUBApKdV1<;s#ov!{0>R`UCz!HelEamK9*T@AIgInLI!S{c
zFge{5Z3F2B#F-v%4@wC-OwLNfy#6jjG*fX+6|ttdWDw(yL=o!7Ym9>HwhQB+RiHW@
zWMdOS6q5A(FafTK8^rTbp~yqox6pF8YLc}?*Y8NSDI*=-73K8L?0NEY1`u$-xpBY;
zrbYO)YON-7b4y$yjc@~4g@F(OHtLE7Cb{aNJL#S5XVZD(vX~#d4~)EXa-KFjDx|W|
zw3?!2?j;?RMrYovG7LzV4@fuQj3>alu$A}|C&mq5kG2i`?dK)$?~D!2j6rA9iQxu`
zHQgpfB!g3GN@!&4A~l|GjM$UA-p#GPBy%@__p{4{R<XsGEw=^I+LG<zaGA4z7lI1l
zpre_e-JEQTeuPHdxL6qM0y75|xf)3Gzkm#Yzd(A$hC+Qxq3iR)tjD&I^~xNS9su(a
zf4ll*iN|jxSSOfP(L))He{H<AB053WxX0k9Fd;u`Suf!CL64P(4ntKvIXI6p6c2zH
zKXRdf#+0e}$oy7>`w4HZ#RBCqTj9om7(f0D*5qsA_6Jp_MO@@p9oe-<D8Az3R?svS
zH3SS=t~ZFCUoq^J?YOipO@2G%m0&GnFNsl3A@Bz{D1c-qgyX@2A~f(lQB^eP#Ct7|
z^pk$`)4S%?z68M;zyk<=UsSKpxz1TO?%ziEpeS072sRB%WxZ(?$k_61ZRSq>o<4mK
zSAdZ<XXC5zf|+PDpzHEKSZ>$R<Ct3{e5DXJ8n6|G|DBs;8_O8+hfaxP{EM5W;~z=G
zwSBI*7`fb)9ibk~45<hNK{ieR@3rf%kG`u!CtgV+v&=hj=u$#Pz9<w@6eeau^|wYr
z1K}>SgbJFuaq8hB%`E9rLRLg*>0NgeBr?8l=dLr8H{Mh!@WKO(M-~JEDfJ}ySl92b
z*BOI9;iaX&kI6{MkY&|uM?}5lR*&~Q>><~+%N|1u?034vIM$!8@4MGu4gxLHuL)iM
zIFE{_dP6Jy_X&WebIY|dXm*xdu;a$BI;$1ZnQnoDPM50Pr2@!k-+<7kk9nZO_rG`O
z+*c}GYZ*#!eN)tc-Gki$QE!VB-}F?$dJHJOE}8;E{Xd}Be?|+>!y&2+YYL4D9m!n1
zzt=Be=+EpE78W)J5;j|d>uGmC+2et03qf@1!pS81uUiehHQXPrQ{k2PJ2<S*pt`xI
zUqX>qtl=FwEjaGNb2L!=XienVT(S}#Xc=I_31T9^Vw(RmSnjPov^z!U#%WH{>!S%h
zH=o;a=YeM28$Z=;QWSiQWMoO2=c-v+=+Zv=J$?`G03L(R5PkfUX%)cqJM_a`?AKPo
zi-XmJK<+1ZiF{@69ea^|gwO#nFs;JI27`P465Q97$$b79PHXL0$EmnO7hcvFn&^9n
z3h@>g-)hp_V%kkdbPrP|)0Ml;KQ8uWW0d?5ggH!KqyEL<ZdJqS^aIr~OjdY#<ZGWd
z$6sSYt$IC?nx;5o3`Twiy6%rfLEQ$=vjyt?W1>arN16>6Y>~|YeeRl1MxoLMXpTS-
zs59?GGArgcXjTz3IRs<=RcEZ5kOjyF|1cUUhj<>V+^-=>7ftZ;)-$g6)~7annwg&c
zZxjXG$`Y6bK_p*(pwipGZ--7LQQW1KvsDyRbFPfS;%`LtOuJSX;HeEzKvuOWjm8CY
za}~ooo>JTU+qtUbP~voW9Jy|jHuS$%4YEJ0_!M7V#F;&awLZZ~7imfc>6EMol|C~3
zcXhCTz}cZm@4G=MH4Q`L9?yPItP@Xaw3KtG#>RnIee?IitH1@g>-g;!P*c(G-F6F`
zO_~3fTmobT*%(?WsC4q5=c8`N<`cMOY4Q?+1GjAOBWGB+&bR7xLx*(0ZGV8I#c28j
zF^M9oO*FD4I=DChd<k}LD~$ECrvF(r#g}C=i6IOT2+eO(G`F1YG~3$Yj&uHldgK&R
z3H$-(%Xt&~IaSSL;y|B_+*IGQKA=SZAR}*{JCr`E_U9Y`n8nzArGQ0D$8z6~1V9BM
zBmXC(k1LO`NY@`MTC6Oc{;RX~eWPRsC|w469)Sf@uwB4|1>XVe+#07JT<)>&;@aA+
zSc1tvfY~`Z-qpN&v9dq&m<70X!40dbxBE7a{om*LT|$iEw$HLN?pbPL%@!AFF-uE^
zn8f{JQ$&$X!}Zs^TK4Q}5Jgln{?8mDnZbs+l@VWm90UJJtuRyc<6?Cn`;4$O%MrO6
z0tjFP8Q_p!WO&Op9G&}HYt2cA^Y#?Fe+UhOYo%2|goS`>pH}qAzGG%AG2Df#d<3(}
zWfW<!A<iKI;vOa-wH+c)9q<y_!!?N6gDY+Yt%F2XA~H-68)16`cUrn^+`X)s9XivR
z5S-fE&_njL0CM;51NS8n)R{QS8u3}2HXsL#fM-HSh$uaLaWBJVLXN|`=&v1#2KraB
zwV8K=<LeuB2)K@cq_cD!_up+LPhZU2T<;9IHIlfw?|%0*N`wC(=7AyNY}GG-HVycf
zCXS48!S_rWL9NPfU~GW<EG9T#9-`=6LcaGinCiKNfpREdl$!Vt4<0z3ve;tA)o*M;
zSqdF)u(k!ZX%NOu#|UDy5D`@t9Cx~R6TTGwa_`~eIPC$njO<Ms<Bx|R_f!4>81bV=
z!%J#6N&tNU&M_m14^!&NSP>h9>7O~kxjhG0h=FaPzU@ldkWTYx3|;=kO<ByQoX8)H
z0Z=SCT5I@CW(H|;L3=)t8z{>9U~s0SdER@%mdgDQXW}-s)De9-BOjzV-q%BKdZ!#e
zFmNY)l4fq+xGG{>&xe8nQu@~FK%#N@?y&F$%L;)MfYh`hcfi-&jRSf$UeF8m6!Fl~
zCed8ihziIU;h<}Jhx@7c!4b?#gB09W$iBt)iA^HppSrUaSsueGX>3yTCa}QnBg>DO
z!u=b8H4ISlijn4kFljFkuVpt(KC03`ahD1H&$h(*_8yzOMr;ts%ao>bPf*E}I#y9t
zB*Hy#W-ZI4<<edT$Rw3#X_iCd|GQHE@BNXgjQG~qPm0BXz#M3m0}jj8l6KwT!b<5q
z)OEv22}@;<hghm@Xkt^}011qjB9#T2qQ@YeyU*n@X+QbOZtD;=Vs6B?_3QPX2Ultb
zEOd@FfIAiHdT!&Nd;H~>E&{|~B*v2G7oKhZooza9@GK|@#))R%0?q`z8nT2qufzJ|
z*diGqS~p=ZdSPN~^9+~cF_4}8R}7ou(rSahM1p2px2nc52W9`YD|F=GL3-{g_i&;)
zw~EM{4*ieMOB24H>);yrmyU%0&Kp!S27dd3zM`7Sru)nNe{n@T$EP5sVx-Q910V_*
z0MgDB?NVTq*3!im{>6QjH^)WH>hdSX-dMPMr?c7_vSizVy_(~^X|AfqDcAL{m?7#3
zBE4?tO@OrReV%0gqHPvUg+xw{Hv-)+D#w2~Tiiyt($Zh&k*5z|pui@&u@YuV|Bf-3
z1xE@LXyR`CZ10Mz>ZCER-T0OE+ZQl*Ng#4?bJ@<$OY}7xKhO_H>8yE!srFCruc@mX
z2^!Q$YwQ>a475|uF}{a;Qrcqw7iGZVBH3zN_kSn>5EdQSLN}63b<t%z+h7sN({bti
z=t5n)WzbaVHAZvC<PpA@^k|Pke(QZDo!<Fi)=#BYAY^(-Y9W<lj7-RJg7!kV?|WGr
zhb3uV$N?F%&(joz_J}<FJF6hC^|46!^M%mdC%@`4-^XZdSgsAH{3s*$&8UDkL-+Pl
zf%QN;R>1KeGEMh=`8O>Yk6T~srRDHXP=a)7P}rOJLKCtYn|u7vR;(S<N_4Ohnmzy`
zS1o%i1QC^ZYBSlK3VoksaCaTjK+^FUfX<SatLte1)7QShu10f`jIH|MVu58u%WrNY
zshnelC@diD12T3ecc4>&V|C~hE?IZzf*W~%xuEqYMwf!N>dLGQWtxJ83=^!6U=g@H
z(Njd6<{ETep@(bDI%QETkfp#m<^U>l5lt?N5WxXsz85rWM=i~omI0F<v9{=Vn70YD
z00&d;7P^qh-`;6jU4L67gPUua*0)WHW<pdv5|Gh_gyVmSH=~kY!C}T&nqEhrZS~OX
z2}rya&panlG;&5TTt7Xp`M`bV&GjRReSaG>i=#oV85RGpbm;+=XTPp(M-1{7npK7^
z+`&|s7kk{n`5OA61a$;oM~E)=_HEKCSQ0@_Y5AaM%BHAwXYWKyP0ZHX45$C1bt=s3
zOGE)Dtb3qx*UuU2jU$K%NvLg*nIMBF1D!MRm{hh?jrTiwZqL}rQ|sENMqeVugYd`B
zg!ncOzleK1O-+I=yC~rSl=WiQ#p7;!wbAFkigmFo=X<kmdL(ll&W~Q^S(35@k1wPa
zsH+)60`N`-gm>85LhKvClv0w)<xPCbO`$A!GSfjWC)jrG?D6X8Mjw_9uT8y?v8rZ2
zzxwZ2gUiR5d9*v{hxY~KgDpwrb_mC@|AG4g&+Nu58@93w`%9xNEJFHuXT|}sJd<r?
zvmi!!JWc)^@l{Ax%hkZ{&Y(`yhDL-nu5kdLe%@iyWuj8EXN%EY8!j^8vyIg?oyA7K
z`}na>ioCqON&okHFK~Q`i8$A+y;+@(r=dwVclX?gPvC90Bd7e2|9R$rFaE#wk5qq{
zG~swUgqeXV7NGsV66gX${q+5yH^awxxCX4~vGTnDhP6NdaJ(UnGy3nBN3#K(LCre~
z%KjICAZ4xfDY{Awgpg`r%YFI>B_+Rx>U{Xv_`mKththNlY*hua@POO_($uk?pw?Cv
z%?PKv1AKBmKOr4%zdd<|+gB0Z;Fuaa_7D@5dORxLE!{JM`X_xFGj1$%DG;=uJs1yC
zONcm}kluuUx}?C+0oE}ZENZMKo|p3wq>e#-0La%G+HO|X$5DdHSr5dohQX%8fMp(Z
zUioR%R0ZcIT^A!f^(vw?fR6-AbX!KCX6!Qbgc{Ubk>lnTa8>Fg;O|0K?E5&C?H9Ks
z5&YcE$L=ub5IjT(@LM~o9sB{cRR;iDwSo<ApO?)S{08903K>iAMX{XBWOh4a@B79-
zQ_E>urKSc~>Ihj&IqHKNY*V<?xuSqX8hr<@BqxO)q;7>6i=7uLKrQaBw9&(4-#qTV
zpa{4NE>qglgPq!OU;1v3>Z$n!D@X@(fs7mS-{KgoRD+vT8$YPu-SybhhUC>3j;*;1
z1L2MY0|vVlz}r%#5PbIpwQ7O?nf(NQJDaH4Inr3oQS?}f9ZVjCxjU=i0vB^S9tLcF
zh(~?x0@@j@3oW9_^D!|#;w`StYbxyv*gy<6`@iH5{8sK-?Qkpx&5~SIX-x?x;|%0W
zUL>ZTRiA$V>KNVy<F?{bwClLd!{)BNz48E_Y78tx0D=^X5nkX16_ZK|KHpTiPkXyf
z&S?9>Q|2<hKR{r?0D?Xr9SDbQD0o4z8{8S}`%x#T6k;h7(t`n|BOk5zGrp=)XO-Z*
zxy2G}JG&%i$YGZ1fQQJyqmXVO+1Fv`3^F`J|J6w45O^w`^pzFNl^UJbckbZ5aGK^a
zV!H4Y_^}U?<D9ZVjcAAP<x?C!GM=FNlO!uO$Ac3k9MH+YqNI2D5B6+uBMk6(^8J;o
z@37Zb9JUW)zt0ZGM(CkP`Wy9TprYYA>&|M_Eo_?P+6A?iw_-zrXoi%&KyhgAbMW07
z&cQPO-3#D10z~BRydOMjz>1lN$>==*K5r1s&ji+<qOrb3Xg8LEIgasA9EZZ0f8$fF
z5U@jCOiXMUH7e_42?qHx8tqtSvzKlq16;3zHLL<_rvK;q|K9lj{{S=k|0m)9p-DKV
zQ`)7M<GmfL0~O-%5L9JKbYI5#0>5hz;PaODby#20h2p2C@B4Q9XMG2k1P>nRC~iFy
zB4}EVDX`7D`jWZV-@&%_V>GhrLNR)EN^SjI(&D*BjWEIPJo4!$ud3--8;)v;L1L|X
zcx@_0(geZl5}MpujqKdLXKA_IXn~EcU&t5(;Ds8go!$-`jXka|q~3Z{PWvP7!gg%@
zT+^7JY5Bq4*!UBt^0$uLn<7CL<sp(9=Zw)lBj(fuMT$nnF6^hovjU*Uf~=M-_pmld
z@FeIkD_6otv#(8{Ni<l*;FN~2=H#7<it;ICm!Ztg?xOj2tymCkt+Hz19z(~{kIf}%
z_v~QM=jC<8WfzC&`48&pq(Z0v@xr^5_vJ*WiG4<PfAgUkZ=4{$nObwh04*pMh$GAo
zu-p~9Zo)UUl--Hcam9H<LJ=lJ)9j~TI~rrN+br3TlAo*_|02*qo6>FPp`A#L>509b
z?B2eJP2z5_U~kYYi@_YVKOfWaF^@<+vAI8#WCUjQ{%-Av)tF~}<KfHWrI!@yyl&)o
zTpLn6AEE6MtAmU5-luFX=)=5j$r%!WvUT3yqF#8KAwUb$hu?N(P7AFbmXV*f_7lwd
zB}z`H*;cVOC-l7TxsOR%|BZ3vO+)|i+nzISTC6u89O?||$78FiD*&=Q*q&4DPYBXF
z&7TFA36JTRw$PI2v+kZV`d=S|EMs;q_goCh*!9?`_qfuM4y1rUIecs(`9_HCG0M$j
zpy*sDvRV%zlxv?jeZs(GF~xLfV$c0kQjs>j!5X`v=%9e-ZEdM6B2i&BwEI5B{V5&b
zX?jCeP5X$JI>0w+rt^VN_$9;!UixQO+n1FlzN&n-+js>D-jmA>N4oLHr{{+~uDb^E
zYf<b?LRl*_r_$JVZIDdV1o`xubITMNI?gxBp_Q|Yq=qjYV!eP#*kVQ~@2TF)Ip{YJ
zmCQLrz$IW=s_)bWZ9r*$w4xD1oT|~6396)tn+G)KWQ%C30L6AMhrI5b6{vmTmR3Bx
zraWF<e!3Qx0J?L2tO_x0pHnYB1Bv~@gfjqr${SJiw^0LOIKoROK1~R7o+G)3iKl1U
z7<jDp2sHbJkUz_-4_<5!#;9Fip7>j^fcONU*x?eQRdokd2JT6HT6L~Ak3r0b2gSD#
zgF^O;JcXXfH;yfj>(n2o3L}2y?w?><4BgB7WsGzXCvy&q8%?bky9rQKv4JVa9l;(X
zi^uV#5fAk`J8#Dx@z7$=^=UG4HRj0?II><CS7WZdiZ#c@s@wh^V2$7d@eVSJahqu;
zoimMerBjyf!Tvcv$Y@P95FR<^$^rEsUIr{`H)_0Mq<@acWzKYuUTh~;epp1&1K&|C
zHCF=Up^asAi$-yd*~4wlQ4+#IX@?ELcosGfsSxfsxqVf0t(5~241Wt5dQHHhlexSs
zig(^r)>)fn0eLEeW=?QiRWzsqSg1RBSA7~_4v;oYf^=oK0~+zLlbR!!2hr3Ex3s8x
znqqApCK%ch$pm7zMg;J16js<yED;0BZt4}}F3y2xmb@OoO9*K^J6uAi#(j$d6-t~i
z3pE3stsgM$ig#>(L|_;hhuWF7slZjEQS7NjWFT^diqMjX<;WLg=94aC0KH}gLApBc
zz~%$6mg{%qcH%RX-E7V)ifp%S`^Nj+?e13zYwm1X|DX20JD%$Hjla&9vMM7~X33s~
zc<hv&S@uXt_KIvrM@1!sL`KL+PF7jrpoB_xvJWMD9I|J>>vN8t=lT8j`}g;HJ^j_|
z_>B8=-Pe8H*Lc6Ln-0bSCv*TTck0!v#6+GV?<>y?<EcWGcu;jnaf7Fb;<nN%xdDn>
zekEZ{@(ms21-2KIHQC=;x{Bry<7Pa78E_f%SFfNP@^e3({6>v6K!U0A>{>@(&#R;T
zPFH&)lrm8KZ=V@GKU3qH@r5c?nNv9P@iP&R5j!f0N}?n#B9izduxf+pteiPM@O$kX
z0dZd?QP`1_A!=B&&f~{A0LL$;@oD+7QW2efeC^MMs7$L$e-$Uh(K-i{!tT9cpsaKG
z;h^nhDx4<pApyWdXB8DH&N@kpA{%3r)*gE*>Sm?UD8&njp5KF4k2dcWBqE*jnZUX3
z`^dfs?6$=L+f?I@1z3XyoOzi~vnc@nQYgLmQ&qhw)&Y{s2_0kjhAnb_q^|;GMj%lt
zg?q}C&8VJXadI)+5Mi6l(w4iCsmjVI3;J_%KJC7((<1hv{gbEXlx<IeGD0BR4^FyF
zn?{Q3)nkJ(s&A1>M4KT-0yQ#MCu`|a?aeT8N9kB|@M-jypc01JE_D=voX2y@bbAGN
z&ls^hg|zUwcg0qVV*;W|ul{7Jop4yCP68a{IWDo&)B4|wwT4&QJu}w(ySUB7<7ypq
ze*EQpD(hw243Rpt2=moEK0Xl+<>V8FB|hzqc%-`ANXEk@7HB$cQs&^wON5pxFRSqO
z<wlc<&=)3jsGLTw+Jgy&u^$VWy;(F#?UtyEoCS=jA~R~l-qe~J?ZQ4c%~$eI#vKc)
z98k?kfr_U?;?qwI0+Nh5MCc!<dl4Y$>dz=VHRKcyp$qxT{ra*efDdOG)w#sbiuW__
zL*4R=u$V^VAtDYHDjbHD+4lAq!|bU++`k}E)Kumc&(OQ3Q>h~M<aU7(0?%|;e8@p(
zq34o&{1NsR%dNL7&O;++L6x;yLu?-)<bXOO)IKC>2CzQ{9SDX#)K8QO$UC?~zyRXT
z(8^)_$OiT#18CZXSv}*eynp|SRR<IrD7>s7dRVmVdA^4yD&6mEsfy)u2qYx<#B$M8
z4tv4&qdF-wS#GJ!Pi%NOuFNGW`7eD-##&BG&LU-j7swQMSqi((bO%fq-CQ*vP}W9b
z8sInXP5VTs*=RC4fw3UpIpT6xAn=Kk?~fDnM%G=)*cNicOp|C1g9>rm*MI5+q;8nM
zLcjta-o{)tXyto&@lY^BxrMc-oAATjye6Mt{7?;?tDKD0zD$K=S$DyiUWI2z)LL>y
zWqNLClhCCOneEf<>6!Sg$C?wE+KFpYst*2<>|Q0bLsaFHvzHJz`Oowk7G<=%7W`lo
z0;ww;R%b}l9i!WxXHaC|bQgG}I{x(8$fdd=9Nj%BTyt4p5}t_<u4Cc{E2KWlI(=G3
zw9$%@0pUf%HiQ=2u66c~oVu+vs^72R_2x(`-H{ZU7Qb$DM3teFA?Pwd@>z4Gi%N*O
zT^>}|L_d`AZ`~%68suWT?C0NAqEEIlV>Ue=<IOIIF!Ca6PYBXYZl_xOzQu@K$en7E
zyUl>47{FyQRP?KIRFw@I6`c1^{vz&URV^>{8cX(252yJNiLf}uvOo(TTYD=C4(n{1
z9w<PzRUPZY#?{;YZrg*cRsfy8)#wrsOtr*TOVL%Gy7vdNKxV;2mBg;()aD*r;xkJJ
zvt@k@)8$Sd>pyww91EtJI&<B-)3NOgYMaSKlKWhZ?w)p}w1U8MD^xZO@PlDK7Rjqw
zZ|XH})m}jHV;20q_+CoIKD&K`zK~N%2gm=!k1W^S?pfU~?zja(hjh*RAKS}(veUjd
zeh&r>joZe*uf}ep_lY{92xJ!GRT=ZoyHO5v4qRmcK~xk(XgT8gyzDJ_4KKsisAwS^
z{M9-f$I0dEtDe{5$vf`t&<cgNk1Bj!@dy2T8=7x?$pNG?kq5h^TO~TO)-t&jGY)79
ze}27)YDpgh(EzKqcU+-xI$<#Ve9vsE^cFELeM3Evu&t-IVwA==^7C5;KJ>T#Fw~in
zb>~Ob2mu*2C>4*dL&GZQ^xB*ae&;#1u-mhB)T;}7F#}`|9x;8G7+Db@`^|Jgrh4Of
z6mRX_Q>hBxvIBFyB{mC9cX^O}b}On{Ypb_Tml?juQhnrhIJrMaU;2tM+uhgF2h-(P
zE7z3K3zOd&AU(o#q(08ACQ=Z+V`JX2dX+o%=Lux{^7V{aohqF?cKmQy`n_(-^v8uY
zQv-to=HZne6f-^zWhBfW=<*LNxEy8s8%;lQuyrJL$643s%m%|Nb);f<1m><@di<hR
z1ue@c+JhY(&OF*W!uO$We)98`i9xonfjY*~wD#$>j?(uvAoJz5HrVlgu07L?Tt}6q
z<Vp9F_YE3VVl*mMM!*Mg)p{e-9(ljJ@jCyy>|d9E+-oU!KR;*g-<Rb^i5u9w6bO@G
z5(1h@-&Sd9o6S5PtK-M|IWE2Ndqq&Fqdevt^`-A`=4J3=M?OUR$N1+FL=GftS=;1i
znESW~UMm#xvE-F#I~A+n<nZ&?jxS?Rcg9)Pw`GhR-7Q{s>`K~iJwJhD6w>TKjpe83
z-`26&`t6OO_nSm*`?_)<425ACl;N`9+V(ZYIhpd7xs~H>aAHQRQ|O7v0a2rU^nTPb
z)VxwM9fZbhX~Kl+kqB>_8-#H3uIdEGj+(sy$a9?%3N=TV2awqnfXuG*MUSjcd7jYO
zXguNLrk3vpr)4I`IQ<i8P&V*y%74we+L>X~$+GFxqx8naM9uVfjy#hyiT#q4z34O`
z)od#FG+-9{h#vcwORV40jR)#N$l@)uhDjm6?Nd?V#d|7Bjl-&*T%?*(*LzO==gp0W
zUwu)7%z!GY&%~!~V(#6l-H*!9*POT+z;an|D+mkio;o%FzaN$)IPHOd&mn%FPp8|$
z>-X<yXPI-zIYJZJunMF$UH;13;qv<Zo=f{$kc}-D>kLi&?Ht%_phYs+{|ACY-oIC;
z_g`5r8b=v6#xn9h9XCt2<n{1By!uJ{-G-ra57t}KHT2s<<F%CU(qSN5Fs)@Ec%8fa
zWHQy9s+wbiLQ?Oq{TSu{Q7Q;l>ll--=MBD>-GxOzm<9C=2el2f#)MZao|cwMn28Q1
z&juP4)cuaS&~LXw+=Nw;P54T4ahrb0x89FBv3^F6XPlWGr7>T~jp{zxOFug)zo>M#
zn;8=+a#fFMh~;TF#!~_wgEnyMB5WN@c1nb*35E%_#gcN*zV70yc|k4}s^J|cKSRsJ
zYk0}R8Rc8G9b_H3VFhYoTG-3=WK;A#1Ljz4PW_XMTlBGhmEn08UBsz>KKj~pMJDN~
zY#Rod8nFV<-l`CsOm&7&zp>Gr`q=W+c}5{9#b#!L`Kz1Tmo^F=zMa^-?onTlyM3^<
za!C8xg^Z5xXqLR?%KxblH|s?xqBm!Bzp&|~Dzh8_Dn_!O<&3loPn#2%|Iz+ID{6}B
zew5*U<8tBfAi*J@rD845sVudu%C~tp-}IUhEA%c1NcEhkSNZ|Vz>}QKNvqfFYN)IF
zkdIcRe3(nPYT!2iVs%R?O%SCr(WhN&{5`f~S=qRyV6pEhdz{Y2S6(jI_x|09uW-m`
zwIQ_Ql_ix*^V2euef546z;$xHln2{6(z9-gS8&Mc$4JHsm6xzaH0+IbWw`Oqo90HZ
zX!0waoK~<h@msD3QbG|WP@<ssZwZ;Ee5}$q$C-UUuk26(b21Kjg#iXY?lJztvn<UO
zCTZpxR2hpRbDvy;PFK%`cL%5R<wjaw_MtMifhGJ1AquWo4s`Bmx>5Ebni^X4fd>ZD
zexyPs%E2n=c;YnG;jX@$J}&Rjtr0CwXGOnu-I=reo%fBgf=D#lWpgd|o|x+x5qFrA
z%UHZVZ3itD+Y~UxzYxyE=CN!QG7;LG_jb&I9SvovWkvdZ5*bRoYLm@JuyrtA1TsSJ
zk5eSir)<k>v<vNi_}LX%J)ugPQ-eX$GpaTvF-mp-0V!6_6&A&urjccA8^f!<=))4Z
zX+SOl)VbH)(62mtk40LX>MjA3M3}yu!?+qwi-p27;AD~loH%NF`+O`!i%Xrx?0ep|
zh_P=wM$)sA*d;Q@p;~v})$uG>c;u`1l70g#<>Xfrk#)8~4wS`HFQsy7thwoPw5{_>
zV-iJjgbpU<E3a!YJbGn$4EF%Bgx31-3E?qw{_>L^1tQKW?t8oMqB~T<g#ZJhXu9t0
zt)NElE2_s{9XxAz9hJXdd|Ho)B!t1y`*S4uzUV}Ww8#zy9n(#71z>|z<81S%^h~Qr
zHo<Iis;URn_H3es3WmZ4!<}(;Dn?S5Ei)q4BYh+g-(?ASWCaECsZIk%Wz8ja^(sJD
zk#H>IE47m??^4SPjcpgBS#d3?h&!g1R)VV6cS_2>vPew>wZNfmKYZKM%W9N}W<I(P
zs=&j>|Bz4b&X6>G(=Zo?S9Ws&*T{hzT9)d#L;>s9^3b_WN+FdrnlP=G##!MEIRYB}
z^$ytkNC5K$K=Wl}UWR8*>M=GRh<gQLEMSM1-f>>v4xaQs!cn5gy*#JDie9Rgq7c%u
z_Ueex&oK0TD|BL6L_JN6%JXaoi3Y_DF@-RtRmlO0@_ziD+!K`7PR={{@ph^e&Narl
z`G`;Prvn04=$mZ&)^iDeECZXQ8rSjytM5S~9!Lb1{LS?EV&q&nvN2|LPl3G0w@uox
z>(oxBlo?Z%fXOccY-xF<lEWSR%><e1R*%O1f^|d!O2Y=AO3){zM|iK`fH$_L_(?52
z8E};jyS{Q3N*^1;vKnq0Rl7VhJ@AwwbBMgOiu~2pWS`#;B9V86+<6vDOtAz1xB6pz
zz0}ctxMKkD3~k1h(AY2_XWd<=`{;IlMTjbrSS=KST-NIuqq9UTR~8E3w+UZ2cRGS9
z*1tREsJ7Mt%S$S$pbJKpbFudQk(-VJL<sZ0X>qhBk89txxW1ZNc%Ex+BJVKTKV)M7
z82Q?DsG>}-bNC`1b&yYMV}mc7TZ(&P#cdrjjlB~H*^V%jE(gsoi}g~VcLhmriCKV0
zPD?I8eN~!RtN`tw1EYSk=8%fJ0Ng}mX^TYwFNmu()2f^UxY~)K@2iP|Bb64s&VeGb
zY-b`AOwP8)weFj?Cj9%0*0y+b3vzLV>wNXsNeF1-J^vt);A*i9rDNX%Y;0{BGWvsh
za{3NkCghb>Mw|V8b|KhD30Nsa-xWUT7o)lc?)4f^-5%q*q}V!uMnAdYjKsr#zE=yr
z*UGyx4OyJS7Ql_Ua$zbcc+PGR?J0Q)Og}KfUBl9s|26uPdnx6|iHKQRX+ihGH!Q({
zfh&1JR>p{%obVM&J^wu251!uQla8E;sg&l8d2wi;Uw)u@5FM!Zx4A4OqR2^CGa(gD
zJ=ZwoZZKl5PgwkTmfvr?6WWdJHqM?yhPONBHTB^JHG=OhP?F*bkPq_@${rErqkHdY
zbP^IeXE<;)4lPO$EW)Vm%@D|Qry*aek}9e(zy0)7^S*P@ZBDet?L_H&AlA1#faTQ7
z)gf8-PmRqShMT8KGaf<9ZRCw`U<w#EZKeWelpp2cnh(CAe)T64dB_0Ne<$}eGAbzB
zJ)Rc`cl$*-VR;fe(jEpjlz?9d*%dJI3>{>tJx`J#LB<6hv1<#56XN?quM1p0U}&-K
zUFd^-`U7%Kf8V0S08^-)BS37%^os$wei3KoTSN+TH{`b1WB;&wh}X*?n6sz(9S9Jc
z)}*4gbN_8Q<LbO>3gGX=&tdoeYvTUZzzE*tM*c4uKSA$u@`)3*4R4<%a0wGTZJeP5
z3m6Lg#iXTN?dIGpVUV!e)F3qYz5CCcaJD6YQM4&WdUfo90%phOGAW}orz6~sRO8KC
zCC>a)m<F;gpq|5B4<pP~AaHPUF9XBuZg+p+UF>%-<#BFFVMfR~yvRu4S*Eb~ug4+z
z3it&`L=Bnv)uYO<Lc6&%a5S<;L>dEJw-@CHLLP08dQQB{mXdX5rXiO@6uZ$dm6zLU
zW8l_fvQ8Y`?xU>{bk);IRw9yx3{NE&B=+&fXg^fOMPg2UMQGH26s{QhJ{4GQr%NKg
zLCPp;RP~7lj&?2#+6&}+hyUxu?~nTMX{0C|KFtcD#l8ZYx`3@W#=A!VDO1{jpi@`E
zw+lBWj?@W>vlxgQIV?a;L>mE7Ex0;8c9570luF7+EZgp2egWjB39G0=%(pi&5!d$h
z-e&u>ov!(@51-2p)Cv%ljCezBF=7ZF^pcXh7TiGNd#HgU6!hiYPAzDNbK_o?>G4P;
zrl*iMJc@@YwA$t;a<uHj5qs(Ud8Ab0MX5JLz_7Q!%9A7i*Wwl{0mt*}wS%OgbsvVL
z{-e>)WroYP7AI|dwaF|0b*&zf4Q@_*Kr(B=^yQ|m*Pec*{*LYmlvum?3jIgc@SWDj
zVbloO3z?`Tqg^2$`Hh{S0b-;_CO&262R*`pB?$%d1aYXVZc7kZzo%){1&8n^y&pMa
z7L|dTxcaSivo_!#`B6w9%jF@~fM`!@Q^^es3WTcH7n4l4ieV2jSw9n=Ptr_8;s7Rv
zDoV%2J|bdjka<`A1`qwrpg<DhG5#Dyf9w!)Inq*~xm*D0(1*Y|5!<Nf8@Ln3hAtx|
zyu-NKy#5RvIT-^WSQm^PkUS2>H7>*hXo_>gPBoRQH;5&n=@In&pN|ABDJiyr{z&lK
zY36^6?_<^Koqw!9^xUBL*BT`@-S~f!9;}*@OfCtcHTCCvWK@kSdL8ZXlc;;yMU=!B
zlC;SHR^pS-1vijEP2j-ijDxLP=2d8H?D!QZpw;!<fxZ#DL;k;pL3?j^&sLBP7YJlB
zu9gQ@X1*Qy-<KC&gSE)*b8Ct;D<;F%c2Yar(y|eVy+glFwX{I}vtt#WM=t(>B_Wfx
zG=_mOR0@;6dDeiSn=-rqkIWzw2AZ+ki~{iVHOPkClxZcoamHEU*w;hZ=l{8K8-O0u
zms7)$-d1FNLeM<psL|)M&Ofkcq&%}rBXU#UL;m?fqYSaF;qH|9fS?I{RV2+7rX%T{
zy@u12O9Nki;3nijaCZg%#!cQ*ssUZv=o)%XbiVQ_GBd4A13Tl!blO{p=`0B4FS6Po
z2U7o8>n$)fDevY<>$zAHgmNU-f2b^1`=&%TRVvV?&S~Ie#Nvp68sx4vH4u!#N<{)9
z#WY!vd1X;iRAuL|Q)zLo!l9Z}ll7HE3jmt@nI(54fR2GBCB8B(0`YQQTdbeCv-ur=
zD8}DKZoHW2t|9|U>q1GH4a!99-pqrNYKmB}$#uA9u47IVs0`KQ0`Vk5ifaOTTQLsS
z?@#E}DCx6yUCyD0#-wdcMaK2S`Cdo1lZLJ<`@z^>p>dVO?osQ~z2ZrbW_5ni1Bqy`
zLrJxrDG>w8^uRI#l<9DEzwPR+4U%fyBySKL${%<;H<!}qM#>%HF1maJ5BiVTw2(F;
z^i__e>o1@j4x5_>igy;xD%eXVf5^mxv-k&hNfN{ps3w$cDYTIeixo>zN_5NT3r?O(
zJ2+!`x3yuBOmpgH+8YU?n~c1~`YB9&(^q4pFCHKt4TnDsmHkMMvXieWY0OelL@V~X
zxok=x2UC;Aq(lu9Z`MYMgh}w*b^0|gTfxKi1>$V|bGPTh0u<G!N-Cp@iLNp6`S+0(
z{J~g~^n5MOyug4r0~9K2F8Me5eBDXvTU_MO_xJKa+DX8W=JqZVk?oLMH!yIst@<^K
z^?TqjS_JzJxP9%POC1o}EJ;onZZIgqbeFp%sexW)1xQhtStTi=5C7T2pnzpIB|9#o
z{8!!(q4OSOL3eLV+Yc|2pZJNtBTZH2&wy0|DbJ_ZzFWBhxFCf<+1shcbs86@OxMrc
z&Ue<JP$~Hq^ThrSEb9N>am{#OJEBopw`nqy4ED^OH}#d5Nv`4K24gW9`1;S*Ap^aW
zpkdJ0K;pom49gol^gvN@r!(NMEj`23u*ySWf89B;5AxvLdQT&5^}kLLBZj-M@`aNv
z5Kac@?iGx#ajCNYR-e0Y6W<OR94?=uj978;y;1IV-_n^w-}ry$h14f9J#4^(o%Y@D
zxMPZGZ|F^}0(VBqjp)rZML@LoTAY;S;;bwuD>lI>hD4i(GhPmKi75@2GDeQ6rw{@p
zq+9xc0BNC6)58uOxA3{Ffa%i6kKCig2-jo4@0)~KlemaJj^R;pklJ^0<i?+n$d9+H
zSrO0G@0qY0evVWRpjknW0@bMWOP_ZK+0dKBK$m*c?Gjr_q2ais!)%olE<RdG@-&rr
z#@t~l<SBtrlw2*k?^7Y5cgNh)r2=tIpr0BffgvL$VYKs$%IW}b#+7-K!C(HvRf$b;
z@#DC`iq!!!XUq7nLups@c21M9y<~mJM)|C|Eyj<$gX$i!47-LH<|EK_AWCs!O?Gm1
z2a*<z8Esox6einV{4>;f#eF9BH~)M(l=sZV%BPMoK|>1r@_qHlNRm*xJJpOVJLO3c
zHJM#dPhR~#A0r=l9vIJEprhXS{rINywGsFWG6qMGxpR*O7Xyl5gq&M(uCjd|iQ2bn
zPmn2C_EJIAb|Tlzoo$ubB6aEpZH}tX4T^I#;}ioyJt@_*Emg7ON&&>Z>j_dIxv(wL
zH5ey)YwW{hhiMj2MTE@$Syt_a*eE4x@-t>VJleTxX|j~K{4cVmx;1=6B)%gUFD#w-
z^z+>L*DMQ$mlHT~Eb>_pxd~~2>uLn%sM^ec`chI^t%u!vY_6!KxL0;rwv#>GnQYlw
zJV^lqVATvxiwjr7L2FTM7AikIA<r*@w7AiWjP;ifqeagGf4{LLzV{j?|7hY@OP$_H
zkA8u`(&W!wq^N+@J!sms`;wRK9jj~k?~TfeN)R`a8hl~}8ry|tl%oMTW`(N!y1m=b
zm%i7}k9_f;Fo@Ku2`9lOtoOm@aJ0?ePn|AOhQY_I>x*Mq%B08vIMwPtvODWNRum~B
z&uzJwCL85hdHv%w%>_Z`7iup_cmG-UR-w`|N0&~!o`uN-906~zZbl-oMH99uErj&E
z#(Au%u1fUbq?uB^G$CzKQaz*dtMVdmNCQ&u<^UmVPmHf;uo@0lNFVx+Uh{Vg+Nq6$
zb%$Yx-mI?~D_$r19jZ8YFP!Nfwd2v=8vCV<=_HHQ!GfA$9<3RZUzHkENDs1GwO`>;
z7h{)~ZrvEQ9X}B)-bb)Vl0^3ICZhW%B&AG;HdkGq`f>sCFDc<UGDp4hn~!bT?d=W<
zUYUm)8Ms?u_2Yw>yP1YPT)2f_rTI2)<1_N^8ood}Nx`XCq^b2Md)2g^Gy8@z(@>wV
zJ*+zH?BAs57>Hvo*sLhMd1~EaiSo*xJuEXC=g(dml(ZohAsb+DM}1uL(%GCjy3O#<
zsj#`0QFsw5b9tn^ISh>$(ph<zWjG$}dBU&9F7jsO>2$v8P-x{L!k56R|HX4XVlUC|
z4zL^meG6~?b{&R8Yaa&Qv+PDXOWwrTmL~T5H3=GU7Y3ESX~JKHOoy#E#Q>14<$8Cj
zQrLaq``DpDiWxmZ)^sJfW<~W_Hpk`7Y^KrnO%9}!Du}5Q5=YwOU8}e#SxUr;0s~v8
z)G`B%c_9sw0pR=05wBk&BThRpm9s;+4TyppN0>jEG^O$WI(VFWv18fN-=YHB&wEz6
z02}mT5E&r`Mo2A_F0Rcd6W9(7C;)>YWl$h)mlO&NBxj=8*7mKMxt>##ff{7(3Vwh)
zrpl|PI+b#xc%I<%smeE~dvMlJ-7|i-3E)GJqWJse#lpyz`<{KKhRdUCI{A%mx++@;
z=c|bvu>pfRUo6;Db(0u!a`U6)WY}JowX?>=*wL$dj^QFHyS?6&cAB>@|5lU9D*$K#
z?Z>kaorPIhSkN?vV{_9JJL-oByp0R`i4mcWdPvRn7oB>B8U)4Z6g8s^kJXt@=v|9`
zrOvgy!*+&aR^-D4Ze!}qF6U0Jc1!e^6$wqjfoDJ?2XR9A6Ug#(`SD>{e|h{`Gmv_#
zRI^%Ft>zx!$3qQ$I351pj~x!aacd>NkvJ0!U8r8nO5YH7zd!Dk*f~F!k?;|_a#gV6
z?Vg6Pz>JottJ`8HAk75I9s+JR6AgZQ>UBAsUJF>U*=xmCRf}_{2If)|Pr$<Z3j-Lt
zyEl@*I^`ea9_M~!q}Ae}#kJLGkAvNj>5GYVV<dxLdmywnJbvl2P$6XJ1dJhl0cWg(
zg?$7;oYl9%es%Y-h{qLG$|LqT-|?WWBd!-_OuJnD<kLX``-C6SO8||&k_Aq=q31(8
z7za2yG;e#{;E!Oc+?>}D<`(#AgSnOz^J3(@Rr&9QgKWXP@(UfaU1_rTy@?3^SdPr~
zCtWBX6Hg&MbAzwv>%u7}llGHE%sL%5k~IzfVaMweRkIL81{{WkxCN_dlS2-7-b6qz
zNQcNm{f|zUx+)VIGwQ4FX}nnC+gMyk)ipktXSQ+BeuJ6+zVTz0;}7Sqol?Wwq71i!
z>qvb7#*j&2DD(+?LDv2Ahh)^cR?Bqlr(B1Ckq@>HO85?r3}8+bF*5|(`tpDBVNYCz
zpeCXg`ry<D?{}^DU1X8$OwzHql(sO`?3E!z5Vky&^_zLFv3=*tjf-MdQg;MeWG&e5
z>i$?hml)QuV#TTL`Af|t>V9R39^=Bkvy7K(f|5&*;f6#B#;uD7b-j>{ppXJ=unOO}
zv04SiWE1n-F5mQZ+p3FOqib3k6)jbp^Da@>*ZK6(cGIU%XkulvGs7a3@=>Yz&fx1W
zscbD;oI7lM05y4PcEAmV{wT2%{A2bvv*CsLZFV2^?gNu_O}WxL?yFYY7MD(8m=#!f
z6^6*IZ~<LdW(Ntoq0*&<3OFKonsQCV0|>n2l=8gqgit}66P7;~S6qK_2dw41K*?{T
zJ38@mc0CRs+O6HVsuceEywhHeUU5&+ue`3F$REv^yY`|nDVSx*8(npLph-U|KPg}<
zxTfs|<NW3gvm*SQoBl(*_ckkLbs_%;s|Av2R(gV(q@MijJK8T1mJk66S6lzBuaJ3_
z#axve|53?-BY9qLz#(lG=pG;Gh%bM>_O_J_dRBnu@I4wc6mHazXC-T4Udz0|wFDtT
zGS%UoROzgFq6hv3`szugUJj1(_9?0f5=ElZWT3HRLU3v~^eYiw^C{zQ)X??}ImU|m
zL!--~(x?D!PG7{V=4eA==gjA4j9!o!p$qtuYd0ujf!r_nXh$1tAhG>Th#E}_8Ce6$
z_DBqApf|yIc5(N%-jGx6Y(+C8Zn^?f!mAnQliwOo<NY><*L~xR>B%;P=LLMpa6@*t
z;7~8l-TVhm02+6ocOf1W79vp5HcGZx?gl)GgDClft36HS<l4iy+C_A}>n3|GvDs7(
zz!D3rTG4S&c+MU25TPZdHPulL)y2?JqTNI%EQ<W|_eO$Wm{Jtk=eR+36+z_ON?Ma!
z;5(rnE#^Nzttm=4$ixN%&1Ts3N5@Q4bVLX^Uh2KRCuIp%OoMk(Om*c5I~ep-43ahY
zFJ1>(sS}tR?-O?n4ysJL0dPcDzw@H!-rS<o44T_UH(EWZ+}=kk4-cl0Kq^Cb9EUy&
zJs7OMD`bU?pj>%(XEL4{9Z{e>lGXhJ&onKIS(vD*^HKCC1+I<|uVE=)ch^I?S33kh
zEv_^Vw@P2O-Xfe^A6e({F9RCzB+!5Z*oxczkgi3DBdGx^iRb3#C2xJ#Wqu3j!v%&?
zlKk10{Pw2xT(Q#)+nOYO|6ZS>J*^an>syaU7?qN;x%-eBuF|Y+^hh|PAb#aF0U;M-
zu!u`}I%ZQKlRfBJOBk(CVn>Du!6nDlceQky9Qc|T6^O-!mEVfqd_2k-I)%cCZVT(c
zCt4W)?MBX4g!PEpV7wF(f~7_dGWD6H2~|gBEJiwjQG*9$!;2GRW^LY1KF<<b**rpu
z(uaYU@WJ$GLEv;lE8`{H+S(_bDl4(qHOxVSjhx|d3R&Ts{>HX?Vu~&taunvtHx(T<
znMEg0G?0v(!r`^X6@9)&4csBc1y2t0hcg75f>o}uxP^;?+xHCNAaF1{5+JOsb~_6X
zef<6QqnKz9W@;oaAx@q7mvPgNB<NFXt$=d4R-@*&IH?<bfvh8=baL!2DRm)%@bkpn
zMZ;6&{42YfdPrn!V``YK5uK<4d^>wDb*7qIr)Jt2=w|n!@uR$Bl8P=BlKr-XdhoQe
z=*^;t$tFM<^weiNAtY%EAtgxJV9vLok}LJ<o7a4wPs&uZUF`FHs${k_-nnp5AbxgK
z9MK<6y(HM2Tpm+xs6&uF!Y9vQ75wwZ0pw2!6zV^v8DeUE-#uPPw#lA$SM@R+?(%I<
z^%5cR*J?vR;7nwL{f-?enm&U8{o5$8C$(9q$tD8if#$fPJ^3#kQn=t5IcVY`vXq8>
zLvu=a#Rgv`RB5CKFR(`vmPrA;VWlZ()7Y;~=~DH`G;WZ0)G*NhwOr|4^kG5Z<K4e}
zD|>u`Ts_Tx^1|J_K_4;l@fF3!ex0^00|x*a<T52ZbUtbk5G*?;_-Jgngz851c9QwE
zk!yJ0=+uD|3`nMf!b=Gj`u|cMt1xgczn)M%i-fMHpk(q)>!(C^e_qHC@3P#3!MtbF
z#!lReyO|`2TOhg6!{2*G!$7n@pAl&*=SZi1Kbe-j+u(_Eh47;m@~Epmm4_Bxwy}Eo
zTWSeg)t{v_qmk91G>zOlr1Dg9UgG6AwfS{6K~@;X*ON#hQY3rHQ#*@4y9xDz+BPAq
ztO=K3+#f#QFWv6kQdPBKC;>8>$N?Ft$>w)9>uBIUF_+HjG^Qht76PPgKFz(1cFA_n
z^40`jx<m70OjXKMsT_;>7QJi!EA!?vt$0QRIaa|3`c-e$l+~>3y)t6iQWNS`)=AQB
z9ddls*qN}tml~<Rb;j#rQ)ExQ99OkYZM|*VV8t{P1`V2zr-bhUgy})YpLm^jOFC7(
z$WHKP8jZq9(h?gv1`0i@mQFf1YZI?fvpA=k)}9okaDeGpz%l-0R|Srl8IfWuV$o?2
z#t9a=<^Mj39H4$ksQMk`B=@ec-T#1%AQES>(W^@ZDIf95sZZ=HR+8a;HuI{HF}fzo
z@aVhVVxQoqDC)}}JcUx6Vu#Lc$I&9q1fXFU%x8&ZXI*F(WoW9LiDxvvuA2EY{7Hn~
zcVpOZ%jbJixWWor7tmoZPe;y|eKgY5y`@@*mQyHu_}S^O>32kyVl`llw?Z{@%sDNU
zf+}8*of@dP5(f!iOe7U7LYpQIpW@}jK`3voEciy}K{Fxcd(=!l6koV$ThqNnvhMbG
zytO4MrZCdv%Wwa3sULx(ZabVV04GmPhFG^%RBTs!F#30>F%&{F>2@66g*<*(bS%H~
zsu{+s<spOL0;}eD49Otu61ltjuV>3<5>#jEyJo)>b@yL9I}D?xkZL-6p=V1o1dfN}
zKN@RPCv3b!uNchwyGq7K(TzSKnPsxQujXOv(fe}a#QKky-mvQa{#T!Z4y$vmDEDyu
z?nSy+#-0rf;@vTg2qxwO+xBCY+}?5Sun;>_cN2aqEUgQj(qWHh{opxjgq$((u;aZz
z7xSCLqX}QgI_#@X$Q??3+*<du@AR8JcZrpfAlPK4FS?D>PyZB|`YxSZdFY}6VJS+~
z=j~Dv0HYw!ptM21bMwL!4myrjuHk~CV^{0??=*`U(A16L&2p~ZDA4Sti3z~T$n!*9
z;b?gKG&PB(z*t@sNj&a`l6LIYX4_&PWb?rJUVYCOiKkw0W1hZG1nUZsBgJtjdVc76
zW_vU>ZHhVJVPAg~IU!07_R-gLmxu0Wl$^O5LwK_xc<Dz6Swqw)bJ!_Nz!7FsSqXYK
z2l@1?@FH4!6VRwD*7c%#!!sXomu4M83aF+}y(^mw3Bm-W3&153!jD`hoE0{B9_FSd
z=4-A$rM$pi5*U0=Og=G*KG3#kXC>RZ%2jOR4Hu4mTtg^Q`RKtBLI@XSRpe6Qbz~O>
z*gF6&#RM|rP#ipK23))vK)`bpwpy#N2`|z6P&1ekbrM-}Tfb)q-)Yy09o}c%Xd&%Q
zrfN-AI!qy3i=wGL$VzunOj-3KMM~QDUOIhhb;IZ!=OxnzQ)ljPtS)l<dknOYS#elh
z&BkkIR!<APEf=N?6rPWBzPXJnKQ2wkw_zH(&c77L=5brEs6Z+Cjj&4PaTgn*hVtv-
z-E!GY6XyE~$s@y+Fl|UzB63{AzVpe7Owuc&*Gq=WQjfEL@1jT+5lca9hS~izi5IB1
z(bg^-@U6~X*q~Tl@lAD2Z8Y<8P+a(mK2M3QHQ@7)LibjewT28;*!eIHzGf@+>&bk}
zwD*wW@7c=J46`+*r|U#6J9nr0%p|(V>%E}H$jRM|zNn6Jp}64k;nBa!yvUj-ZubBE
zhv+l@Ck@y){u9D~LO=q5|1{x0A^f*H{I?4JTLu5Eg8x>*|EH?}lS;0zN1*SsxtnCn
R>pk#KLq+F&zOr@5{{e@yhEo6l

literal 0
HcmV?d00001

diff --git a/ref-implementation/backstage-templates/entities/basic/skeleton/docs/index.md b/ref-implementation/backstage-templates/entities/basic/skeleton/docs/index.md
new file mode 100644
index 0000000..6f9f96b
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/basic/skeleton/docs/index.md
@@ -0,0 +1,11 @@
+![cnoe logo](./images/cnoe-logo.png)
+
+# Example Basic Application
+
+Thanks for trying out this demo! In this example, we deployed a simple application.
+
+### idpbuilder
+
+Checkout idpbuilder website: https://cnoe.io/docs/reference-implementation/installations/idpbuilder
+
+Checkout idpbuilder repository: https://github.com/cnoe-io/idpbuilder
diff --git a/ref-implementation/backstage/manifests/install.yaml b/ref-implementation/backstage/manifests/install.yaml
index 969bf39..56aacdb 100644
--- a/ref-implementation/backstage/manifests/install.yaml
+++ b/ref-implementation/backstage/manifests/install.yaml
@@ -134,7 +134,7 @@ data:
     techdocs:
       builder: 'local' # Alternatives - 'external'
       generator:
-        runIn: 'docker' # Alternatives - 'local'
+        runIn: 'local'
       publisher:
         type: 'local' # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives.
 
@@ -148,7 +148,6 @@ data:
             metadataUrl: ${KEYCLOAK_NAME_METADATA}
             clientId: backstage
             clientSecret: ${KEYCLOAK_CLIENT_SECRET}
-            scope: 'openid profile email groups'
             prompt: auto
 
     scaffolder:
@@ -264,7 +263,7 @@ spec:
                 name: gitea-credentials
             - secretRef:
                 name: argocd-credentials
-          image: ghcr.io/cnoe-io/backstage-app:b8e4f08914af17a48ed6b8b83a3621a9f4b4181d
+          image: ghcr.io/cnoe-io/backstage-app:9232d633b2698fffa6d0a73b715e06640d170162
           name: backstage
           ports:
             - containerPort: 7007

From 2b12c4d7104042140e0a41516211c12dad725804 Mon Sep 17 00:00:00 2001
From: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
Date: Wed, 2 Oct 2024 09:40:04 -0400
Subject: [PATCH 06/20] Stack: Kyverno (#38)

Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>
---
 kyverno-integration/README.md                 | 46 +++++++++++++
 kyverno-integration/kyverno.yaml              | 31 +++++++++
 .../audit/kyverno-pss-policies-audit.yaml     | 33 ++++++++++
 .../modules/enforce/exceptions/argocd.yaml    | 35 ++++++++++
 .../modules/enforce/exceptions/backstage.yaml | 35 ++++++++++
 .../enforce/exceptions/crossplane.yaml        | 36 ++++++++++
 .../enforce/exceptions/ingress-nginx.yaml     | 22 +++++++
 .../modules/enforce/exceptions/kind.yaml      | 66 +++++++++++++++++++
 .../enforce/kyverno-pss-exceptions.yaml       | 26 ++++++++
 .../enforce/kyverno-pss-policies-enforce.yaml | 33 ++++++++++
 10 files changed, 363 insertions(+)
 create mode 100644 kyverno-integration/README.md
 create mode 100644 kyverno-integration/kyverno.yaml
 create mode 100644 kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
 create mode 100644 kyverno-integration/modules/enforce/exceptions/argocd.yaml
 create mode 100644 kyverno-integration/modules/enforce/exceptions/backstage.yaml
 create mode 100644 kyverno-integration/modules/enforce/exceptions/crossplane.yaml
 create mode 100644 kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml
 create mode 100644 kyverno-integration/modules/enforce/exceptions/kind.yaml
 create mode 100644 kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml
 create mode 100644 kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml

diff --git a/kyverno-integration/README.md b/kyverno-integration/README.md
new file mode 100644
index 0000000..346484e
--- /dev/null
+++ b/kyverno-integration/README.md
@@ -0,0 +1,46 @@
+# Kyverno Stack
+
+Implementation of Kyverno for CNOE
+
+## Components
+
+The Stack installs `Kyverno` and optionally `Kyverno Pod Security Policies - Restricted` implementation. By default users should use:
+  - `module/audit` - for testing and understanding of the impact
+  - `module/enforce` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for.
+    - If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability:
+      - [ArgoCD](modules/enforce/exceptions/argocd.yaml)
+      - [Crossplane](modules/enforce/exceptions/crossplane.yaml)
+      - [Backstage](modules/enforce/exceptions/backstage.yaml)
+      - [Ingress-Nginx](modules/enforce/exceptions/ingress-nginx.yaml)
+      - [Kind cluster](modules/enforce/exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
+
+*NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues for NEW workloads, already existing workloads will not be affected immediately, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform.
+
+## Installation
+
+You can use and test out this stack without using any policies, using the `ref-implementation` as follows:
+
+```bash
+idpbuilder create --use-path-routing \
+  -p https://github.com/cnoe-io/stacks//ref-implementation \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration
+```
+
+Depending on your use case, install the Kubernetes PSS Policies in `Audit`, implemented in Kyverno as follows:
+
+```bash
+idpbuilder create --use-path-routing \
+  -p https://github.com/cnoe-io/stacks//ref-implementation \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/audit
+```
+
+If you would like to change to `Enforce` mode:
+
+```bash
+idpbuilder create --use-path-routing \
+  -p https://github.com/cnoe-io/stacks//ref-implementation \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration \
+  -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/enforce
+```
+
diff --git a/kyverno-integration/kyverno.yaml b/kyverno-integration/kyverno.yaml
new file mode 100644
index 0000000..8816923
--- /dev/null
+++ b/kyverno-integration/kyverno.yaml
@@ -0,0 +1,31 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno
+  namespace: argocd
+spec:
+  project: default
+  source:
+    chart: kyverno
+    repoURL: https://kyverno.github.io/kyverno/
+    targetRevision: 3.2.7
+    helm:
+      releaseName: kyverno
+      valuesObject:
+          kyverno.fullname: kyverno
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: kyverno
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    - CreateNamespace=true
+    automated:
+      selfHeal: true
+      prune: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
diff --git a/kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml b/kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
new file mode 100644
index 0000000..4d38eb6
--- /dev/null
+++ b/kyverno-integration/modules/audit/kyverno-pss-policies-audit.yaml
@@ -0,0 +1,33 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-audit
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/kyverno/kyverno
+    targetRevision: 3.2.7
+    path: charts/kyverno-policies
+    helm:
+      releaseName: "kyverno-policies"
+      parameters:
+        - name: "podSecurityStandard"
+          value: restricted
+        - name: "validationFailureAction"
+          value: Audit
+        - name: "podSecuritySeverity"
+          value: High
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
diff --git a/kyverno-integration/modules/enforce/exceptions/argocd.yaml b/kyverno-integration/modules/enforce/exceptions/argocd.yaml
new file mode 100644
index 0000000..b10e933
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/argocd.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: argocd-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - argocd
+        names:
+        # TODO: this should be more targeted than blanket *
+        - argocd-*
diff --git a/kyverno-integration/modules/enforce/exceptions/backstage.yaml b/kyverno-integration/modules/enforce/exceptions/backstage.yaml
new file mode 100644
index 0000000..5620a0e
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/backstage.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: backstage-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - backstage
+        names:
+        # TODO: this should be more targeted than blanket *
+        - backstage*
diff --git a/kyverno-integration/modules/enforce/exceptions/crossplane.yaml b/kyverno-integration/modules/enforce/exceptions/crossplane.yaml
new file mode 100644
index 0000000..eaacbf3
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/crossplane.yaml
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: crossplane-system-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - crossplane-system
+        names:
+        # TODO: this should be more targeted than blanket *
+        - crossplane*
+        - upbound-provider-*
diff --git a/kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml b/kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml
new file mode 100644
index 0000000..24ccaa7
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/ingress-nginx.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: ingress-nginx-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-host-ports
+    ruleNames:
+    - host-ports-none
+    - autogen-host-ports-none
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        namespaces:
+        - ingress-nginx
+        names:
+        - ingress-nginx*
diff --git a/kyverno-integration/modules/enforce/exceptions/kind.yaml b/kyverno-integration/modules/enforce/exceptions/kind.yaml
new file mode 100644
index 0000000..6bb33ce
--- /dev/null
+++ b/kyverno-integration/modules/enforce/exceptions/kind.yaml
@@ -0,0 +1,66 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: system-cnoe-operation
+  namespace: kyverno
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - host-path
+    - autogen-host-path
+  - policyName: disallow-privilege-escalation
+    ruleNames:
+    - privilege-escalation
+    - autogen-privilege-escalation
+  - policyName: disallow-privileged-containers
+    ruleNames:
+    - privileged-containers
+    - autogen-privileged-containers
+  - policyName: disallow-capabilities-strict
+    ruleNames:
+    - require-drop-all
+    - autogen-require-drop-all
+    - adding-capabilities-strict
+    - autogen-adding-capabilities-strict
+    - adding-capabilities
+    - autogen-adding-capabilities
+  - policyName: disallow-capabilities
+    ruleNames:
+    - adding-capabilities
+    - autogen-adding-capabilities
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  - policyName: restrict-seccomp-strict
+    ruleNames:
+    - check-seccomp-strict
+    - autogen-check-seccomp-strict
+  - policyName: restrict-volume-types
+    ruleNames:
+    - restricted-volumes
+    - autogen-restricted-volumes
+  - policyName: disallow-host-namespaces
+    ruleNames:
+    - host-namespaces
+    - autogen-host-namespaces
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+        - ReplicaSet
+        - StatefulSet
+        - DaemonSet
+        namespaces:
+        - kube-system
+        - local-path-storage
+        names:
+        # TODO: this should be more targeted than blanket *
+        - kube-*
+        - kindnet*
+        - local-path*
+        - coredns*
+        - etcd-*
diff --git a/kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml b/kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml
new file mode 100644
index 0000000..dce95b4
--- /dev/null
+++ b/kyverno-integration/modules/enforce/kyverno-pss-exceptions.yaml
@@ -0,0 +1,26 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-enforce-exceptions
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: cnoe://exceptions
+    targetRevision: HEAD
+    path: "."
+    directory:
+      recurse: true
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
diff --git a/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml b/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml
new file mode 100644
index 0000000..8545a51
--- /dev/null
+++ b/kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml
@@ -0,0 +1,33 @@
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-enforce
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/kyverno/kyverno
+    targetRevision: HEAD
+    path: charts/kyverno-policies
+    helm:
+      releaseName: "kyverno-policies"
+      parameters:
+        - name: "podSecurityStandard"
+          value: restricted
+        - name: "validationFailureAction"
+          value: Enforce
+        - name: "podSecuritySeverity"
+          value: High
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s

From 2ed8e1d37fefaee129443bb16cd7f1dcd5775f47 Mon Sep 17 00:00:00 2001
From: Manabu McCloskey <manabu.mccloskey@gmail.com>
Date: Thu, 10 Oct 2024 12:47:26 -0700
Subject: [PATCH 07/20] add guest user (#42)

Signed-off-by: Manabu McCloskey <manabu.mccloskey@gmail.com>
---
 .../app-with-bucket/skeleton/catalog-info.yaml    |  6 +++---
 .../entities/app-with-bucket/template.yaml        |  2 +-
 .../argo-workflows/skeleton/catalog-info.yaml     |  4 ++--
 .../entities/argo-workflows/template.yaml         |  2 +-
 .../entities/basic/skeleton/catalog-info.yaml     |  4 ++--
 .../entities/basic/template.yaml                  |  2 +-
 .../entities/catalog-info.yaml                    |  9 +++++++++
 .../entities/organization/guests.yaml             | 15 +++++++++++++++
 .../backstage/manifests/install.yaml              |  7 ++-----
 9 files changed, 36 insertions(+), 15 deletions(-)
 create mode 100644 ref-implementation/backstage-templates/entities/organization/guests.yaml

diff --git a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml
index 72d80a3..7eb1d36 100644
--- a/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/app-with-bucket/skeleton/catalog-info.yaml
@@ -7,7 +7,7 @@ metadata:
     argocd/app-name: ${{values.name | dump}}
 spec:
   type: s3-bucket
-  owner: guest
+  owner: guests
 ---
 apiVersion: backstage.io/v1alpha1
 kind: Component
@@ -24,7 +24,7 @@ metadata:
       title: Repo URL
       icon: github
 spec:
-  owner: guest
+  owner: guests
   lifecycle: experimental
   type: service
   system: ${{values.name | dump}}
@@ -43,6 +43,6 @@ metadata:
       title: CNOE Repo
       icon: github
 spec:
-  owner: guest
+  owner: guests
   lifecycle: experimental
   type: service
diff --git a/ref-implementation/backstage-templates/entities/app-with-bucket/template.yaml b/ref-implementation/backstage-templates/entities/app-with-bucket/template.yaml
index f2fc060..7627951 100644
--- a/ref-implementation/backstage-templates/entities/app-with-bucket/template.yaml
+++ b/ref-implementation/backstage-templates/entities/app-with-bucket/template.yaml
@@ -5,7 +5,7 @@ metadata:
   name: app-with-aws-resources
   title: Add a Go App with AWS resources
 spec:
-  owner: guest
+  owner: guests
   type: service
   parameters:
     - properties:
diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml
index 6324717..0cf6405 100644
--- a/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/argo-workflows/skeleton/catalog-info.yaml
@@ -18,7 +18,7 @@ metadata:
       title: Repo URL
       icon: github
 spec:
-  owner: guest
+  owner: guests
   lifecycle: experimental
   type: service
   system: ${{values.name | dump}}
@@ -35,6 +35,6 @@ metadata:
       title: CNOE Repo
       icon: github
 spec:
-  owner: guest
+  owner: guests
   lifecycle: experimental
   type: service
diff --git a/ref-implementation/backstage-templates/entities/argo-workflows/template.yaml b/ref-implementation/backstage-templates/entities/argo-workflows/template.yaml
index fb41bec..985c97b 100644
--- a/ref-implementation/backstage-templates/entities/argo-workflows/template.yaml
+++ b/ref-implementation/backstage-templates/entities/argo-workflows/template.yaml
@@ -5,7 +5,7 @@ metadata:
   name: argo-workflows-basic
   title: Basic Argo Workflow with a Spark Job
 spec:
-  owner: guest
+  owner: guests
   type: service
   parameters:
     - title: Configuration Options
diff --git a/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml b/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml
index 8893792..c4dec95 100644
--- a/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/basic/skeleton/catalog-info.yaml
@@ -14,7 +14,7 @@ metadata:
       title: Repo URL
       icon: github
 spec:
-  owner: guest
+  owner: guests
   lifecycle: experimental
   type: service
   system: ${{values.name | dump}}
@@ -31,6 +31,6 @@ metadata:
       title: CNOE Repo 
       icon: github
 spec:
-  owner: guest
+  owner: guests
   lifecycle: experimental
   type: service
diff --git a/ref-implementation/backstage-templates/entities/basic/template.yaml b/ref-implementation/backstage-templates/entities/basic/template.yaml
index dd0d173..f75743b 100644
--- a/ref-implementation/backstage-templates/entities/basic/template.yaml
+++ b/ref-implementation/backstage-templates/entities/basic/template.yaml
@@ -5,7 +5,7 @@ metadata:
   name: basic
   title: Create a Basic Deployment
 spec:
-  owner: guest
+  owner: guests
   type: service
   parameters:
     - title: Configuration Options
diff --git a/ref-implementation/backstage-templates/entities/catalog-info.yaml b/ref-implementation/backstage-templates/entities/catalog-info.yaml
index 5dd49eb..f49a7bb 100644
--- a/ref-implementation/backstage-templates/entities/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/catalog-info.yaml
@@ -8,3 +8,12 @@ spec:
     - ./basic/template.yaml
     - ./argo-workflows/template.yaml
     - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/ref-implementation/backstage-templates/entities/organization/guests.yaml b/ref-implementation/backstage-templates/entities/organization/guests.yaml
new file mode 100644
index 0000000..b1dddfc
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/organization/guests.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: backstage.io/v1alpha1
+kind: User
+metadata:
+  name: guest
+spec:
+  memberOf: [guests]
+---
+apiVersion: backstage.io/v1alpha1
+kind: Group
+metadata:
+  name: guests
+spec:
+  type: team
+  children: []
diff --git a/ref-implementation/backstage/manifests/install.yaml b/ref-implementation/backstage/manifests/install.yaml
index 56aacdb..5cc31a9 100644
--- a/ref-implementation/backstage/manifests/install.yaml
+++ b/ref-implementation/backstage/manifests/install.yaml
@@ -166,11 +166,8 @@ data:
         # Examples from a public GitHub repository.
         - type: url
           target: https://cnoe.localtest.me/gitea/giteaAdmin/idpbuilder-localdev-backstage-templates-entities/raw/branch/main/catalog-info.yaml
-        ## Uncomment these lines to add an example org
-        # - type: url
-        #   target: https://github.com/backstage/backstage/blob/master/packages/catalog-model/examples/acme-corp.yaml
-        #   rules:
-        #     - allow: [User, Group]
+          rules:
+            - allow: [Component, System, API, Resource, Location, Template, User, Group]
     kubernetes:
       serviceLocatorMethod:
         type: 'multiTenant'

From 80d62e30a409524a59bfbdf23a50a34edabf9665 Mon Sep 17 00:00:00 2001
From: Greg Haynes <greg.haynes@autodesk.com>
Date: Fri, 1 Nov 2024 12:16:55 -0700
Subject: [PATCH 08/20] Add vcluster-multi-env stack (#44)

Signed-off-by: Greg Haynes <greg.haynes@autodesk.com>
---
 vcluster-multi-env/README.md                  | 41 ++++++++++
 vcluster-multi-env/add-vclusters.sh           | 48 ++++++++++++
 .../vcluster/application-vcluster.yaml        | 39 ++++++++++
 vcluster-multi-env/vcluster/ingress.yaml      | 27 +++++++
 .../vcluster/kustomization.yaml               |  3 +
 vcluster-multi-env/vclusters.yaml             | 78 +++++++++++++++++++
 6 files changed, 236 insertions(+)
 create mode 100644 vcluster-multi-env/README.md
 create mode 100755 vcluster-multi-env/add-vclusters.sh
 create mode 100644 vcluster-multi-env/vcluster/application-vcluster.yaml
 create mode 100644 vcluster-multi-env/vcluster/ingress.yaml
 create mode 100644 vcluster-multi-env/vcluster/kustomization.yaml
 create mode 100644 vcluster-multi-env/vclusters.yaml

diff --git a/vcluster-multi-env/README.md b/vcluster-multi-env/README.md
new file mode 100644
index 0000000..42dceba
--- /dev/null
+++ b/vcluster-multi-env/README.md
@@ -0,0 +1,41 @@
+# IDP Builder Multi-Environment
+
+Multi-environment emulation on top of CNOE.
+
+# Configuring Clusters
+
+By default, this stack creates two vclusters (staging and production). If you
+desire a different configuration you can edit the following list in
+`vclusters.yaml`:
+
+```yaml
+  generators:
+  - list:
+      elements:
+      - name: staging
+      - name: production
+```
+
+# Running
+
+```bash
+# Create CNOE deployment with vcluster-multi-env stack
+idpbuilder create -p vcluster-multi-env
+
+# Enroll vclusters in ArgoCD
+./vcluster-multi-env/add-vclusters.sh
+```
+
+# Using
+
+Your CNOE ArgoCD should now have a cluster enrolled for each configured
+vcluster (staging and production by default). These clusters will have the
+following labels for your use:
+
+```yaml
+    cnoe.io/vclusterMultiEnv/clusterClass: "app-runtime"
+    cnoe.io/vclusterMultiEnv/clusterName: "${cluster_name}"
+```
+
+You may now target them using, for example, an ArgoCD ApplicationSet cluster
+generator which matches these labels.
diff --git a/vcluster-multi-env/add-vclusters.sh b/vcluster-multi-env/add-vclusters.sh
new file mode 100755
index 0000000..78d6d96
--- /dev/null
+++ b/vcluster-multi-env/add-vclusters.sh
@@ -0,0 +1,48 @@
+#! /bin/bash
+
+set -eu
+
+vcluster_app_names=$(kubectl get application -A -l cnoe.io/applicationName=vcluster-package,cnoe.io/stackName=vcluster-multi-env --no-headers -o custom-columns=":metadata.name")
+environments=$(echo "$vcluster_app_names" | cut -f 1 -d '-')
+
+for env in $environments; do
+    cluster_name=$env
+
+    echo "Checking readiness for ${cluster_name} vcluster..."
+
+    until kubectl get secret -n ${cluster_name}-vcluster vc-${cluster_name}-vcluster-helm &> /dev/null; do
+      echo "Waiting for ${cluster_name} vcluster secret to be ready..."
+      sleep 10
+    done
+
+    echo "${cluster_name} vcluster is ready. Retrieving credentials..."
+    client_key=$(kubectl get secret -n ${cluster_name}-vcluster vc-${cluster_name}-vcluster-helm --template='{{index .data "client-key" }}')
+    client_certificate=$(kubectl get secret -n ${cluster_name}-vcluster vc-${cluster_name}-vcluster-helm --template='{{index .data "client-certificate" }}')
+    certificate_authority=$(kubectl get secret -n ${cluster_name}-vcluster vc-${cluster_name}-vcluster-helm --template='{{index .data "certificate-authority" }}')
+
+    kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ${cluster_name}-vcluster-secret
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+    cnoe.io/vclusterMultiEnv/clusterClass: "app-runtime"
+    cnoe.io/vclusterMultiEnv/clusterName: "${cluster_name}"
+type: Opaque
+stringData:
+  name: ${cluster_name}-vcluster
+  server: https://${cluster_name}-vcluster.cnoe.localtest.me:443
+  config: |
+    {
+      "tlsClientConfig": {
+        "insecure": false,
+        "caData": "${certificate_authority}",
+        "certData": "${client_certificate}",
+        "keyData": "${client_key}"
+      }
+    }
+EOF
+
+done
diff --git a/vcluster-multi-env/vcluster/application-vcluster.yaml b/vcluster-multi-env/vcluster/application-vcluster.yaml
new file mode 100644
index 0000000..11fb265
--- /dev/null
+++ b/vcluster-multi-env/vcluster/application-vcluster.yaml
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: unpatched-vcluster
+  namespace: argocd
+  labels:
+    cnoe.io/stackName: vcluster-multi-env
+    cnoe.io/applicationName: vcluster-helm
+spec:
+  project: default
+  source:
+    chart: vcluster
+    repoURL: https://charts.loft.sh
+    targetRevision: 0.20.0
+    helm:
+      valuesObject:
+        sync:
+          fromHost:
+            nodes:
+              enabled: true # Required for virtualScheduler
+        controlPlane:
+          advanced:
+            virtualScheduler: # For Keptn support: https://keptn.sh/stable/docs/installation/configuration/vcluster/
+              enabled: true
+          proxy:
+            extraSANs:
+            - unpatched-vcluster-hostname.cnoe.localtest.me
+          statefulSet:
+            scheduling:
+              podManagementPolicy: OrderedReady
+        exportKubeConfig:
+          server: https://unpatched-vcluster-hostname.cnoe.localtest.me:443
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: unpatched-vcluster
+  syncPolicy:
+    automated: {}
+    syncOptions:
+    - CreateNamespace=true
\ No newline at end of file
diff --git a/vcluster-multi-env/vcluster/ingress.yaml b/vcluster-multi-env/vcluster/ingress.yaml
new file mode 100644
index 0000000..3d89fe1
--- /dev/null
+++ b/vcluster-multi-env/vcluster/ingress.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    # We need the ingress to pass through ssl traffic to the vCluster
+    # This only works for the nginx-ingress (enable via --enable-ssl-passthrough
+    # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough )
+    # for other ingress controllers please check their respective documentation.
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+  name: vcluster-ingress
+  labels:
+    cnoe.io/stackName: vcluster-multi-env
+spec:
+  ingressClassName: nginx # use your ingress class name
+  rules:
+  - host: unpatched-vcluster-hostname.cnoe.localtest.me
+    http:
+      paths:
+      - backend:
+          service:
+            name: unpatched-vcluster-services
+            port:
+              number: 443
+        path: /
+        pathType: ImplementationSpecific
\ No newline at end of file
diff --git a/vcluster-multi-env/vcluster/kustomization.yaml b/vcluster-multi-env/vcluster/kustomization.yaml
new file mode 100644
index 0000000..f0be1b3
--- /dev/null
+++ b/vcluster-multi-env/vcluster/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+- application-vcluster.yaml
+- ingress.yaml
\ No newline at end of file
diff --git a/vcluster-multi-env/vclusters.yaml b/vcluster-multi-env/vclusters.yaml
new file mode 100644
index 0000000..09fee3f
--- /dev/null
+++ b/vcluster-multi-env/vclusters.yaml
@@ -0,0 +1,78 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: vclusters
+  namespace: argocd
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+  - list:
+      elements:
+      - name: staging
+      - name: production
+  template:
+    metadata:
+      name: '{{.name}}-vcluster'
+      labels:
+        cnoe.io/stackName: vcluster-multi-env
+        cnoe.io/applicationName: vcluster-package
+      finalizers:
+      - resources-finalizer.argocd.argoproj.io # enabling cascading deletion
+    spec:
+      project: 'default'
+      source:
+        repoURL: cnoe://
+        targetRevision: HEAD
+        path: vcluster
+        kustomize:
+          patches:
+          - target:
+              labelSelector: cnoe.io/stackName=vcluster-multi-env
+              kind: Ingress
+            patch: |-
+              - op: replace
+                path: /spec/rules/0/host
+                value: {{.name}}-vcluster.cnoe.localtest.me
+          - target:
+              labelSelector: cnoe.io/stackName=vcluster-multi-env
+              kind: Ingress
+            patch: |-
+              - op: replace
+                path: /spec/rules/0/http/paths/0/backend/service/name
+                value: {{.name}}-vcluster-helm
+          - target:
+              labelSelector: cnoe.io/stackName=vcluster-multi-env
+              kind: Application
+            patch: |-
+              - op: replace
+                path: /metadata/name
+                value: {{.name}}-vcluster-helm
+          - target:
+              labelSelector: cnoe.io/stackName=vcluster-multi-env
+              kind: Application
+            patch: |-
+              - op: replace
+                path: /spec/source/helm/valuesObject/controlPlane/proxy/extraSANs/0
+                value: {{.name}}-vcluster.cnoe.localtest.me
+          - target:
+              labelSelector: cnoe.io/stackName=vcluster-multi-env
+              kind: Application
+            patch: |-
+              - op: replace
+                path: /spec/source/helm/valuesObject/exportKubeConfig/server
+                value: https://{{.name}}-vcluster.cnoe.localtest.me:443
+          - target:
+              labelSelector: cnoe.io/stackName=vcluster-multi-env
+              kind: Application
+            patch: |-
+              - op: replace
+                path: /spec/destination/namespace
+                value: {{.name}}-vcluster
+      destination:
+        server: "https://kubernetes.default.svc"
+        namespace: '{{.name}}-vcluster'
+      syncPolicy:
+        automated: {}
+        syncOptions:
+        - CreateNamespace=true
\ No newline at end of file

From 2608dde2a6030add793009dbb23eeb08bf2d28e7 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Mon, 11 Nov 2024 14:39:55 +0100
Subject: [PATCH 09/20] openbao

---
 .../open-bao_20241111142831.yaml              |  21 +
 .../open-bao_20241111142912.yaml              |  21 +
 .../open-bao_20241111142943.yaml              |  22 ++
 .../open-bao_20241111142944.yaml              |  22 ++
 .../open-bao_20241111142947.yaml              |  21 +
 .../open-bao_20241111142957.yaml              |  21 +
 .../open-bao_20241111143101.yaml              |  21 +
 .../openbao_20241111143100.yaml               |  21 +
 .../openbao_20241111143152.yaml               |  21 +
 .../openbao_20241111143207.yaml               |  21 +
 ref-implementation/openbao.yaml               |  21 +
 .../openbao/manifests/ingress.yaml            |  30 ++
 .../openbao/manifests/install.yaml            | 164 ++++++++
 .../openbao/manifests/keycloak-config.yaml    | 366 ++++++++++++++++++
 .../openbao/manifests/secret-gen.yaml         | 179 +++++++++
 15 files changed, 972 insertions(+)
 create mode 100644 .history/ref-implementation/open-bao_20241111142831.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142912.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142943.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142944.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142947.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111142957.yaml
 create mode 100644 .history/ref-implementation/open-bao_20241111143101.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111143100.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111143152.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111143207.yaml
 create mode 100644 ref-implementation/openbao.yaml
 create mode 100644 ref-implementation/openbao/manifests/ingress.yaml
 create mode 100644 ref-implementation/openbao/manifests/install.yaml
 create mode 100644 ref-implementation/openbao/manifests/keycloak-config.yaml
 create mode 100644 ref-implementation/openbao/manifests/secret-gen.yaml

diff --git a/.history/ref-implementation/open-bao_20241111142831.yaml b/.history/ref-implementation/open-bao_20241111142831.yaml
new file mode 100644
index 0000000..d279bc5
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142831.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+  labels:
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142912.yaml b/.history/ref-implementation/open-bao_20241111142912.yaml
new file mode 100644
index 0000000..0d8f748
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142912.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142943.yaml b/.history/ref-implementation/open-bao_20241111142943.yaml
new file mode 100644
index 0000000..38a34a4
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142943.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+  env: dev
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142944.yaml b/.history/ref-implementation/open-bao_20241111142944.yaml
new file mode 100644
index 0000000..7249de0
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142944.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+    example: ref-implementation
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142947.yaml b/.history/ref-implementation/open-bao_20241111142947.yaml
new file mode 100644
index 0000000..3aa23e8
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142947.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: keycloak
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111142957.yaml b/.history/ref-implementation/open-bao_20241111142957.yaml
new file mode 100644
index 0000000..a557757
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111142957.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/open-bao_20241111143101.yaml b/.history/ref-implementation/open-bao_20241111143101.yaml
new file mode 100644
index 0000000..a132e8d
--- /dev/null
+++ b/.history/ref-implementation/open-bao_20241111143101.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241111143100.yaml b/.history/ref-implementation/openbao_20241111143100.yaml
new file mode 100644
index 0000000..a132e8d
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111143100.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: open-bao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241111143152.yaml b/.history/ref-implementation/openbao_20241111143152.yaml
new file mode 100644
index 0000000..aa23be6
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111143152.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: open-bao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241111143207.yaml b/.history/ref-implementation/openbao_20241111143207.yaml
new file mode 100644
index 0000000..8a632d4
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111143207.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml
new file mode 100644
index 0000000..8a632d4
--- /dev/null
+++ b/ref-implementation/openbao.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/ref-implementation/openbao/manifests/ingress.yaml b/ref-implementation/openbao/manifests/ingress.yaml
new file mode 100644
index 0000000..abaf181
--- /dev/null
+++ b/ref-implementation/openbao/manifests/ingress.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress-localhost
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "100"
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/ref-implementation/openbao/manifests/install.yaml b/ref-implementation/openbao/manifests/install.yaml
new file mode 100644
index 0000000..ed3b799
--- /dev/null
+++ b/ref-implementation/openbao/manifests/install.yaml
@@ -0,0 +1,164 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    app: keycloak
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/ref-implementation/openbao/manifests/keycloak-config.yaml b/ref-implementation/openbao/manifests/keycloak-config.yaml
new file mode 100644
index 0000000..4bb098e
--- /dev/null
+++ b/ref-implementation/openbao/manifests/keycloak-config.yaml
@@ -0,0 +1,366 @@
+# resources here are used to configure keycloak instance for SSO
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+subjects:
+  - kind: ServiceAccount
+    name: keycloak-config
+    namespace: keycloak
+roleRef:
+  kind: Role
+  name: keycloak-config
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: keycloak-config
+  namespace: argocd
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: keycloak-config
+  namespace: argocd
+subjects:
+  - kind: ServiceAccount
+    name: keycloak-config
+    namespace: keycloak
+roleRef:
+  kind: Role
+  name: keycloak-config
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-job
+  namespace: keycloak
+data:
+  client-scope-groups-payload.json: |
+    {
+      "name": "groups",
+      "description": "groups a user belongs to",
+      "attributes": {
+          "consent.screen.text": "Access to groups a user belongs to.",
+          "display.on.consent.screen": "true",
+          "include.in.token.scope": "true",
+          "gui.order": ""
+      },
+      "type": "default",
+      "protocol": "openid-connect"
+    }
+  group-admin-payload.json: |
+    {"name":"admin"}
+  group-base-user-payload.json: |
+    {"name":"base-user"}
+  group-mapper-payload.json: |
+    {
+        "protocol": "openid-connect",
+        "protocolMapper": "oidc-group-membership-mapper",
+        "name": "groups",
+        "config": {
+          "claim.name": "groups",
+          "full.path": "false",
+          "id.token.claim": "true",
+          "access.token.claim": "true",
+          "userinfo.token.claim": "true"
+        }
+    }
+  realm-payload.json: |
+    {"realm":"cnoe","enabled":true}
+  user-password.json: |
+    {
+        "temporary": false,
+        "type": "password",
+        "value": "${USER1_PASSWORD}"
+    }
+  user-user1.json: |
+    {
+        "username": "user1",
+        "email": "",
+        "firstName": "user",
+        "lastName": "one",
+        "requiredActions": [],
+        "emailVerified": false,
+        "groups": [
+          "/admin"
+        ],
+        "enabled": true
+    }
+  user-user2.json: |
+    {
+        "username": "user2",
+        "email": "",
+        "firstName": "user",
+        "lastName": "two",
+        "requiredActions": [],
+        "emailVerified": false,
+        "groups": [
+          "/base-user"
+        ],
+        "enabled": true
+    }
+  argo-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "argo-workflows",
+      "name": "Argo Workflows Client",
+      "description": "Used for Argo Workflows SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://cnoe.localtest.me:8443/argo-workflows/oauth2/callback"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }
+
+  backstage-client-payload.json: |
+    {
+      "protocol": "openid-connect",
+      "clientId": "backstage",
+      "name": "Backstage Client",
+      "description": "Used for Backstage SSO",
+      "publicClient": false,
+      "authorizationServicesEnabled": false,
+      "serviceAccountsEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "standardFlowEnabled": true,
+      "frontchannelLogout": true,
+      "attributes": {
+        "saml_idp_initiated_sso_url_name": "",
+        "oauth2.device.authorization.grant.enabled": false,
+        "oidc.ciba.grant.enabled": false
+      },
+      "alwaysDisplayInConsole": false,
+      "rootUrl": "",
+      "baseUrl": "",
+      "redirectUris": [
+        "https://cnoe.localtest.me:8443/api/auth/keycloak-oidc/handler/frame"
+      ],
+      "webOrigins": [
+        "/*"
+      ]
+    }
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: config
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+spec:
+  template:
+    metadata:
+      generateName: config
+    spec:
+      serviceAccountName: keycloak-config
+      restartPolicy: Never
+      volumes:
+        - name: keycloak-config
+          secret:
+            secretName: keycloak-config
+        - name: config-payloads
+          configMap:
+            name: config-job
+      containers:
+        - name: kubectl
+          image: docker.io/library/ubuntu:22.04
+          volumeMounts:
+            - name: keycloak-config
+              readOnly: true
+              mountPath: "/var/secrets/"
+            - name: config-payloads
+              readOnly: true
+              mountPath: "/var/config/"
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              #! /bin/bash
+  
+              set -ex -o pipefail
+              
+              apt -qq update && apt -qq install curl jq -y
+              
+              ADMIN_PASSWORD=$(cat /var/secrets/KEYCLOAK_ADMIN_PASSWORD)
+              USER1_PASSWORD=$(cat /var/secrets/USER_PASSWORD)
+
+              KEYCLOAK_URL=http://keycloak.keycloak.svc.cluster.local:8080/keycloak
+
+              KEYCLOAK_TOKEN=$(curl -sS  --fail-with-body -X POST -H "Content-Type: application/x-www-form-urlencoded" \
+                --data-urlencode "username=cnoe-admin" \
+                --data-urlencode "password=${ADMIN_PASSWORD}" \
+                --data-urlencode "grant_type=password" \
+                --data-urlencode "client_id=admin-cli" \
+                ${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token | jq -e -r '.access_token')
+                
+              set +e
+              
+              curl --fail-with-body -H "Authorization: bearer ${KEYCLOAK_TOKEN}"  "${KEYCLOAK_URL}/admin/realms/cnoe"  &> /dev/null
+              if [ $? -eq 0 ]; then
+                exit 0
+              fi
+              set -e
+              
+              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
+              chmod +x kubectl
+              
+              echo "creating cnoe realm and groups"
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/realm-payload.json \
+                ${KEYCLOAK_URL}/admin/realms
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/client-scope-groups-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/group-admin-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/group-base-user-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
+              
+              # Create scope mapper
+                echo 'adding group claim to tokens'
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/group-mapper-payload.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes/${CLIENT_SCOPE_GROUPS_ID}/protocol-mappers/models
+                
+              echo "creating test users"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/user-user1.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/user-user2.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users
+              
+              USER1ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=one" | jq -r '.[0].id')
+              USER2ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=two" | jq -r '.[0].id')
+              
+              echo "setting user passwords"
+              jq -r --arg pass ${USER1_PASSWORD}  '.value = $pass' /var/config/user-password.json > /tmp/user-password-to-be-applied.json
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT --data @/tmp/user-password-to-be-applied.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER1ID}/reset-password
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT --data @/tmp/user-password-to-be-applied.json \
+                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER2ID}/reset-password
+            
+              echo "creating Argo Workflows client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                  -X POST --data @/var/config/argo-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argo-workflows") | .id')
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+              echo "creating Backstage client"
+              curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X POST --data @/var/config/backstage-client-payload.json \
+                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
+              
+              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
+              
+              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
+              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
+              
+              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
+                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
+                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
+              
+              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
+              
+              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
+              
+              echo \
+              "apiVersion: v1
+              kind: Secret
+              metadata:
+                name: keycloak-clients
+                namespace: keycloak
+              type: Opaque
+              stringData:
+                ARGO_WORKFLOWS_CLIENT_SECRET: ${ARGO_WORKFLOWS_CLIENT_SECRET}
+                ARGO_WORKFLOWS_CLIENT_ID: argo-workflows
+                ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
+                BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
+                BACKSTAGE_CLIENT_ID: backstage
+              " > /tmp/secret.yaml
+              
+              ./kubectl apply -f /tmp/secret.yaml
+              
diff --git a/ref-implementation/openbao/manifests/secret-gen.yaml b/ref-implementation/openbao/manifests/secret-gen.yaml
new file mode 100644
index 0000000..f7bf8c9
--- /dev/null
+++ b/ref-implementation/openbao/manifests/secret-gen.yaml
@@ -0,0 +1,179 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata:
+  name: keycloak
+  namespace: keycloak
+spec:
+  length: 36
+  digits: 5
+  symbols: 5
+  symbolCharacters: "/-+"
+  noUpper: false
+  allowRepeat: true
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+spec:
+  refreshInterval: "0"
+  target:
+    name: keycloak-config
+    template:
+      metadata:
+        labels:
+          cnoe.io/cli-secret: "true"
+          cnoe.io/package-name: keycloak
+      engineVersion: v2
+      data:
+        KEYCLOAK_ADMIN_PASSWORD: "{{.KEYCLOAK_ADMIN_PASSWORD}}"
+        KC_DB_USERNAME: keycloak
+        KC_DB_PASSWORD: "{{.KC_DB_PASSWORD}}"
+        POSTGRES_DB: keycloak
+        POSTGRES_USER: keycloak
+        POSTGRES_PASSWORD: "{{.KC_DB_PASSWORD}}"
+        USER_PASSWORD: "{{.USER_PASSWORD}}"
+  dataFrom:
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: keycloak
+      rewrite:
+        - transform:
+            template: "KEYCLOAK_ADMIN_PASSWORD"
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: keycloak
+      rewrite:
+        - transform:
+            template: "KC_DB_PASSWORD"
+    - sourceRef:
+        generatorRef:
+          apiVersion: generators.external-secrets.io/v1alpha1
+          kind: Password
+          name: keycloak
+      rewrite:
+        - transform:
+            template: "USER_PASSWORD"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eso-store
+  namespace: keycloak
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: keycloak
+  name: eso-store
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - selfsubjectrulesreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: eso-store
+  namespace: keycloak
+subjects:
+  - kind: ServiceAccount
+    name: eso-store
+    namespace: keycloak
+roleRef:
+  kind: Role
+  name: eso-store
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: keycloak
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: keycloak
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          namespace: keycloak
+          key: ca.crt
+      auth:
+        serviceAccount:
+          name: eso-store
+          namespace: keycloak
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eso-store
+  namespace: gitea
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: eso-store
+  namespace: gitea
+rules:
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - selfsubjectrulesreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: eso-store
+  namespace: gitea
+subjects:
+  - kind: ServiceAccount
+    name: eso-store
+    namespace: gitea
+roleRef:
+  kind: Role
+  name: eso-store
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: gitea
+spec:
+  provider:
+    kubernetes:
+      remoteNamespace: gitea
+      server:
+        caProvider:
+          type: ConfigMap
+          name: kube-root-ca.crt
+          namespace: gitea
+          key: ca.crt
+      auth:
+        serviceAccount:
+          name: eso-store
+          namespace: gitea

From 6157854f504926991192fffd7bc524537c27961d Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Mon, 11 Nov 2024 14:54:14 +0100
Subject: [PATCH 10/20] test

---
 .../entities/catalog-info_20241111142553.yaml | 19 ++++++++++++++++++
 .../entities/catalog-info_20241111145410.yaml | 20 +++++++++++++++++++
 .../entities/catalog-info.yaml                |  1 +
 3 files changed, 40 insertions(+)
 create mode 100644 .history/ref-implementation/backstage-templates/entities/catalog-info_20241111142553.yaml
 create mode 100644 .history/ref-implementation/backstage-templates/entities/catalog-info_20241111145410.yaml

diff --git a/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111142553.yaml b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111142553.yaml
new file mode 100644
index 0000000..f49a7bb
--- /dev/null
+++ b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111142553.yaml
@@ -0,0 +1,19 @@
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-example-templates
+  description: A collection of example templates
+spec:
+  targets:
+    - ./basic/template.yaml
+    - ./argo-workflows/template.yaml
+    - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145410.yaml b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145410.yaml
new file mode 100644
index 0000000..ff05253
--- /dev/null
+++ b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145410.yaml
@@ -0,0 +1,20 @@
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-example-templates
+  description: A collection of example templates
+spec:
+  targets:
+    - ./basic/template.yaml
+    - ./argo-workflows/template.yaml
+    - ./app-with-bucket/template.yaml
+    - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/ref-implementation/backstage-templates/entities/catalog-info.yaml b/ref-implementation/backstage-templates/entities/catalog-info.yaml
index f49a7bb..ff05253 100644
--- a/ref-implementation/backstage-templates/entities/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/catalog-info.yaml
@@ -8,6 +8,7 @@ spec:
     - ./basic/template.yaml
     - ./argo-workflows/template.yaml
     - ./app-with-bucket/template.yaml
+    - ./app-with-bucket/template.yaml
 ---
 apiVersion: backstage.io/v1alpha1
 kind: Location

From 2d083b9f40609ae8e1ce1b414066bf19c7ec3c32 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Mon, 11 Nov 2024 14:55:28 +0100
Subject: [PATCH 11/20] template

---
 .../entities/catalog-info_20241111145445.yaml | 19 ++++++
 .../entities/catalog-info_20241111145519.yaml | 21 +++++++
 .../entities/catalog-info_20241111145520.yaml | 21 +++++++
 .../entities/catalog-info_20241111145522.yaml | 20 +++++++
 .../entities/basic/template2.yaml             | 58 +++++++++++++++++++
 .../entities/catalog-info.yaml                |  2 +-
 6 files changed, 140 insertions(+), 1 deletion(-)
 create mode 100644 .history/ref-implementation/backstage-templates/entities/catalog-info_20241111145445.yaml
 create mode 100644 .history/ref-implementation/backstage-templates/entities/catalog-info_20241111145519.yaml
 create mode 100644 .history/ref-implementation/backstage-templates/entities/catalog-info_20241111145520.yaml
 create mode 100644 .history/ref-implementation/backstage-templates/entities/catalog-info_20241111145522.yaml
 create mode 100644 ref-implementation/backstage-templates/entities/basic/template2.yaml

diff --git a/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145445.yaml b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145445.yaml
new file mode 100644
index 0000000..f49a7bb
--- /dev/null
+++ b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145445.yaml
@@ -0,0 +1,19 @@
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-example-templates
+  description: A collection of example templates
+spec:
+  targets:
+    - ./basic/template.yaml
+    - ./argo-workflows/template.yaml
+    - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145519.yaml b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145519.yaml
new file mode 100644
index 0000000..740bc62
--- /dev/null
+++ b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145519.yaml
@@ -0,0 +1,21 @@
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-example-templates
+  description: A collection of example templates
+spec:
+  targets:
+    - ./basic/template.yaml
+
+    - ./basic/template.yaml
+    - ./argo-workflows/template.yaml
+    - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145520.yaml b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145520.yaml
new file mode 100644
index 0000000..8e7eff6
--- /dev/null
+++ b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145520.yaml
@@ -0,0 +1,21 @@
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-example-templates
+  description: A collection of example templates
+spec:
+  targets:
+    - ./basic/template.yaml
+
+    - ./basic/template2.yaml
+    - ./argo-workflows/template.yaml
+    - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145522.yaml b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145522.yaml
new file mode 100644
index 0000000..3bf5a42
--- /dev/null
+++ b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145522.yaml
@@ -0,0 +1,20 @@
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-example-templates
+  description: A collection of example templates
+spec:
+  targets:
+    - ./basic/template.yaml
+    - ./basic/template2.yaml
+    - ./argo-workflows/template.yaml
+    - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/ref-implementation/backstage-templates/entities/basic/template2.yaml b/ref-implementation/backstage-templates/entities/basic/template2.yaml
new file mode 100644
index 0000000..f75743b
--- /dev/null
+++ b/ref-implementation/backstage-templates/entities/basic/template2.yaml
@@ -0,0 +1,58 @@
+apiVersion: scaffolder.backstage.io/v1beta3
+kind: Template
+metadata:
+  description: Creates a Basic Kubernetes Deployment
+  name: basic
+  title: Create a Basic Deployment
+spec:
+  owner: guests
+  type: service
+  parameters:
+    - title: Configuration Options
+      required:
+        - name
+      properties:
+        name:
+          type: string
+          description: name of this application
+        
+  steps:
+    - id: template
+      name: Generating component
+      action: fetch:template
+      input:
+        url: ./skeleton
+        values:
+          name: ${{parameters.name}}
+
+    - id: publish
+      name: Publishing to a gitea git repository
+      action: publish:gitea
+      input:
+        description: This is an example app
+        # Hard coded value for this demo purposes only.
+        repoUrl: cnoe.localtest.me:8443/gitea?repo=${{parameters.name}}
+        defaultBranch: main
+    - id: create-argocd-app
+      name: Create ArgoCD App
+      action: cnoe:create-argocd-app
+      input:
+        appName: ${{parameters.name}}
+        appNamespace: ${{parameters.name}}
+        argoInstance: in-cluster
+        projectName: default
+        # necessary until we generate our own cert
+        repoUrl: https://cnoe.localtest.me:8443/gitea/giteaAdmin/${{parameters.name}}
+        path: "manifests"
+    - id: register
+      name: Register
+      action: catalog:register
+      input:
+        repoContentsUrl: ${{ steps['publish'].output.repoContentsUrl }}
+        catalogInfoPath: 'catalog-info.yaml'
+
+  output:
+    links:
+      - title: Open in catalog
+        icon: catalog
+        entityRef: ${{ steps['register'].output.entityRef }}
diff --git a/ref-implementation/backstage-templates/entities/catalog-info.yaml b/ref-implementation/backstage-templates/entities/catalog-info.yaml
index ff05253..3bf5a42 100644
--- a/ref-implementation/backstage-templates/entities/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/catalog-info.yaml
@@ -6,9 +6,9 @@ metadata:
 spec:
   targets:
     - ./basic/template.yaml
+    - ./basic/template2.yaml
     - ./argo-workflows/template.yaml
     - ./app-with-bucket/template.yaml
-    - ./app-with-bucket/template.yaml
 ---
 apiVersion: backstage.io/v1alpha1
 kind: Location

From 2a6b10f007e85ea3b2cbb330072f491aa8e78cb8 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Tue, 12 Nov 2024 10:40:11 +0100
Subject: [PATCH 12/20] let's go

---
 .../entities/catalog-info_20241111145551.yaml | 19 ++++++
 .../openbao_20241111150421.yaml               | 21 +++++++
 .../openbao_20241111150423.yaml               | 21 +++++++
 .../openbao_20241112103833.yaml               | 19 ++++++
 .../openbao_20241112103904.yaml               | 19 ++++++
 .../openbao_20241112103909.yaml               | 19 ++++++
 .../openbao_20241112103930.yaml               | 19 ++++++
 .../openbao_20241112103938.yaml               | 19 ++++++
 .../openbao_20241112103940.yaml               | 19 ++++++
 .../entities/basic/template2.yaml             | 58 -------------------
 .../entities/catalog-info.yaml                |  1 -
 ref-implementation/openbao.yaml               |  8 +--
 12 files changed, 178 insertions(+), 64 deletions(-)
 create mode 100644 .history/ref-implementation/backstage-templates/entities/catalog-info_20241111145551.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111150421.yaml
 create mode 100644 .history/ref-implementation/openbao_20241111150423.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112103833.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112103904.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112103909.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112103930.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112103938.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112103940.yaml
 delete mode 100644 ref-implementation/backstage-templates/entities/basic/template2.yaml

diff --git a/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145551.yaml b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145551.yaml
new file mode 100644
index 0000000..f49a7bb
--- /dev/null
+++ b/.history/ref-implementation/backstage-templates/entities/catalog-info_20241111145551.yaml
@@ -0,0 +1,19 @@
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-example-templates
+  description: A collection of example templates
+spec:
+  targets:
+    - ./basic/template.yaml
+    - ./argo-workflows/template.yaml
+    - ./app-with-bucket/template.yaml
+---
+apiVersion: backstage.io/v1alpha1
+kind: Location
+metadata:
+  name: basic-organization
+  description: Basic organization data
+spec:
+  targets:
+    - ./organization/guests.yaml
diff --git a/.history/ref-implementation/openbao_20241111150421.yaml b/.history/ref-implementation/openbao_20241111150421.yaml
new file mode 100644
index 0000000..ecce75a
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111150421.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    example: dev
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241111150423.yaml b/.history/ref-implementation/openbao_20241111150423.yaml
new file mode 100644
index 0000000..8a632d4
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241111150423.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112103833.yaml b/.history/ref-implementation/openbao_20241112103833.yaml
new file mode 100644
index 0000000..d06ab5e
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112103833.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112103904.yaml b/.history/ref-implementation/openbao_20241112103904.yaml
new file mode 100644
index 0000000..8bcfa6f
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112103904.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112103909.yaml b/.history/ref-implementation/openbao_20241112103909.yaml
new file mode 100644
index 0000000..997633d
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112103909.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112103930.yaml b/.history/ref-implementation/openbao_20241112103930.yaml
new file mode 100644
index 0000000..8d19f61
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112103930.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "openbao"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112103938.yaml b/.history/ref-implementation/openbao_20241112103938.yaml
new file mode 100644
index 0000000..76b59a3
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112103938.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "openbao"
+
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112103940.yaml b/.history/ref-implementation/openbao_20241112103940.yaml
new file mode 100644
index 0000000..8d19f61
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112103940.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "openbao"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/ref-implementation/backstage-templates/entities/basic/template2.yaml b/ref-implementation/backstage-templates/entities/basic/template2.yaml
deleted file mode 100644
index f75743b..0000000
--- a/ref-implementation/backstage-templates/entities/basic/template2.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-apiVersion: scaffolder.backstage.io/v1beta3
-kind: Template
-metadata:
-  description: Creates a Basic Kubernetes Deployment
-  name: basic
-  title: Create a Basic Deployment
-spec:
-  owner: guests
-  type: service
-  parameters:
-    - title: Configuration Options
-      required:
-        - name
-      properties:
-        name:
-          type: string
-          description: name of this application
-        
-  steps:
-    - id: template
-      name: Generating component
-      action: fetch:template
-      input:
-        url: ./skeleton
-        values:
-          name: ${{parameters.name}}
-
-    - id: publish
-      name: Publishing to a gitea git repository
-      action: publish:gitea
-      input:
-        description: This is an example app
-        # Hard coded value for this demo purposes only.
-        repoUrl: cnoe.localtest.me:8443/gitea?repo=${{parameters.name}}
-        defaultBranch: main
-    - id: create-argocd-app
-      name: Create ArgoCD App
-      action: cnoe:create-argocd-app
-      input:
-        appName: ${{parameters.name}}
-        appNamespace: ${{parameters.name}}
-        argoInstance: in-cluster
-        projectName: default
-        # necessary until we generate our own cert
-        repoUrl: https://cnoe.localtest.me:8443/gitea/giteaAdmin/${{parameters.name}}
-        path: "manifests"
-    - id: register
-      name: Register
-      action: catalog:register
-      input:
-        repoContentsUrl: ${{ steps['publish'].output.repoContentsUrl }}
-        catalogInfoPath: 'catalog-info.yaml'
-
-  output:
-    links:
-      - title: Open in catalog
-        icon: catalog
-        entityRef: ${{ steps['register'].output.entityRef }}
diff --git a/ref-implementation/backstage-templates/entities/catalog-info.yaml b/ref-implementation/backstage-templates/entities/catalog-info.yaml
index 3bf5a42..f49a7bb 100644
--- a/ref-implementation/backstage-templates/entities/catalog-info.yaml
+++ b/ref-implementation/backstage-templates/entities/catalog-info.yaml
@@ -6,7 +6,6 @@ metadata:
 spec:
   targets:
     - ./basic/template.yaml
-    - ./basic/template2.yaml
     - ./argo-workflows/template.yaml
     - ./app-with-bucket/template.yaml
 ---
diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml
index 8a632d4..8d19f61 100644
--- a/ref-implementation/openbao.yaml
+++ b/ref-implementation/openbao.yaml
@@ -3,16 +3,14 @@ kind: Application
 metadata:
   name: openbao
   namespace: argocd
-  labels:
-    env: dev
 spec:
   destination:
     namespace: openbao
     server: "https://kubernetes.default.svc"
   source:
-    repoURL: cnoe://openbao/manifests
-    targetRevision: HEAD
-    path: "."
+    repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "openbao"
   project: default
   syncPolicy:
     automated:

From 67a67174a598e506912a1f5476093d11d67bf2f2 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Tue, 12 Nov 2024 11:15:26 +0100
Subject: [PATCH 13/20] hopefully it will work now

---
 .../maniek_20241112110416.yml                 |   0
 .../maniek_20241112110417.yml                 |  35 ++
 .../manifests/manifest_20241112110416.yml     |  35 ++
 .../manifests/manifest_20241112110859.yml     |  35 ++
 .../manifests/manifest_20241112110906.yml     |  35 ++
 .../manifests/manifest_20241112110950.yml     |  41 ++
 .../manifests/manifest_20241112110952.yml     |  35 ++
 .../manifests/manifest_20241112110953.yml     |  35 ++
 .../openbao_20241112110613.yaml               |  19 +
 .../openbao_20241112110615.yaml               |  19 +
 .../openbao_20241112110641.yaml               |  19 +
 .../openbao_20241112110645.yaml               |  19 +
 .../openbao_20241112110651.yaml               |  19 +
 .../openbao_20241112110747.yaml               |  19 +
 .../openbao_20241112110753.yaml               |  19 +
 ref-implementation/openbao.yaml               |   6 +-
 .../openbao/manifests/ingress.yaml            |  30 --
 .../openbao/manifests/install.yaml            | 164 --------
 .../openbao/manifests/keycloak-config.yaml    | 366 ------------------
 .../openbao/manifests/manifest.yml            |  35 ++
 .../openbao/manifests/secret-gen.yaml         | 179 ---------
 21 files changed, 422 insertions(+), 742 deletions(-)
 create mode 100644 .history/ref-implementation/maniek_20241112110416.yml
 create mode 100644 .history/ref-implementation/maniek_20241112110417.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112110416.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112110859.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112110906.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112110950.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112110952.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112110953.yml
 create mode 100644 .history/ref-implementation/openbao_20241112110613.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112110615.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112110641.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112110645.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112110651.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112110747.yaml
 create mode 100644 .history/ref-implementation/openbao_20241112110753.yaml
 delete mode 100644 ref-implementation/openbao/manifests/ingress.yaml
 delete mode 100644 ref-implementation/openbao/manifests/install.yaml
 delete mode 100644 ref-implementation/openbao/manifests/keycloak-config.yaml
 create mode 100644 ref-implementation/openbao/manifests/manifest.yml
 delete mode 100644 ref-implementation/openbao/manifests/secret-gen.yaml

diff --git a/.history/ref-implementation/maniek_20241112110416.yml b/.history/ref-implementation/maniek_20241112110416.yml
new file mode 100644
index 0000000..e69de29
diff --git a/.history/ref-implementation/maniek_20241112110417.yml b/.history/ref-implementation/maniek_20241112110417.yml
new file mode 100644
index 0000000..81ab8ad
--- /dev/null
+++ b/.history/ref-implementation/maniek_20241112110417.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110416.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110416.yml
new file mode 100644
index 0000000..81ab8ad
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110416.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110859.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110859.yml
new file mode 100644
index 0000000..d68ae99
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110859.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110906.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110906.yml
new file mode 100644
index 0000000..3f9ba3f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110906.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110950.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110950.yml
new file mode 100644
index 0000000..9fdb23b
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110950.yml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110952.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110952.yml
new file mode 100644
index 0000000..3f9ba3f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110952.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112110953.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112110953.yml
new file mode 100644
index 0000000..8ec577d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112110953.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao_20241112110613.yaml b/.history/ref-implementation/openbao_20241112110613.yaml
new file mode 100644
index 0000000..0ff12a4
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112110613.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    //repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "openbao"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112110615.yaml b/.history/ref-implementation/openbao_20241112110615.yaml
new file mode 100644
index 0000000..dd920ca
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112110615.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    # repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "openbao"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112110641.yaml b/.history/ref-implementation/openbao_20241112110641.yaml
new file mode 100644
index 0000000..8d19f61
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112110641.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: 'https://github.com/openbao/openbao.git'
+    targetRevision: main
+    path: "openbao"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112110645.yaml b/.history/ref-implementation/openbao_20241112110645.yaml
new file mode 100644
index 0000000..acc1c64
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112110645.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: main
+    path: "openbao"
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112110651.yaml b/.history/ref-implementation/openbao_20241112110651.yaml
new file mode 100644
index 0000000..627b1fd
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112110651.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: main
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112110747.yaml b/.history/ref-implementation/openbao_20241112110747.yaml
new file mode 100644
index 0000000..e398adc
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112110747.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://keycloak/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/.history/ref-implementation/openbao_20241112110753.yaml b/.history/ref-implementation/openbao_20241112110753.yaml
new file mode 100644
index 0000000..d06ab5e
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241112110753.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openbao
+  namespace: argocd
+spec:
+  destination:
+    namespace: openbao
+    server: "https://kubernetes.default.svc"
+  source:
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml
index 8d19f61..d06ab5e 100644
--- a/ref-implementation/openbao.yaml
+++ b/ref-implementation/openbao.yaml
@@ -8,9 +8,9 @@ spec:
     namespace: openbao
     server: "https://kubernetes.default.svc"
   source:
-    repoURL: 'https://github.com/openbao/openbao.git'
-    targetRevision: main
-    path: "openbao"
+    repoURL: cnoe://openbao/manifests
+    targetRevision: HEAD
+    path: "."
   project: default
   syncPolicy:
     automated:
diff --git a/ref-implementation/openbao/manifests/ingress.yaml b/ref-implementation/openbao/manifests/ingress.yaml
deleted file mode 100644
index abaf181..0000000
--- a/ref-implementation/openbao/manifests/ingress.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: keycloak-ingress-localhost
-  namespace: keycloak
-  annotations:
-    argocd.argoproj.io/sync-wave: "100"
-spec:
-  ingressClassName: "nginx"
-  rules:
-    - host: localhost
-      http:
-        paths:
-          - path: /keycloak
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: keycloak
-                port:
-                  name: http
-    - host: cnoe.localtest.me
-      http:
-        paths:
-          - path: /keycloak
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: keycloak
-                port:
-                  name: http
diff --git a/ref-implementation/openbao/manifests/install.yaml b/ref-implementation/openbao/manifests/install.yaml
deleted file mode 100644
index ed3b799..0000000
--- a/ref-implementation/openbao/manifests/install.yaml
+++ /dev/null
@@ -1,164 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: keycloak
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: keycloak
-  labels:
-    app: keycloak
-spec:
-  ports:
-    - name: http
-      port: 8080
-      targetPort: 8080
-  selector:
-    app: keycloak
-  type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app: keycloak
-  name: keycloak
-  namespace: keycloak
-  annotations:
-    argocd.argoproj.io/sync-wave: "10"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: keycloak
-  template:
-    metadata:
-      labels:
-        app: keycloak
-    spec:
-      containers:
-        - args:
-            - start-dev
-          env:
-            - name: KEYCLOAK_ADMIN
-              value: cnoe-admin
-            - name: KEYCLOAK_LOGLEVEL
-              value: ALL
-            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
-              value: 'true'
-          envFrom:
-            - secretRef:
-                name: keycloak-config
-          image: quay.io/keycloak/keycloak:22.0.3
-          name: keycloak
-          ports:
-            - containerPort: 8080
-              name: http
-          readinessProbe:
-            httpGet:
-              path: /keycloak/realms/master
-              port: 8080
-          volumeMounts:
-            - mountPath: /opt/keycloak/conf
-              name: keycloak-config
-              readOnly: true
-      volumes:
-        - configMap:
-            name: keycloak-config
-          name: keycloak-config
----
-apiVersion: v1
-data:
-  keycloak.conf: |
-    # Database
-    # The database vendor.
-    db=postgres
-    
-    # The username of the database user.
-    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
-
-    # The proxy address forwarding mode if the server is behind a reverse proxy.
-    proxy=edge
-    
-    # hostname configuration
-    hostname=cnoe.localtest.me
-    hostname-port=8443
-    http-relative-path=keycloak
-    
-    # the admin url requires its own configuration to reflect correct url
-    hostname-admin=cnoe.localtest.me:8443
-    
-    hostname-debug=true
-    
-    # this should only be allowed in development. NEVER in production.
-    hostname-strict=false
-    hostname-strict-backchannel=false
-    
-
-kind: ConfigMap
-metadata:
-  name: keycloak-config
-  namespace: keycloak
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app: postgresql
-  name: postgresql
-  namespace: keycloak
-spec:
-  clusterIP: None
-  ports:
-    - name: postgres
-      port: 5432
-  selector:
-    app: postgresql
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  labels:
-    app: postgresql
-  name: postgresql
-  namespace: keycloak
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: postgresql
-  serviceName: service-postgresql
-  template:
-    metadata:
-      labels:
-        app: postgresql
-    spec:
-      containers:
-        - envFrom:
-            - secretRef:
-                name: keycloak-config
-          image: docker.io/library/postgres:15.3-alpine3.18
-          name: postgres
-          ports:
-            - containerPort: 5432
-              name: postgresdb
-          resources:
-            limits:
-              memory: 500Mi
-            requests:
-              cpu: 100m
-              memory: 300Mi
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-  volumeClaimTemplates:
-  - metadata:
-      name: data
-    spec:
-      accessModes: ["ReadWriteOnce"]
-      resources:
-        requests:
-          storage: "500Mi"
-
diff --git a/ref-implementation/openbao/manifests/keycloak-config.yaml b/ref-implementation/openbao/manifests/keycloak-config.yaml
deleted file mode 100644
index 4bb098e..0000000
--- a/ref-implementation/openbao/manifests/keycloak-config.yaml
+++ /dev/null
@@ -1,366 +0,0 @@
-# resources here are used to configure keycloak instance for SSO
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: keycloak-config
-  namespace: keycloak
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: keycloak-config
-  namespace: keycloak
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "create", "update", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: keycloak-config
-  namespace: keycloak
-subjects:
-  - kind: ServiceAccount
-    name: keycloak-config
-    namespace: keycloak
-roleRef:
-  kind: Role
-  name: keycloak-config
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: keycloak-config
-  namespace: argocd
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: keycloak-config
-  namespace: argocd
-subjects:
-  - kind: ServiceAccount
-    name: keycloak-config
-    namespace: keycloak
-roleRef:
-  kind: Role
-  name: keycloak-config
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: config-job
-  namespace: keycloak
-data:
-  client-scope-groups-payload.json: |
-    {
-      "name": "groups",
-      "description": "groups a user belongs to",
-      "attributes": {
-          "consent.screen.text": "Access to groups a user belongs to.",
-          "display.on.consent.screen": "true",
-          "include.in.token.scope": "true",
-          "gui.order": ""
-      },
-      "type": "default",
-      "protocol": "openid-connect"
-    }
-  group-admin-payload.json: |
-    {"name":"admin"}
-  group-base-user-payload.json: |
-    {"name":"base-user"}
-  group-mapper-payload.json: |
-    {
-        "protocol": "openid-connect",
-        "protocolMapper": "oidc-group-membership-mapper",
-        "name": "groups",
-        "config": {
-          "claim.name": "groups",
-          "full.path": "false",
-          "id.token.claim": "true",
-          "access.token.claim": "true",
-          "userinfo.token.claim": "true"
-        }
-    }
-  realm-payload.json: |
-    {"realm":"cnoe","enabled":true}
-  user-password.json: |
-    {
-        "temporary": false,
-        "type": "password",
-        "value": "${USER1_PASSWORD}"
-    }
-  user-user1.json: |
-    {
-        "username": "user1",
-        "email": "",
-        "firstName": "user",
-        "lastName": "one",
-        "requiredActions": [],
-        "emailVerified": false,
-        "groups": [
-          "/admin"
-        ],
-        "enabled": true
-    }
-  user-user2.json: |
-    {
-        "username": "user2",
-        "email": "",
-        "firstName": "user",
-        "lastName": "two",
-        "requiredActions": [],
-        "emailVerified": false,
-        "groups": [
-          "/base-user"
-        ],
-        "enabled": true
-    }
-  argo-client-payload.json: |
-    {
-      "protocol": "openid-connect",
-      "clientId": "argo-workflows",
-      "name": "Argo Workflows Client",
-      "description": "Used for Argo Workflows SSO",
-      "publicClient": false,
-      "authorizationServicesEnabled": false,
-      "serviceAccountsEnabled": false,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "standardFlowEnabled": true,
-      "frontchannelLogout": true,
-      "attributes": {
-        "saml_idp_initiated_sso_url_name": "",
-        "oauth2.device.authorization.grant.enabled": false,
-        "oidc.ciba.grant.enabled": false
-      },
-      "alwaysDisplayInConsole": false,
-      "rootUrl": "",
-      "baseUrl": "",
-      "redirectUris": [
-        "https://cnoe.localtest.me:8443/argo-workflows/oauth2/callback"
-      ],
-      "webOrigins": [
-        "/*"
-      ]
-    }
-
-  backstage-client-payload.json: |
-    {
-      "protocol": "openid-connect",
-      "clientId": "backstage",
-      "name": "Backstage Client",
-      "description": "Used for Backstage SSO",
-      "publicClient": false,
-      "authorizationServicesEnabled": false,
-      "serviceAccountsEnabled": false,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "standardFlowEnabled": true,
-      "frontchannelLogout": true,
-      "attributes": {
-        "saml_idp_initiated_sso_url_name": "",
-        "oauth2.device.authorization.grant.enabled": false,
-        "oidc.ciba.grant.enabled": false
-      },
-      "alwaysDisplayInConsole": false,
-      "rootUrl": "",
-      "baseUrl": "",
-      "redirectUris": [
-        "https://cnoe.localtest.me:8443/api/auth/keycloak-oidc/handler/frame"
-      ],
-      "webOrigins": [
-        "/*"
-      ]
-    }
-
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: config
-  namespace: keycloak
-  annotations:
-    argocd.argoproj.io/hook: PostSync
-spec:
-  template:
-    metadata:
-      generateName: config
-    spec:
-      serviceAccountName: keycloak-config
-      restartPolicy: Never
-      volumes:
-        - name: keycloak-config
-          secret:
-            secretName: keycloak-config
-        - name: config-payloads
-          configMap:
-            name: config-job
-      containers:
-        - name: kubectl
-          image: docker.io/library/ubuntu:22.04
-          volumeMounts:
-            - name: keycloak-config
-              readOnly: true
-              mountPath: "/var/secrets/"
-            - name: config-payloads
-              readOnly: true
-              mountPath: "/var/config/"
-          command: ["/bin/bash", "-c"]
-          args:
-            - |
-              #! /bin/bash
-  
-              set -ex -o pipefail
-              
-              apt -qq update && apt -qq install curl jq -y
-              
-              ADMIN_PASSWORD=$(cat /var/secrets/KEYCLOAK_ADMIN_PASSWORD)
-              USER1_PASSWORD=$(cat /var/secrets/USER_PASSWORD)
-
-              KEYCLOAK_URL=http://keycloak.keycloak.svc.cluster.local:8080/keycloak
-
-              KEYCLOAK_TOKEN=$(curl -sS  --fail-with-body -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-                --data-urlencode "username=cnoe-admin" \
-                --data-urlencode "password=${ADMIN_PASSWORD}" \
-                --data-urlencode "grant_type=password" \
-                --data-urlencode "client_id=admin-cli" \
-                ${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token | jq -e -r '.access_token')
-                
-              set +e
-              
-              curl --fail-with-body -H "Authorization: bearer ${KEYCLOAK_TOKEN}"  "${KEYCLOAK_URL}/admin/realms/cnoe"  &> /dev/null
-              if [ $? -eq 0 ]; then
-                exit 0
-              fi
-              set -e
-              
-              curl -sS -LO "https://dl.k8s.io/release/v1.28.3//bin/linux/amd64/kubectl"
-              chmod +x kubectl
-              
-              echo "creating cnoe realm and groups"
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/realm-payload.json \
-                ${KEYCLOAK_URL}/admin/realms
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/client-scope-groups-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-admin-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-base-user-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/groups
-              
-              # Create scope mapper
-                echo 'adding group claim to tokens'
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/group-mapper-payload.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes/${CLIENT_SCOPE_GROUPS_ID}/protocol-mappers/models
-                
-              echo "creating test users"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/user-user1.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/user-user2.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users
-              
-              USER1ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=one" | jq -r '.[0].id')
-              USER2ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" "${KEYCLOAK_URL}/admin/realms/cnoe/users?lastName=two" | jq -r '.[0].id')
-              
-              echo "setting user passwords"
-              jq -r --arg pass ${USER1_PASSWORD}  '.value = $pass' /var/config/user-password.json > /tmp/user-password-to-be-applied.json
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT --data @/tmp/user-password-to-be-applied.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER1ID}/reset-password
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT --data @/tmp/user-password-to-be-applied.json \
-                ${KEYCLOAK_URL}/admin/realms/cnoe/users/${USER2ID}/reset-password
-            
-              echo "creating Argo Workflows client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                  -X POST --data @/var/config/argo-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
-              
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "argo-workflows") | .id')
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-              
-              ARGO_WORKFLOWS_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-              -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-              -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-              echo "creating Backstage client"
-              curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X POST --data @/var/config/backstage-client-payload.json \
-                  ${KEYCLOAK_URL}/admin/realms/cnoe/clients
-              
-              CLIENT_ID=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients | jq -e -r  '.[] | select(.clientId == "backstage") | .id')
-              
-              CLIENT_SCOPE_GROUPS_ID=$(curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X GET  ${KEYCLOAK_URL}/admin/realms/cnoe/client-scopes | jq -e -r  '.[] | select(.name == "groups") | .id')
-              curl -sS -H "Content-Type: application/json" -H "Authorization: bearer ${KEYCLOAK_TOKEN}" -X PUT  ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID}/default-client-scopes/${CLIENT_SCOPE_GROUPS_ID}
-              
-              BACKSTAGE_CLIENT_SECRET=$(curl -sS -H "Content-Type: application/json" \
-                -H "Authorization: bearer ${KEYCLOAK_TOKEN}" \
-                -X GET ${KEYCLOAK_URL}/admin/realms/cnoe/clients/${CLIENT_ID} | jq -e -r '.secret')
-              
-              ARGOCD_PASSWORD=$(./kubectl -n argocd get secret argocd-initial-admin-secret -o go-template='{{.data.password | base64decode }}')
-              
-              ARGOCD_SESSION_TOKEN=$(curl -k -sS http://argocd-server.argocd.svc.cluster.local:443/api/v1/session -H 'Content-Type: application/json' -d "{\"username\":\"admin\",\"password\":\"${ARGOCD_PASSWORD}\"}" | jq -r .token)
-              
-              echo \
-              "apiVersion: v1
-              kind: Secret
-              metadata:
-                name: keycloak-clients
-                namespace: keycloak
-              type: Opaque
-              stringData:
-                ARGO_WORKFLOWS_CLIENT_SECRET: ${ARGO_WORKFLOWS_CLIENT_SECRET}
-                ARGO_WORKFLOWS_CLIENT_ID: argo-workflows
-                ARGOCD_SESSION_TOKEN: ${ARGOCD_SESSION_TOKEN}
-                BACKSTAGE_CLIENT_SECRET: ${BACKSTAGE_CLIENT_SECRET}
-                BACKSTAGE_CLIENT_ID: backstage
-              " > /tmp/secret.yaml
-              
-              ./kubectl apply -f /tmp/secret.yaml
-              
diff --git a/ref-implementation/openbao/manifests/manifest.yml b/ref-implementation/openbao/manifests/manifest.yml
new file mode 100644
index 0000000..8ec577d
--- /dev/null
+++ b/ref-implementation/openbao/manifests/manifest.yml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/ref-implementation/openbao/manifests/secret-gen.yaml b/ref-implementation/openbao/manifests/secret-gen.yaml
deleted file mode 100644
index f7bf8c9..0000000
--- a/ref-implementation/openbao/manifests/secret-gen.yaml
+++ /dev/null
@@ -1,179 +0,0 @@
-apiVersion: generators.external-secrets.io/v1alpha1
-kind: Password
-metadata:
-  name: keycloak
-  namespace: keycloak
-spec:
-  length: 36
-  digits: 5
-  symbols: 5
-  symbolCharacters: "/-+"
-  noUpper: false
-  allowRepeat: true
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: keycloak-config
-  namespace: keycloak
-spec:
-  refreshInterval: "0"
-  target:
-    name: keycloak-config
-    template:
-      metadata:
-        labels:
-          cnoe.io/cli-secret: "true"
-          cnoe.io/package-name: keycloak
-      engineVersion: v2
-      data:
-        KEYCLOAK_ADMIN_PASSWORD: "{{.KEYCLOAK_ADMIN_PASSWORD}}"
-        KC_DB_USERNAME: keycloak
-        KC_DB_PASSWORD: "{{.KC_DB_PASSWORD}}"
-        POSTGRES_DB: keycloak
-        POSTGRES_USER: keycloak
-        POSTGRES_PASSWORD: "{{.KC_DB_PASSWORD}}"
-        USER_PASSWORD: "{{.USER_PASSWORD}}"
-  dataFrom:
-    - sourceRef:
-        generatorRef:
-          apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Password
-          name: keycloak
-      rewrite:
-        - transform:
-            template: "KEYCLOAK_ADMIN_PASSWORD"
-    - sourceRef:
-        generatorRef:
-          apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Password
-          name: keycloak
-      rewrite:
-        - transform:
-            template: "KC_DB_PASSWORD"
-    - sourceRef:
-        generatorRef:
-          apiVersion: generators.external-secrets.io/v1alpha1
-          kind: Password
-          name: keycloak
-      rewrite:
-        - transform:
-            template: "USER_PASSWORD"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: eso-store
-  namespace: keycloak
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: keycloak
-  name: eso-store
-rules:
-  - apiGroups: [""]
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - selfsubjectrulesreviews
-    verbs:
-      - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: eso-store
-  namespace: keycloak
-subjects:
-  - kind: ServiceAccount
-    name: eso-store
-    namespace: keycloak
-roleRef:
-  kind: Role
-  name: eso-store
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: keycloak
-spec:
-  provider:
-    kubernetes:
-      remoteNamespace: keycloak
-      server:
-        caProvider:
-          type: ConfigMap
-          name: kube-root-ca.crt
-          namespace: keycloak
-          key: ca.crt
-      auth:
-        serviceAccount:
-          name: eso-store
-          namespace: keycloak
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: eso-store
-  namespace: gitea
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: eso-store
-  namespace: gitea
-rules:
-  - apiGroups: [""]
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - selfsubjectrulesreviews
-    verbs:
-      - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: eso-store
-  namespace: gitea
-subjects:
-  - kind: ServiceAccount
-    name: eso-store
-    namespace: gitea
-roleRef:
-  kind: Role
-  name: eso-store
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: external-secrets.io/v1beta1
-kind: ClusterSecretStore
-metadata:
-  name: gitea
-spec:
-  provider:
-    kubernetes:
-      remoteNamespace: gitea
-      server:
-        caProvider:
-          type: ConfigMap
-          name: kube-root-ca.crt
-          namespace: gitea
-          key: ca.crt
-      auth:
-        serviceAccount:
-          name: eso-store
-          namespace: gitea

From 8720cfd633526d75a929ff12fc1362000b953f6d Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Tue, 12 Nov 2024 11:53:48 +0100
Subject: [PATCH 14/20] let's go

---
 .../manifests/manifest_20241112112033.yml     | 42 +++++++++++++++++
 .../manifests/manifest_20241112114625.yml     | 43 ++++++++++++++++++
 .../manifests/manifest_20241112114627.yml     | 43 ++++++++++++++++++
 .../manifests/manifest_20241112114630.yml     | 45 +++++++++++++++++++
 .../openbao/manifests/manifest.yml            | 10 +++++
 5 files changed, 183 insertions(+)
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112112033.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112114625.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112114627.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112114630.yml

diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112112033.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112112033.yml
new file mode 100644
index 0000000..1b22ab8
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112112033.yml
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112114625.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112114625.yml
new file mode 100644
index 0000000..ad22ff4
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112114625.yml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+            
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112114627.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112114627.yml
new file mode 100644
index 0000000..cddcbef
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112114627.yml
@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+          
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112114630.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112114630.yml
new file mode 100644
index 0000000..aa8e5ea
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112114630.yml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/ref-implementation/openbao/manifests/manifest.yml b/ref-implementation/openbao/manifests/manifest.yml
index 8ec577d..aa8e5ea 100644
--- a/ref-implementation/openbao/manifests/manifest.yml
+++ b/ref-implementation/openbao/manifests/manifest.yml
@@ -1,3 +1,10 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -18,6 +25,9 @@ spec:
           image: openbao/openbao:latest  # Replace with the actual image
           ports:
             - containerPort: 8200
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
 
 ---
 apiVersion: v1

From 575cbbbfa887fddffe2494dc27c2d6d1c0c33526 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Tue, 12 Nov 2024 13:54:10 +0100
Subject: [PATCH 15/20] loadBalancer

---
 .../manifests/install_20241111142553.yaml     | 164 +++++++++++++++++
 .../manifests/install_20241112125306.yaml     | 165 ++++++++++++++++++
 .../manifests/install_20241112125311.yaml     | 165 ++++++++++++++++++
 .../manifests/install_20241112125315.yaml     | 165 ++++++++++++++++++
 .../manifests/install_20241112125321.yaml     | 164 +++++++++++++++++
 .../manifests/install_20241112125401.yaml     | 164 +++++++++++++++++
 .../manifests/install_20241112125405.yaml     | 164 +++++++++++++++++
 .../manifests/ingress_20241112130717.yaml     |   0
 .../manifests/ingress_20241112130720.yaml     |  30 ++++
 .../manifests/ingress_20241112130742.yaml     |  27 +++
 .../manifests/ingress_20241112130743.yaml     |  30 ++++
 .../manifests/ingress_20241112130751.yaml     |  28 +++
 .../manifests/ingress_20241112130756.yaml     |  28 +++
 .../manifests/ingress_20241112130759.yaml     |  28 +++
 .../manifests/ingress_20241112130902.yaml     |  28 +++
 .../manifests/ingress_20241112130904.yaml     |  28 +++
 .../manifests/ingress_20241112130913.yaml     |  28 +++
 .../manifests/ingress_20241112132252.yaml     |  19 ++
 .../manifests/ingress_20241112132258.yaml     |  18 ++
 .../manifests/ingress_20241112132302.yaml     |  18 ++
 .../manifests/ingress_20241112132304.yaml     |  18 ++
 .../manifests/ingress_20241112132310.yaml     |  18 ++
 .../manifests/ingress_20241112132312.yaml     |  18 ++
 .../manifests/ingress_20241112132315.yaml     |  18 ++
 .../manifests/ingress_20241112132318.yaml     |  18 ++
 .../manifests/ingress_20241112132320.yaml     |  18 ++
 .../manifests/ingress_20241112132340.yaml     |  18 ++
 .../manifests/ingress_20241112132445.yaml     |  18 ++
 .../manifests/ingress_20241112132617.yaml     |  18 ++
 .../manifests/ingress_20241112132620.yaml     |  18 ++
 .../manifests/ingress_20241112132622.yaml     |  18 ++
 .../manifests/ingress_20241112132648.yaml     |  18 ++
 .../manifests/ingress_20241112133726.yaml     |   0
 .../manifests/ingress_20241112133806.yaml     |  18 ++
 .../manifests/ingress_20241112135400.yaml     |  18 ++
 .../manifests/manifest_20241112121944.yml     |  46 +++++
 .../manifests/manifest_20241112121955.yml     |  46 +++++
 .../manifests/manifest_20241112125415.yml     |  47 +++++
 .../manifests/manifest_20241112125417.yml     |  47 +++++
 .../manifests/manifest_20241112125534.yml     |  48 +++++
 .../manifests/manifest_20241112125538.yml     |  48 +++++
 .../manifests/manifest_20241112125540.yml     |  48 +++++
 .../manifests/manifest_20241112125545.yml     |  48 +++++
 .../manifests/manifest_20241112125549.yml     |  48 +++++
 .../manifests/manifest_20241112125552.yml     |  48 +++++
 .../manifests/manifest_20241112125553.yml     |  48 +++++
 .../manifests/manifest_20241112125604.yml     |  47 +++++
 .../manifests/manifest_20241112125613.yml     |  48 +++++
 .../manifests/manifest_20241112125615.yml     |  48 +++++
 .../manifests/manifest_20241112125617.yml     |  48 +++++
 .../manifests/manifest_20241112125618.yml     |  48 +++++
 .../manifests/manifest_20241112125627.yml     |  48 +++++
 .../manifests/manifest_20241112125629.yml     |  48 +++++
 .../manifests/manifest_20241112125633.yml     |  48 +++++
 .../manifests/manifest_20241112133731.yml     |  50 ++++++
 .../manifests/manifest_20241112133734.yml     |  50 ++++++
 .../manifests/manifest_20241112133738.yml     |  52 ++++++
 .../manifests/manifest_20241112133739.yml     |  70 ++++++++
 .../manifests/manifest_20241112133740.yml     |  70 ++++++++
 .../manifests/manifest_20241112133804.yml     |  48 +++++
 .../manifests/manifest_20241112133833.yml     |  48 +++++
 .../manifests/manifest_20241112133859.yml     |  48 +++++
 .../manifests/manifest_20241112134239.yml     |  49 ++++++
 .../manifests/manifest_20241112134258.yml     |  49 ++++++
 .../manifests/manifest_20241112134322.yml     |  49 ++++++
 .../manifests/manifest_20241112134324.yml     |  49 ++++++
 .../manifests/manifest_20241112134335.yml     |  49 ++++++
 .../manifests/manifest_20241112134407.yml     |  49 ++++++
 .../manifests/manifest_20241112134409.yml     |  49 ++++++
 .../manifests/manifest_20241112134417.yml     |  49 ++++++
 .../manifests/manifest_20241112134421.yml     |  49 ++++++
 .../manifests/manifest_20241112134425.yml     |  49 ++++++
 .../manifests/manifest_20241112134434.yml     |  49 ++++++
 .../manifests/manifest_20241112134440.yml     |  49 ++++++
 .../manifests/manifest_20241112134443.yml     |  49 ++++++
 .../manifests/manifest_20241112134912.yml     |  49 ++++++
 .../manifests/manifest_20241112134953.yml     |  49 ++++++
 .../manifests/manifest_20241112135014.yml     |  50 ++++++
 .../manifests/manifest_20241112135016.yml     |  50 ++++++
 .../manifests/manifest_20241112135019.yml     |  50 ++++++
 .../manifests/manifest_20241112135021.yml     |  50 ++++++
 .../manifests/manifest_20241112135022.yml     |  50 ++++++
 .../manifests/manifest_20241112135048.yml     |  50 ++++++
 .../manifests/manifest_20241112135059.yml     |  50 ++++++
 .../manifests/manifest_20241112135112.yml     |  50 ++++++
 .../manifests/manifest_20241112135129.yml     |  50 ++++++
 .../manifests/manifest_20241112135138.yml     |  50 ++++++
 .../openbao/manifests/ingress.yaml            |  18 ++
 .../openbao/manifests/manifest.yml            |  15 +-
 89 files changed, 4317 insertions(+), 5 deletions(-)
 create mode 100644 .history/ref-implementation/keycloak/manifests/install_20241111142553.yaml
 create mode 100644 .history/ref-implementation/keycloak/manifests/install_20241112125306.yaml
 create mode 100644 .history/ref-implementation/keycloak/manifests/install_20241112125311.yaml
 create mode 100644 .history/ref-implementation/keycloak/manifests/install_20241112125315.yaml
 create mode 100644 .history/ref-implementation/keycloak/manifests/install_20241112125321.yaml
 create mode 100644 .history/ref-implementation/keycloak/manifests/install_20241112125401.yaml
 create mode 100644 .history/ref-implementation/keycloak/manifests/install_20241112125405.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130717.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130720.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130742.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130743.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130751.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130756.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130759.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130902.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130904.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112130913.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132252.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132258.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132302.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132304.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132310.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132312.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132315.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132318.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132320.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132340.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132445.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132617.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132620.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132622.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112132648.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112133726.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112133806.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/ingress_20241112135400.yaml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112121944.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112121955.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125415.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125417.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125534.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125538.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125540.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125545.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125549.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125552.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125553.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125604.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125613.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125615.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125617.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125618.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125627.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125629.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112125633.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133731.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133734.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133738.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133739.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133740.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133804.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133833.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112133859.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134239.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134258.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134322.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134324.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134335.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134407.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134409.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134417.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134421.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134425.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134434.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134440.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134443.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134912.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112134953.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135014.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135016.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135019.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135021.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135022.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135048.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135059.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135112.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135129.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135138.yml
 create mode 100644 ref-implementation/openbao/manifests/ingress.yaml

diff --git a/.history/ref-implementation/keycloak/manifests/install_20241111142553.yaml b/.history/ref-implementation/keycloak/manifests/install_20241111142553.yaml
new file mode 100644
index 0000000..ed3b799
--- /dev/null
+++ b/.history/ref-implementation/keycloak/manifests/install_20241111142553.yaml
@@ -0,0 +1,164 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    app: keycloak
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/.history/ref-implementation/keycloak/manifests/install_20241112125306.yaml b/.history/ref-implementation/keycloak/manifests/install_20241112125306.yaml
new file mode 100644
index 0000000..7418140
--- /dev/null
+++ b/.history/ref-implementation/keycloak/manifests/install_20241112125306.yaml
@@ -0,0 +1,165 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+      type: LoadBalancer
+  selector:
+    app: keycloak
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/.history/ref-implementation/keycloak/manifests/install_20241112125311.yaml b/.history/ref-implementation/keycloak/manifests/install_20241112125311.yaml
new file mode 100644
index 0000000..4e41c0a
--- /dev/null
+++ b/.history/ref-implementation/keycloak/manifests/install_20241112125311.yaml
@@ -0,0 +1,165 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+    type: LoadBalancer
+  selector:
+    app: keycloak
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/.history/ref-implementation/keycloak/manifests/install_20241112125315.yaml b/.history/ref-implementation/keycloak/manifests/install_20241112125315.yaml
new file mode 100644
index 0000000..213df32
--- /dev/null
+++ b/.history/ref-implementation/keycloak/manifests/install_20241112125315.yaml
@@ -0,0 +1,165 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  type: LoadBalancer
+  selector:
+    app: keycloak
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/.history/ref-implementation/keycloak/manifests/install_20241112125321.yaml b/.history/ref-implementation/keycloak/manifests/install_20241112125321.yaml
new file mode 100644
index 0000000..b304101
--- /dev/null
+++ b/.history/ref-implementation/keycloak/manifests/install_20241112125321.yaml
@@ -0,0 +1,164 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  type: LoadBalancer
+  selector:
+    app: keycloak
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/.history/ref-implementation/keycloak/manifests/install_20241112125401.yaml b/.history/ref-implementation/keycloak/manifests/install_20241112125401.yaml
new file mode 100644
index 0000000..80965f6
--- /dev/null
+++ b/.history/ref-implementation/keycloak/manifests/install_20241112125401.yaml
@@ -0,0 +1,164 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  
+  selector:
+    app: keycloak
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/.history/ref-implementation/keycloak/manifests/install_20241112125405.yaml b/.history/ref-implementation/keycloak/manifests/install_20241112125405.yaml
new file mode 100644
index 0000000..ed3b799
--- /dev/null
+++ b/.history/ref-implementation/keycloak/manifests/install_20241112125405.yaml
@@ -0,0 +1,164 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    app: keycloak
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: keycloak
+  name: keycloak
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - args:
+            - start-dev
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: cnoe-admin
+            - name: KEYCLOAK_LOGLEVEL
+              value: ALL
+            - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
+              value: 'true'
+          envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: quay.io/keycloak/keycloak:22.0.3
+          name: keycloak
+          ports:
+            - containerPort: 8080
+              name: http
+          readinessProbe:
+            httpGet:
+              path: /keycloak/realms/master
+              port: 8080
+          volumeMounts:
+            - mountPath: /opt/keycloak/conf
+              name: keycloak-config
+              readOnly: true
+      volumes:
+        - configMap:
+            name: keycloak-config
+          name: keycloak-config
+---
+apiVersion: v1
+data:
+  keycloak.conf: |
+    # Database
+    # The database vendor.
+    db=postgres
+    
+    # The username of the database user.
+    db-url=jdbc:postgresql://postgresql.keycloak.svc.cluster.local:5432/postgres
+
+    # The proxy address forwarding mode if the server is behind a reverse proxy.
+    proxy=edge
+    
+    # hostname configuration
+    hostname=cnoe.localtest.me
+    hostname-port=8443
+    http-relative-path=keycloak
+    
+    # the admin url requires its own configuration to reflect correct url
+    hostname-admin=cnoe.localtest.me:8443
+    
+    hostname-debug=true
+    
+    # this should only be allowed in development. NEVER in production.
+    hostname-strict=false
+    hostname-strict-backchannel=false
+    
+
+kind: ConfigMap
+metadata:
+  name: keycloak-config
+  namespace: keycloak
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  clusterIP: None
+  ports:
+    - name: postgres
+      port: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    app: postgresql
+  name: postgresql
+  namespace: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  serviceName: service-postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - envFrom:
+            - secretRef:
+                name: keycloak-config
+          image: docker.io/library/postgres:15.3-alpine3.18
+          name: postgres
+          ports:
+            - containerPort: 5432
+              name: postgresdb
+          resources:
+            limits:
+              memory: 500Mi
+            requests:
+              cpu: 100m
+              memory: 300Mi
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: "500Mi"
+
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130717.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130717.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130720.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130720.yaml
new file mode 100644
index 0000000..abaf181
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130720.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress-localhost
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "100"
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130742.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130742.yaml
new file mode 100644
index 0000000..6abab23
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130742.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130743.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130743.yaml
new file mode 100644
index 0000000..abaf181
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130743.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress-localhost
+  namespace: keycloak
+  annotations:
+    argocd.argoproj.io/sync-wave: "100"
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130751.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130751.yaml
new file mode 100644
index 0000000..fb5aeb3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130751.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress-localhost
+  name: openbao
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130756.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130756.yaml
new file mode 100644
index 0000000..35a4f35
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130756.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  name: openbao
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130759.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130759.yaml
new file mode 100644
index 0000000..932955c
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130759.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130902.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130902.yaml
new file mode 100644
index 0000000..f356af7
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130902.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /openbao
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130904.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130904.yaml
new file mode 100644
index 0000000..c4b8374
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130904.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: cnoe://openbao/manifests
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112130913.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112130913.yaml
new file mode 100644
index 0000000..9bacafb
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112130913.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+spec:
+  ingressClassName: "nginx"
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: cnoe://openbao/manifests
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: openbao
+                port:
+                  name: http
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /keycloak
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132252.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132252.yaml
new file mode 100644
index 0000000..31fff8f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132252.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-app-ingress
+  namespace: default
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132258.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132258.yaml
new file mode 100644
index 0000000..9f706f3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132258.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-app-ingress
+  namespace: default
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132302.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132302.yaml
new file mode 100644
index 0000000..9e9bfcb
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132302.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-app-ingress
+  namespace: o
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132304.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132304.yaml
new file mode 100644
index 0000000..0e0d97a
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132304.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-app-ingress
+  namespace: openbao
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132310.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132310.yaml
new file mode 100644
index 0000000..6f33ebd
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132310.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: open
+  namespace: openbao
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132312.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132312.yaml
new file mode 100644
index 0000000..4849eba
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132312.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao
+  namespace: openbao
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132315.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132315.yaml
new file mode 100644
index 0000000..18f3315
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132315.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132318.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132318.yaml
new file mode 100644
index 0000000..754343a
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132318.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-local
+  namespace: openbao
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132320.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132320.yaml
new file mode 100644
index 0000000..7857781
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132320.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: my-app.local  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132340.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132340.yaml
new file mode 100644
index 0000000..e7669f3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132340.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132445.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132445.yaml
new file mode 100644
index 0000000..650ab4d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132445.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: my-app-service  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132617.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132617.yaml
new file mode 100644
index 0000000..69be905
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132617.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: openbao  # Name of your service
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132620.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132620.yaml
new file mode 100644
index 0000000..cc13074
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132620.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: openbao 
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132622.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132622.yaml
new file mode 100644
index 0000000..9615367
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132622.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: openbao
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112132648.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112132648.yaml
new file mode 100644
index 0000000..9615367
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112132648.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: openbao
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112133726.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112133726.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112133806.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112133806.yaml
new file mode 100644
index 0000000..9615367
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112133806.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: openbao
+            port:
+              number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/ingress_20241112135400.yaml b/.history/ref-implementation/openbao/manifests/ingress_20241112135400.yaml
new file mode 100644
index 0000000..f75a03d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/ingress_20241112135400.yaml
@@ -0,0 +1,18 @@
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+#   name: openbao-ingress-localhost
+#   namespace: openbao
+
+# spec:
+#   rules:
+#   - host: localhost  # Change this to your domain or leave it as is for local development
+#     http:
+#       paths:
+#       - path: ""
+#         pathType: Exact
+#         backend:
+#           service:
+#             name: openbao
+#             port:
+#               number: 8200  # The port to forward to on your service
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112121944.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112121944.yml
new file mode 100644
index 0000000..badda3f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112121944.yml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+            - hostPort: 8200
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112121955.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112121955.yml
new file mode 100644
index 0000000..d20b7b3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112121955.yml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+              hostPort: 8200
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125415.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125415.yml
new file mode 100644
index 0000000..a656216
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125415.yml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+              hostPort: 8200
+              
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125417.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125417.yml
new file mode 100644
index 0000000..47b44df
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125417.yml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125534.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125534.yml
new file mode 100644
index 0000000..0f612be
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125534.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+            ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: LoadBalancer  # or NodePort
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125538.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125538.yml
new file mode 100644
index 0000000..4040f40
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125538.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+            ports:
+            - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: LoadBalancer  # or NodePort
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125540.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125540.yml
new file mode 100644
index 0000000..ca2a209
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125540.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+            ports:
+            - protocol: TCP
+            port: 8200
+      targetPort: 8200
+  type: LoadBalancer  # or NodePort
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125545.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125545.yml
new file mode 100644
index 0000000..4e2f145
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125545.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+            ports:
+              - protocol: TCP
+            port: 8200
+      targetPort: 8200
+  type: LoadBalancer  # or NodePort
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125549.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125549.yml
new file mode 100644
index 0000000..5607328
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125549.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+              - protocol: TCP
+            port: 8200
+      targetPort: 8200
+  type: LoadBalancer  # or NodePort
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125552.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125552.yml
new file mode 100644
index 0000000..9c90d16
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125552.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+          - protocol: TCP
+            port: 8200
+      targetPort: 8200
+  type: LoadBalancer  # or NodePort
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125553.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125553.yml
new file mode 100644
index 0000000..9ded5d1
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125553.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+            port: 8200
+      targetPort: 8200
+  type: LoadBalancer  # or NodePort
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125604.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125604.yml
new file mode 100644
index 0000000..47b44df
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125604.yml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125613.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125613.yml
new file mode 100644
index 0000000..fc8bf8c
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125613.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+          
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125615.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125615.yml
new file mode 100644
index 0000000..020d960
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125615.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - 
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125617.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125617.yml
new file mode 100644
index 0000000..c152d38
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125617.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - po
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125618.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125618.yml
new file mode 100644
index 0000000..7f08b85
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125618.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - port:
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125627.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125627.yml
new file mode 100644
index 0000000..256cfb6
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125627.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCO
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125629.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125629.yml
new file mode 100644
index 0000000..0a3e930
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125629.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+            - containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112125633.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112125633.yml
new file mode 100644
index 0000000..575777f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112125633.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133731.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133731.yml
new file mode 100644
index 0000000..6d406a4
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133731.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+  
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133734.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133734.yml
new file mode 100644
index 0000000..b07a1b7
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133734.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---  
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133738.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133738.yml
new file mode 100644
index 0000000..2bb23c2
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133738.yml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133739.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133739.yml
new file mode 100644
index 0000000..04470a4
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133739.yml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: openbao
+            port:
+              number: 8200  # The port to forward to on your service
+
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133740.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133740.yml
new file mode 100644
index 0000000..04470a4
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133740.yml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress-localhost
+  namespace: openbao
+
+spec:
+  rules:
+  - host: localhost  # Change this to your domain or leave it as is for local development
+    http:
+      paths:
+      - path: ""
+        pathType: Exact
+        backend:
+          service:
+            name: openbao
+            port:
+              number: 8200  # The port to forward to on your service
+
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133804.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133804.yml
new file mode 100644
index 0000000..575777f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133804.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          env:
+            - name: BAO_ADDR
+              value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133833.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133833.yml
new file mode 100644
index 0000000..6ddb3db
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133833.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112133859.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112133859.yml
new file mode 100644
index 0000000..eeff542
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112133859.yml
@@ -0,0 +1,48 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134239.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134239.yml
new file mode 100644
index 0000000..9bf147d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134239.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+              targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134258.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134258.yml
new file mode 100644
index 0000000..a4247b3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134258.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+              # targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134322.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134322.yml
new file mode 100644
index 0000000..9bf147d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134322.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              hostPort: 8200
+              targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134324.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134324.yml
new file mode 100644
index 0000000..b81c1cf
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134324.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134335.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134335.yml
new file mode 100644
index 0000000..ce84f2e
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134335.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              port: 8200
+              # hostPort: 8200
+              targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134407.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134407.yml
new file mode 100644
index 0000000..bc183db
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134407.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              port: 8200
+              # hostPort: 8200
+              containerPort:: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134409.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134409.yml
new file mode 100644
index 0000000..0f65ec9
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134409.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              port: 8200
+              # hostPort: 8200
+              containerPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134417.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134417.yml
new file mode 100644
index 0000000..ce84f2e
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134417.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              port: 8200
+              # hostPort: 8200
+              targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134421.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134421.yml
new file mode 100644
index 0000000..b81c1cf
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134421.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134425.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134425.yml
new file mode 100644
index 0000000..b81c1cf
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134425.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              targetPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134434.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134434.yml
new file mode 100644
index 0000000..f162211
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134434.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              port: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134440.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134440.yml
new file mode 100644
index 0000000..572c07a
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134440.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              hos: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134443.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134443.yml
new file mode 100644
index 0000000..8ffb033
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134443.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134912.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134912.yml
new file mode 100644
index 0000000..f3a5b6f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134912.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: ClusterIP
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112134953.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112134953.yml
new file mode 100644
index 0000000..470a458
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112134953.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135014.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135014.yml
new file mode 100644
index 0000000..26f238d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135014.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      no
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135016.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135016.yml
new file mode 100644
index 0000000..21d3812
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135016.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      NodePort: 
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135019.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135019.yml
new file mode 100644
index 0000000..f9e2ddd
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135019.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      NodePort: 8200
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135021.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135021.yml
new file mode 100644
index 0000000..f9e2ddd
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135021.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      NodePort: 8200
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135022.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135022.yml
new file mode 100644
index 0000000..f2ea0bd
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135022.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 8200
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135048.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135048.yml
new file mode 100644
index 0000000..84881db
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135048.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 8200
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135059.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135059.yml
new file mode 100644
index 0000000..f2ea0bd
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135059.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 8200
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135112.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135112.yml
new file mode 100644
index 0000000..e3e69d3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135112.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135129.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135129.yml
new file mode 100644
index 0000000..8da5307
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135129.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135138.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135138.yml
new file mode 100644
index 0000000..2b5441b
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135138.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: LoadBalancer
diff --git a/ref-implementation/openbao/manifests/ingress.yaml b/ref-implementation/openbao/manifests/ingress.yaml
new file mode 100644
index 0000000..f75a03d
--- /dev/null
+++ b/ref-implementation/openbao/manifests/ingress.yaml
@@ -0,0 +1,18 @@
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+#   name: openbao-ingress-localhost
+#   namespace: openbao
+
+# spec:
+#   rules:
+#   - host: localhost  # Change this to your domain or leave it as is for local development
+#     http:
+#       paths:
+#       - path: ""
+#         pathType: Exact
+#         backend:
+#           service:
+#             name: openbao
+#             port:
+#               number: 8200  # The port to forward to on your service
diff --git a/ref-implementation/openbao/manifests/manifest.yml b/ref-implementation/openbao/manifests/manifest.yml
index aa8e5ea..2b5441b 100644
--- a/ref-implementation/openbao/manifests/manifest.yml
+++ b/ref-implementation/openbao/manifests/manifest.yml
@@ -24,10 +24,14 @@ spec:
         - name: openbao
           image: openbao/openbao:latest  # Replace with the actual image
           ports:
-            - containerPort: 8200
-          env:
-            - name: BAO_ADDR
-              value: "http://0.0.0.0:8200"
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
 
 ---
 apiVersion: v1
@@ -42,4 +46,5 @@ spec:
     - protocol: TCP
       port: 8200
       targetPort: 8200
-  type: ClusterIP
+      # nodePort: 30000
+  type: LoadBalancer

From 111648d78a68611ff4203aec3f1f88a97244dfbe Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Tue, 12 Nov 2024 13:58:55 +0100
Subject: [PATCH 16/20] node port

---
 .../manifests/manifest_20241112135826.yml     | 50 +++++++++++++++++++
 .../manifests/manifest_20241112135828.yml     | 50 +++++++++++++++++++
 .../manifests/manifest_20241112135835.yml     | 50 +++++++++++++++++++
 .../manifests/manifest_20241112135837.yml     | 50 +++++++++++++++++++
 .../manifests/manifest_20241112135849.yml     | 50 +++++++++++++++++++
 .../openbao/manifests/manifest.yml            |  4 +-
 6 files changed, 252 insertions(+), 2 deletions(-)
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135826.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135828.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135835.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135837.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241112135849.yml

diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135826.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135826.yml
new file mode 100644
index 0000000..056eceb
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135826.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: No
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135828.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135828.yml
new file mode 100644
index 0000000..09680c7
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135828.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: 
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135835.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135835.yml
new file mode 100644
index 0000000..8da5307
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135835.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135837.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135837.yml
new file mode 100644
index 0000000..e3e69d3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135837.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241112135849.yml b/.history/ref-implementation/openbao/manifests/manifest_20241112135849.yml
new file mode 100644
index 0000000..e3e69d3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241112135849.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/ref-implementation/openbao/manifests/manifest.yml b/ref-implementation/openbao/manifests/manifest.yml
index 2b5441b..e3e69d3 100644
--- a/ref-implementation/openbao/manifests/manifest.yml
+++ b/ref-implementation/openbao/manifests/manifest.yml
@@ -46,5 +46,5 @@ spec:
     - protocol: TCP
       port: 8200
       targetPort: 8200
-      # nodePort: 30000
-  type: LoadBalancer
+      nodePort: 30000
+  type: NodePort

From 9fbea8df451213276ab668db885ced07764c8155 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 13 Nov 2024 10:33:41 +0100
Subject: [PATCH 17/20] values.yaml

---
 .../manifests/manifest_20241113093100.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093101.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093110.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093126.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093129.yml     |  0
 .../manifests/manifest_20241113093614.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093615.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093618.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093621.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093625.yml     | 50 ++++++++++++
 .../manifests/manifest_20241113093821.yml     | 52 ++++++++++++
 .../manifests/manifest_20241113093826.yml     | 52 ++++++++++++
 .../manifests/manifest_20241113093827.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113093842.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113093847.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113093851.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113093853.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113093944.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113094042.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113094100.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113094104.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113094154.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113094340.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113094401.yml     | 73 +++++++++++++++++
 .../manifests/manifest_20241113094647.yml     | 81 +++++++++++++++++++
 .../manifests/manifest_20241113095157.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113095238.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113095247.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113100517.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113100529.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113100645.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113100725.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113100745.yml     | 72 +++++++++++++++++
 .../manifests/manifest_20241113100822.yml     | 66 +++++++++++++++
 .../manifests/manifest_20241113100829.yml     | 67 +++++++++++++++
 .../manifests/manifest_20241113100833.yml     | 67 +++++++++++++++
 .../manifests/manifest_20241113100902.yml     | 67 +++++++++++++++
 .../manifests/manifest_20241113101113.yml     | 65 +++++++++++++++
 .../openbao/values_20241113103308.yaml        |  0
 .../openbao/values_20241113103317.yaml        |  1 +
 .../openbao/values_20241113103322.yaml        |  1 +
 .../openbao/values_20241113103326.yaml        |  1 +
 .../openbao_20241113102912.yaml               | 27 +++++++
 .../openbao_20241113103006.yaml               | 27 +++++++
 .../openbao_20241113103024.yaml               | 27 +++++++
 .../openbao_20241113103029.yaml               | 27 +++++++
 ref-implementation/openbao.yaml               | 24 ++++--
 .../openbao/manifests/ingress.yaml            | 18 -----
 ref-implementation/openbao/values.yaml        |  1 +
 49 files changed, 2546 insertions(+), 26 deletions(-)
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093100.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093101.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093110.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093126.yml
 rename ref-implementation/openbao/manifests/manifest.yml => .history/ref-implementation/openbao/manifests/manifest_20241113093129.yml (100%)
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093614.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093615.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093618.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093621.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093625.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093821.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093826.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093827.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093842.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093847.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093851.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093853.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113093944.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113094042.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113094100.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113094104.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113094154.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113094340.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113094401.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113094647.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113095157.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113095238.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113095247.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100517.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100529.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100645.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100725.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100745.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100822.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100829.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100833.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113100902.yml
 create mode 100644 .history/ref-implementation/openbao/manifests/manifest_20241113101113.yml
 create mode 100644 .history/ref-implementation/openbao/values_20241113103308.yaml
 create mode 100644 .history/ref-implementation/openbao/values_20241113103317.yaml
 create mode 100644 .history/ref-implementation/openbao/values_20241113103322.yaml
 create mode 100644 .history/ref-implementation/openbao/values_20241113103326.yaml
 create mode 100644 .history/ref-implementation/openbao_20241113102912.yaml
 create mode 100644 .history/ref-implementation/openbao_20241113103006.yaml
 create mode 100644 .history/ref-implementation/openbao_20241113103024.yaml
 create mode 100644 .history/ref-implementation/openbao_20241113103029.yaml
 delete mode 100644 ref-implementation/openbao/manifests/ingress.yaml
 create mode 100644 ref-implementation/openbao/values.yaml

diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093100.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093100.yml
new file mode 100644
index 0000000..a9c388f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093100.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: HTTO
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093101.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093101.yml
new file mode 100644
index 0000000..ff5a849
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093101.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: HTTP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093110.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093110.yml
new file mode 100644
index 0000000..6c4856f
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093110.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: HTTP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: HTTP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093126.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093126.yml
new file mode 100644
index 0000000..ff5a849
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093126.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: HTTP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/ref-implementation/openbao/manifests/manifest.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093129.yml
similarity index 100%
rename from ref-implementation/openbao/manifests/manifest.yml
rename to .history/ref-implementation/openbao/manifests/manifest_20241113093129.yml
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093614.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093614.yml
new file mode 100644
index 0000000..e3e69d3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093614.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093615.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093615.yml
new file mode 100644
index 0000000..8da5307
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093615.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093618.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093618.yml
new file mode 100644
index 0000000..9b7d979
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093618.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: Load
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093621.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093621.yml
new file mode 100644
index 0000000..f11cbce
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093621.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: Loa
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093625.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093625.yml
new file mode 100644
index 0000000..8da5307
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093625.yml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: NodePort
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093821.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093821.yml
new file mode 100644
index 0000000..2e0b80a
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093821.yml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      # nodePort: 30000
+  type: NodePort
+
+  
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093826.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093826.yml
new file mode 100644
index 0000000..c5989b8
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093826.yml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093827.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093827.yml
new file mode 100644
index 0000000..89d123c
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093827.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: openbao.local  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093842.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093842.yml
new file mode 100644
index 0000000..f59a0ac
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093842.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: openbao.local  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+---                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093847.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093847.yml
new file mode 100644
index 0000000..f2e7b01
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093847.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+  ---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: openbao.local  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+---                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093851.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093851.yml
new file mode 100644
index 0000000..376b905
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093851.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+  ---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: openbao.local  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093853.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093853.yml
new file mode 100644
index 0000000..c8002fb
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093853.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: openbao.local  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113093944.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113093944.yml
new file mode 100644
index 0000000..49eefae
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113093944.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: localhost  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113094042.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113094042.yml
new file mode 100644
index 0000000..0cb99bc
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113094042.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: localhost  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: ""
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113094100.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113094100.yml
new file mode 100644
index 0000000..c8002fb
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113094100.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: openbao.local  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113094104.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113094104.yml
new file mode 100644
index 0000000..49eefae
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113094104.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: localhost  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113094154.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113094154.yml
new file mode 100644
index 0000000..f879eda
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113094154.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: localhost  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113094340.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113094340.yml
new file mode 100644
index 0000000..dbce7b6
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113094340.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: localhost  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: localhost/openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113094401.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113094401.yml
new file mode 100644
index 0000000..f879eda
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113094401.yml
@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: localhost  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao  # References the Service defined above
+                port:
+                  number: 8200  # The port exposed by the Service
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113094647.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113094647.yml
new file mode 100644
index 0000000..2b6727e
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113094647.yml
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+# 4. Ingress (optional for HTTP-based access)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /  # Ensures requests are rewritten to the root path
+spec:
+  rules:
+    - host: localhost  # Replace with your domain or host if you're using DNS
+      http:
+        paths:
+          - path: /ui
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
+          # Optional: Redirect root `/` path to `/ui`
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113095157.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113095157.yml
new file mode 100644
index 0000000..335bdaf
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113095157.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: localhost  # Or replace with your custom hostname if using /etc/hosts
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113095238.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113095238.yml
new file mode 100644
index 0000000..809d96c
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113095238.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: localhost  # Or replace with your custom hostname if using /etc/hosts
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 30000
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113095247.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113095247.yml
new file mode 100644
index 0000000..335bdaf
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113095247.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: localhost  # Or replace with your custom hostname if using /etc/hosts
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100517.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100517.yml
new file mode 100644
index 0000000..2efa4bf
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100517.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: localhost
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100529.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100529.yml
new file mode 100644
index 0000000..bb50907
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100529.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100645.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100645.yml
new file mode 100644
index 0000000..ea5af0d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100645.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100725.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100725.yml
new file mode 100644
index 0000000..6ae7008
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100725.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100745.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100745.yml
new file mode 100644
index 0000000..ea5af0d
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100745.yml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+              # hostPort: 8200
+              # hostPort: 8200
+          # type: LoadBalancer
+          # env:
+          #   - name: BAO_ADDR
+          #     value: "http://0.0.0.0:8200"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100822.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100822.yml
new file mode 100644
index 0000000..6d528b0
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100822.yml
@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100829.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100829.yml
new file mode 100644
index 0000000..a61d0b3
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100829.yml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest  # Replace with the actual image
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100833.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100833.yml
new file mode 100644
index 0000000..6ed5ca2
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100833.yml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+      nodePort: 30000
+  type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113100902.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113100902.yml
new file mode 100644
index 0000000..fa08302
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113100902.yml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+  #     nodePort: 30000
+  # type: NodePort
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/manifests/manifest_20241113101113.yml b/.history/ref-implementation/openbao/manifests/manifest_20241113101113.yml
new file mode 100644
index 0000000..d9f9c28
--- /dev/null
+++ b/.history/ref-implementation/openbao/manifests/manifest_20241113101113.yml
@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openbao
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openbao
+  template:
+    metadata:
+      labels:
+        app: openbao
+    spec:
+      containers:
+        - name: openbao
+          image: openbao/openbao:latest
+          ports:
+            - protocol: TCP
+              containerPort: 8200
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: openbao
+  namespace: openbao
+spec:
+  selector:
+    app: openbao
+  ports:
+    - protocol: TCP
+      port: 8200
+      targetPort: 8200
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: openbao-ingress
+  namespace: openbao
+  # annotations:
+  #   nginx.ingress.kubernetes.io/rewrite-target: /ui
+spec:
+  rules:
+    - host: cnoe.localtest.me
+      http:
+        paths:
+          - path: /openbao
+            pathType: Prefix
+            backend:
+              service:
+                name: openbao
+                port:
+                  number: 8200
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/values_20241113103308.yaml b/.history/ref-implementation/openbao/values_20241113103308.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/.history/ref-implementation/openbao/values_20241113103317.yaml b/.history/ref-implementation/openbao/values_20241113103317.yaml
new file mode 100644
index 0000000..30d74d2
--- /dev/null
+++ b/.history/ref-implementation/openbao/values_20241113103317.yaml
@@ -0,0 +1 @@
+test
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/values_20241113103322.yaml b/.history/ref-implementation/openbao/values_20241113103322.yaml
new file mode 100644
index 0000000..23f90b4
--- /dev/null
+++ b/.history/ref-implementation/openbao/values_20241113103322.yaml
@@ -0,0 +1 @@
+test:123
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/values_20241113103326.yaml b/.history/ref-implementation/openbao/values_20241113103326.yaml
new file mode 100644
index 0000000..07fb25f
--- /dev/null
+++ b/.history/ref-implementation/openbao/values_20241113103326.yaml
@@ -0,0 +1 @@
+test: 123
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao_20241113102912.yaml b/.history/ref-implementation/openbao_20241113102912.yaml
new file mode 100644
index 0000000..164c5fb
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241113102912.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://github.com/argoproj/argo-helm
+      path: charts/argo-cd
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/stacks/core/argocd/values.yaml
+    - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+      targetRevision: HEAD
+      ref: values
diff --git a/.history/ref-implementation/openbao_20241113103006.yaml b/.history/ref-implementation/openbao_20241113103006.yaml
new file mode 100644
index 0000000..4879383
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241113103006.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://github.com/openbao/openbao-helm.git
+      path: charts/argo-cd
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/stacks/core/argocd/values.yaml
+    - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+      targetRevision: HEAD
+      ref: values
diff --git a/.history/ref-implementation/openbao_20241113103024.yaml b/.history/ref-implementation/openbao_20241113103024.yaml
new file mode 100644
index 0000000..dbd59b5
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241113103024.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://github.com/openbao/openbao-helm.git
+      path: charts/openbao
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/stacks/core/argocd/values.yaml
+    - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+      targetRevision: HEAD
+      ref: values
diff --git a/.history/ref-implementation/openbao_20241113103029.yaml b/.history/ref-implementation/openbao_20241113103029.yaml
new file mode 100644
index 0000000..8d66475
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241113103029.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://github.com/openbao/openbao-helm.git
+      path: charts/openbao
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/stacks/core/openbao/values.yaml
+    - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+      targetRevision: HEAD
+      ref: values
diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml
index d06ab5e..8d66475 100644
--- a/ref-implementation/openbao.yaml
+++ b/ref-implementation/openbao.yaml
@@ -1,19 +1,27 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: openbao
+  name: argocd
   namespace: argocd
+  labels:
+    env: dev
 spec:
-  destination:
-    namespace: openbao
-    server: "https://kubernetes.default.svc"
-  source:
-    repoURL: cnoe://openbao/manifests
-    targetRevision: HEAD
-    path: "."
   project: default
   syncPolicy:
     automated:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://github.com/openbao/openbao-helm.git
+      path: charts/openbao
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/stacks/core/openbao/values.yaml
+    - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+      targetRevision: HEAD
+      ref: values
diff --git a/ref-implementation/openbao/manifests/ingress.yaml b/ref-implementation/openbao/manifests/ingress.yaml
deleted file mode 100644
index f75a03d..0000000
--- a/ref-implementation/openbao/manifests/ingress.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# apiVersion: networking.k8s.io/v1
-# kind: Ingress
-# metadata:
-#   name: openbao-ingress-localhost
-#   namespace: openbao
-
-# spec:
-#   rules:
-#   - host: localhost  # Change this to your domain or leave it as is for local development
-#     http:
-#       paths:
-#       - path: ""
-#         pathType: Exact
-#         backend:
-#           service:
-#             name: openbao
-#             port:
-#               number: 8200  # The port to forward to on your service
diff --git a/ref-implementation/openbao/values.yaml b/ref-implementation/openbao/values.yaml
new file mode 100644
index 0000000..07fb25f
--- /dev/null
+++ b/ref-implementation/openbao/values.yaml
@@ -0,0 +1 @@
+test: 123
\ No newline at end of file

From 384dff1c3e52ee4ecc91bb94e13de17881fe4302 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 13 Nov 2024 10:45:28 +0100
Subject: [PATCH 18/20] test

---
 .../openbao_20241113104501.yaml               | 27 +++++++++++++++++++
 ref-implementation/openbao.yaml               |  6 ++---
 2 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 .history/ref-implementation/openbao_20241113104501.yaml

diff --git a/.history/ref-implementation/openbao_20241113104501.yaml b/.history/ref-implementation/openbao_20241113104501.yaml
new file mode 100644
index 0000000..b2e7e7f
--- /dev/null
+++ b/.history/ref-implementation/openbao_20241113104501.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  labels:
+    env: dev
+spec:
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  destination:
+    name: in-cluster
+    namespace: argocd
+  sources:
+    - repoURL: https://github.com/openbao/openbao-helm.git
+      path: charts/openbao
+      targetRevision: HEAD
+      helm:
+        valueFiles:
+          - $values/stacks/core/openbao/values.yaml
+    # - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+    #   targetRevision: HEAD
+    #   ref: values
diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml
index 8d66475..b2e7e7f 100644
--- a/ref-implementation/openbao.yaml
+++ b/ref-implementation/openbao.yaml
@@ -22,6 +22,6 @@ spec:
       helm:
         valueFiles:
           - $values/stacks/core/openbao/values.yaml
-    - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
-      targetRevision: HEAD
-      ref: values
+    # - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+    #   targetRevision: HEAD
+    #   ref: values

From 71223f2f6726c8eb4726af82e2fa757402f59d77 Mon Sep 17 00:00:00 2001
From: miwr <michal.wrobel@telekom.de>
Date: Wed, 13 Nov 2024 10:51:48 +0100
Subject: [PATCH 19/20] global:   domain: cnoe.localtest.me

---
 .history/ref-implementation/openbao/values_20241113105141.yaml | 2 ++
 .history/ref-implementation/openbao/values_20241113105142.yaml | 2 ++
 ref-implementation/openbao/values.yaml                         | 3 ++-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 .history/ref-implementation/openbao/values_20241113105141.yaml
 create mode 100644 .history/ref-implementation/openbao/values_20241113105142.yaml

diff --git a/.history/ref-implementation/openbao/values_20241113105141.yaml b/.history/ref-implementation/openbao/values_20241113105141.yaml
new file mode 100644
index 0000000..623e208
--- /dev/null
+++ b/.history/ref-implementation/openbao/values_20241113105141.yaml
@@ -0,0 +1,2 @@
+global:
+  domain: cnoe.localtest.me
\ No newline at end of file
diff --git a/.history/ref-implementation/openbao/values_20241113105142.yaml b/.history/ref-implementation/openbao/values_20241113105142.yaml
new file mode 100644
index 0000000..623e208
--- /dev/null
+++ b/.history/ref-implementation/openbao/values_20241113105142.yaml
@@ -0,0 +1,2 @@
+global:
+  domain: cnoe.localtest.me
\ No newline at end of file
diff --git a/ref-implementation/openbao/values.yaml b/ref-implementation/openbao/values.yaml
index 07fb25f..623e208 100644
--- a/ref-implementation/openbao/values.yaml
+++ b/ref-implementation/openbao/values.yaml
@@ -1 +1,2 @@
-test: 123
\ No newline at end of file
+global:
+  domain: cnoe.localtest.me
\ No newline at end of file

From d8104418cffb81a422682c9ddf54d70070782bc6 Mon Sep 17 00:00:00 2001
From: "Michal.Wrobel" <Michal.Wrobel@telekom.de>
Date: Wed, 13 Nov 2024 09:58:36 +0000
Subject: [PATCH 20/20] ref-implementation/openbao.yaml aktualisiert

---
 ref-implementation/openbao.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ref-implementation/openbao.yaml b/ref-implementation/openbao.yaml
index b2e7e7f..c30e2dd 100644
--- a/ref-implementation/openbao.yaml
+++ b/ref-implementation/openbao.yaml
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: argocd
+  name: openbao
   namespace: argocd
   labels:
     env: dev
@@ -14,7 +14,7 @@ spec:
       - CreateNamespace=true
   destination:
     name: in-cluster
-    namespace: argocd
+    namespace: openbao
   sources:
     - repoURL: https://github.com/openbao/openbao-helm.git
       path: charts/openbao
@@ -22,6 +22,6 @@ spec:
       helm:
         valueFiles:
           - $values/stacks/core/openbao/values.yaml
-    # - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
-    #   targetRevision: HEAD
-    #   ref: values
+    - repoURL: https://gitea.cnoe.localtest.me/giteaAdmin/edfbuilder-shoot
+      targetRevision: HEAD
+      ref: values