From d6c7f7e5fa614fa4424adf6565735d372d1831bc Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Mon, 22 Jan 2024 22:50:11 +0530 Subject: [PATCH 01/13] Changes to support pod and container security context for Portal charts --- .../templates/broker/broker-statefulset.yaml | 10 +++ .../coordinator/coordinator-statefulset.yaml | 10 +++ .../historical/historical-statefulset.yaml | 12 ++- .../ingestion/ingestion-deployment.yaml | 10 +++ .../templates/kafka/kafka-statefulset.yaml | 12 ++- .../middlemanager-statefulset.yaml | 10 +++ .../templates/minio/minio-statefulset.yaml | 14 +++- .../zookeeper/zookeeper-statefulset.yaml | 12 ++- .../analytics-deployment.yaml | 10 +++ .../templates/apim/apim-deployment.yaml | 10 +++ .../authenticator-deployment.yaml | 10 +++ .../dispatcher/dispatcher-deployment.yaml | 10 +++ .../portal-data/portal-data-deployment.yaml | 10 +++ .../portal-enterprise-deployment.yaml | 10 +++ .../templates/pssg/pssg-deployment.yaml | 10 +++ .../tenant-provisioner-deployment.yaml | 10 +++ charts/portal/values.yaml | 82 +++++++++++++++++++ 17 files changed, 243 insertions(+), 9 deletions(-) diff --git a/charts/druid/templates/broker/broker-statefulset.yaml b/charts/druid/templates/broker/broker-statefulset.yaml index c0266d89..854f8c3a 100644 --- a/charts/druid/templates/broker/broker-statefulset.yaml +++ b/charts/druid/templates/broker/broker-statefulset.yaml 
@@ -41,10 +41,20 @@ spec: {{- if .Values.broker.tolerations }} tolerations: {{- toYaml .Values.broker.tolerations | nindent 12 }} {{- end }} + {{- if .Values.broker.podSecurityContext }} + securityContext: {{- toYaml .Values.broker.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: broker image: "{{ .Values.global.portalRepository }}{{ .Values.image.broker }}" imagePullPolicy: "{{ .Values.broker.image.pullPolicy }}" + {{- if .Values.broker.containerSecurityContext }} + securityContext: {{- toYaml .Values.broker.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} envFrom: - configMapRef: name: broker-config diff --git a/charts/druid/templates/coordinator/coordinator-statefulset.yaml b/charts/druid/templates/coordinator/coordinator-statefulset.yaml index 1e227c73..6c8e7a75 100644 --- a/charts/druid/templates/coordinator/coordinator-statefulset.yaml +++ b/charts/druid/templates/coordinator/coordinator-statefulset.yaml 
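Review bot: The `if … else if` around `securityContext` in the broker pod spec and container picks one map wholesale, so a component that sets any key under `broker.podSecurityContext` or `broker.containerSecurityContext` drops every key from the matching `global.*` map instead of inheriting it. An operator who puts a baseline such as `runAsNonRoot` in `global` and then overrides one field for a component loses the baseline there without any render error. The same pattern is repeated in the coordinator, historical, ingestion, kafka, middlemanager and zookeeper templates and in the portal deployments. Either merge the two maps in the template or state the rule next to the values, e.g. `# replaces global.podSecurityContext entirely when non-empty; keys are not merged`.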
@@ -41,10 +41,20 @@ spec: {{- if .Values.coordinator.tolerations }} tolerations: {{- toYaml .Values.coordinator.tolerations | nindent 12 }} {{- end }} + {{- if .Values.coordinator.podSecurityContext }} + securityContext: {{- toYaml .Values.coordinator.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: coordinator image: "{{ .Values.global.portalRepository }}{{ .Values.image.coordinator }}" imagePullPolicy: "{{ .Values.coordinator.image.pullPolicy }}" + {{- if .Values.coordinator.containerSecurityContext }} + securityContext: {{- toYaml .Values.coordinator.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/historical/historical-statefulset.yaml b/charts/druid/templates/historical/historical-statefulset.yaml index 3204dbcc..986b9887 100644 --- a/charts/druid/templates/historical/historical-statefulset.yaml +++ b/charts/druid/templates/historical/historical-statefulset.yaml 
@@ -41,12 +41,20 @@ spec: {{- if .Values.historical.tolerations }} tolerations: {{- toYaml .Values.historical.tolerations | nindent 12 }} {{- end }} - securityContext: - fsGroup: 1010 + {{- if .Values.historical.podSecurityContext }} + securityContext: {{- toYaml .Values.historical.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: historical image: "{{ .Values.global.portalRepository }}{{ .Values.image.historical }}" imagePullPolicy: "{{ .Values.historical.image.pullPolicy }}" + {{- if .Values.historical.containerSecurityContext }} + securityContext: {{- toYaml .Values.historical.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/ingestion/ingestion-deployment.yaml b/charts/druid/templates/ingestion/ingestion-deployment.yaml index e3435edf..e3e546a9 100644 --- a/charts/druid/templates/ingestion/ingestion-deployment.yaml +++ b/charts/druid/templates/ingestion/ingestion-deployment.yaml 
@@ -42,10 +42,20 @@ spec: {{- if .Values.ingestion.tolerations }} tolerations: {{- toYaml .Values.ingestion.tolerations | nindent 12 }} {{- end }} + {{- if .Values.ingestion.podSecurityContext }} + securityContext: {{- toYaml .Values.ingestion.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: ingestion-server image: "{{ .Values.global.portalRepository }}{{ .Values.image.ingestion }}" imagePullPolicy: "{{ .Values.ingestion.image.pullPolicy }}" + {{- if .Values.ingestion.containerSecurityContext }} + securityContext: {{- toYaml .Values.ingestion.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/kafka/kafka-statefulset.yaml b/charts/druid/templates/kafka/kafka-statefulset.yaml index 8c57e5a6..fcd17b34 100644 --- a/charts/druid/templates/kafka/kafka-statefulset.yaml +++ b/charts/druid/templates/kafka/kafka-statefulset.yaml 
@@ -41,12 +41,20 @@ spec: {{- if .Values.kafka.tolerations }} tolerations: {{- toYaml .Values.kafka.tolerations | nindent 12 }} {{- end }} - securityContext: - fsGroup: 1010 + {{- if .Values.kafka.podSecurityContext }} + securityContext: {{- toYaml .Values.kafka.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: kafka image: "{{ .Values.global.portalRepository }}{{ .Values.image.kafka }}" imagePullPolicy: "{{ .Values.kafka.image.pullPolicy }}" + {{- if .Values.kafka.containerSecurityContext }} + securityContext: {{- toYaml .Values.kafka.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} envFrom: - configMapRef: name: kafka-config diff --git a/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml b/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml index ab375dbf..e1eacd5c 100644 --- a/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml +++ b/charts/druid/templates/middlemanager/middlemanager-statefulset.yaml 
@@ -41,10 +41,20 @@ spec: {{- if .Values.middlemanager.tolerations }} tolerations: {{- toYaml .Values.middlemanager.tolerations | nindent 12 }} {{- end }} + {{- if .Values.middlemanager.podSecurityContext }} + securityContext: {{- toYaml .Values.middlemanager.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: middlemanager image: "{{ .Values.global.portalRepository }}{{ .Values.image.middlemanager }}" imagePullPolicy: "{{ .Values.middlemanager.image.pullPolicy }}" + {{- if .Values.middlemanager.containerSecurityContext }} + securityContext: {{- toYaml .Values.middlemanager.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/minio/minio-statefulset.yaml b/charts/druid/templates/minio/minio-statefulset.yaml index 08686ee7..6ab43c22 100644 --- a/charts/druid/templates/minio/minio-statefulset.yaml +++ b/charts/druid/templates/minio/minio-statefulset.yaml 
@@ -42,8 +42,16 @@ spec: {{- if .Values.minio.tolerations }} tolerations: {{- toYaml .Values.minio.tolerations | nindent 12 }} {{- end }} - securityContext: - fsGroup: 1010 + {{- if .Values.minio.podSecurityContext }} + securityContext: {{- toYaml .Values.minio.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} + {{- if .Values.minio.containerSecurityContext }} + securityContext: {{- toYaml .Values.minio.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} containers: {{ $address := print ".minio." .Release.Namespace ".svc.cluster.local/opt/data" }} - command: @@ -56,7 +64,7 @@ spec: {{ end }} name: minio image: "{{ .Values.global.portalRepository }}{{ .Values.image.minio }}" - imagePullPolicy: "{{ .Values.minio.image.pullPolicy }}" + imagePullPolicy: "{{ .Values.minio.image.pullPolicy }}" env: - name: MINIO_ACCESS_KEY valueFrom: diff --git a/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml b/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml index 2934f0a7..7a4988a8 100644 --- a/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml +++ b/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml 
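Review bot: In the first minio hunk the `containerSecurityContext` block is added directly after the pod-level block and before `containers:`, so as shown both render a `securityContext` key in the pod spec and none lands on the `minio` container. When both values are set the manifest carries a duplicate key: depending on the parser it is rejected or the later map wins, and container-only fields such as `allowPrivilegeEscalation` or `capabilities` are not fields of a pod security context. The other Druid templates in this patch place the block after `imagePullPolicy`; moving these five lines below the `imagePullPolicy` line of the `minio` container would match them. The second minio hunk changes only whitespace on that line.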
@@ -44,12 +44,20 @@ spec: {{- if .Values.zookeeper.tolerations }} tolerations: {{- toYaml .Values.zookeeper.tolerations | nindent 12 }} {{- end }} - securityContext: - fsGroup: 1010 + {{- if .Values.zookeeper.podSecurityContext }} + securityContext: {{- toYaml .Values.zookeeper.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: zookeeper image: "{{ .Values.global.portalRepository }}{{ .Values.image.zookeeper }}" imagePullPolicy: "{{ .Values.zookeeper.image.pullPolicy }}" + {{- if .Values.zookeeper.containerSecurityContext }} + securityContext: {{- toYaml .Values.zookeeper.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} ports: - containerPort: 2181 - containerPort: 2888 diff --git a/charts/portal/templates/analytics-server/analytics-deployment.yaml b/charts/portal/templates/analytics-server/analytics-deployment.yaml index 58c14e74..276f5a3a 100644 --- a/charts/portal/templates/analytics-server/analytics-deployment.yaml +++ b/charts/portal/templates/analytics-server/analytics-deployment.yaml @@ -47,6 +47,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.analytics.podSecurityContext }} + securityContext: {{- toYaml .Values.analytics.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" 
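Review bot: In the analytics deployment hunk at the end of this line the pod gets a `securityContext`, but the `liquidbase-upgrade-portal` init container shown in the context receives no container-level one; the second analytics hunk adds `containerSecurityContext` only to `analytics-server`. Container-only settings such as `allowPrivilegeEscalation`, `capabilities` or `readOnlyRootFilesystem` therefore never reach the init container, and a namespace enforcing the restricted Pod Security Standard would reject the pod for that container alone. The rest of the init container lies between the two hunks and is not visible, so this is inferred from the absence of any added line there. The apim, authenticator, portal-data, portal-enterprise, pssg and tenant-provisioner deployments show the same shape; rendering the same `securityContext` block under each init container would close the gap.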
@@ -58,6 +63,11 @@ spec: - name: analytics-server image: "{{ .Values.global.portalRepository }}{{ .Values.image.analytics }}" imagePullPolicy: "{{ .Values.analytics.image.pullPolicy }}" + {{- if .Values.analytics.containerSecurityContext }} + securityContext: {{- toYaml .Values.analytics.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_PASSWORD valueFrom: diff --git a/charts/portal/templates/apim/apim-deployment.yaml b/charts/portal/templates/apim/apim-deployment.yaml index 797d5fc3..c23544d9 100644 --- a/charts/portal/templates/apim/apim-deployment.yaml +++ b/charts/portal/templates/apim/apim-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.apim.podSecurityContext }} + securityContext: {{- toYaml .Values.apim.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: apim image: "{{ .Values.global.portalRepository }}{{ .Values.image.apim }}" imagePullPolicy: {{ .Values.apim.image.pullPolicy | quote }} + {{- if .Values.apim.containerSecurityContext }} + securityContext: {{- toYaml .Values.apim.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_DEFAULT_PASS valueFrom: diff --git a/charts/portal/templates/authenticator/authenticator-deployment.yaml b/charts/portal/templates/authenticator/authenticator-deployment.yaml index dc56fd90..cc4566de 100644 
--- a/charts/portal/templates/authenticator/authenticator-deployment.yaml +++ b/charts/portal/templates/authenticator/authenticator-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.authenticator.podSecurityContext }} + securityContext: {{- toYaml .Values.authenticator.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: authenticator image: "{{ .Values.global.portalRepository }}{{ .Values.image.authenticator }}" imagePullPolicy: "{{ .Values.authenticator.image.pullPolicy }}" + {{- if .Values.authenticator.containerSecurityContext }} + securityContext: {{- toYaml .Values.authenticator.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_PASSWORD valueFrom: diff --git a/charts/portal/templates/dispatcher/dispatcher-deployment.yaml b/charts/portal/templates/dispatcher/dispatcher-deployment.yaml index 097c4a71..50760755 100644 --- a/charts/portal/templates/dispatcher/dispatcher-deployment.yaml +++ b/charts/portal/templates/dispatcher/dispatcher-deployment.yaml 
@@ -43,10 +43,20 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.dispatcher.podSecurityContext }} + securityContext: {{- toYaml .Values.dispatcher.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} containers: - name: dispatcher image: "{{ .Values.global.portalRepository }}{{ .Values.image.dispatcher }}" imagePullPolicy: "{{ .Values.dispatcher.image.pullPolicy }}" + {{- if .Values.dispatcher.containerSecurityContext }} + securityContext: {{- toYaml .Values.dispatcher.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: HTTPD_SSL_KEY valueFrom: diff --git a/charts/portal/templates/portal-data/portal-data-deployment.yaml b/charts/portal/templates/portal-data/portal-data-deployment.yaml index 367f9601..bbccea67 100644 --- a/charts/portal/templates/portal-data/portal-data-deployment.yaml +++ b/charts/portal/templates/portal-data/portal-data-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.portalData.podSecurityContext }} + securityContext: {{- toYaml .Values.portalData.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" 
@@ -54,6 +59,11 @@ spec: - name: portal-data image: "{{ .Values.global.portalRepository }}{{ .Values.image.data }}" imagePullPolicy: "{{ .Values.portalData.image.pullPolicy }}" + {{- if .Values.portalData.containerSecurityContext }} + securityContext: {{- toYaml .Values.portalData.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_DEFAULT_PASS valueFrom: diff --git a/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml b/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml index 3cc8d3dd..580bc2c4 100644 --- a/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml +++ b/charts/portal/templates/portal-enterprise/portal-enterprise-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.portalEnterprise.podSecurityContext }} + securityContext: {{- toYaml .Values.portalEnterprise.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: portal-enterprise image: "{{ .Values.global.portalRepository }}{{ .Values.image.enterprise }}" imagePullPolicy: "{{ .Values.portalEnterprise.image.pullPolicy }}" + {{- if .Values.portalEnterprise.containerSecurityContext }} + securityContext: {{- toYaml .Values.portalEnterprise.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: RABBITMQ_DEFAULT_PASS valueFrom: 
diff --git a/charts/portal/templates/pssg/pssg-deployment.yaml b/charts/portal/templates/pssg/pssg-deployment.yaml index 161b5191..f768d28c 100644 --- a/charts/portal/templates/pssg/pssg-deployment.yaml +++ b/charts/portal/templates/pssg/pssg-deployment.yaml @@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.pssg.podSecurityContext }} + securityContext: {{- toYaml .Values.pssg.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: pssg image: "{{ .Values.global.portalRepository }}{{ .Values.image.pssg }}" imagePullPolicy: "{{ .Values.pssg.image.pullPolicy }}" + {{- if .Values.pssg.containerSecurityContext }} + securityContext: {{- toYaml .Values.pssg.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: SSG_ADMIN_USERNAME valueFrom: diff --git a/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml b/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml index e13d9fb1..9b8fa618 100644 --- a/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml +++ b/charts/portal/templates/tenant-provisioner/tenant-provisioner-deployment.yaml 
@@ -43,6 +43,11 @@ spec: {{- if .Values.global.schedulerName }} schedulerName: "{{ .Values.global.schedulerName }}" {{- end }} + {{- if .Values.tenantProvisioner.podSecurityContext }} + securityContext: {{- toYaml .Values.tenantProvisioner.podSecurityContext | nindent 12 }} + {{- else if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- end }} initContainers: - name: liquidbase-upgrade-portal image: "{{ .Values.global.portalRepository }}{{ .Values.image.upgradeVerify }}" @@ -54,6 +59,11 @@ spec: - name: tenant-provisioner-service image: "{{ .Values.global.portalRepository }}{{ .Values.image.tps }}" imagePullPolicy: "{{ .Values.tenantProvisioner.image.pullPolicy }}" + {{- if .Values.tenantProvisioner.containerSecurityContext }} + securityContext: {{- toYaml .Values.tenantProvisioner.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} ports: - containerPort: 9000 protocol: TCP diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml index 893aea5d..02427e51 100644 --- a/charts/portal/values.yaml +++ b/charts/portal/values.yaml @@ -23,6 +23,11 @@ global: legacyHostnames: false legacyDatabaseNames: false subdomainPrefix: dev-portal + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} helpPage: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/5-2/ # storageClass: "_" # schedulerName: 
@@ -183,6 +188,10 @@ analytics: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -211,6 +220,10 @@ apim: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 1000m @@ -238,6 +251,10 @@ authenticator: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 250m @@ -264,6 +281,10 @@ dispatcher: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m 
@@ -319,6 +340,10 @@ portalData: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -346,6 +371,10 @@ portalEnterprise: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 250m @@ -372,6 +401,10 @@ pssg: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -399,6 +432,10 @@ tenantProvisioner: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m 
@@ -452,6 +489,11 @@ druid: # consider changing to mode... standalone/distributed. # Once Portal is installed, minio can not be scaled up or down. replicaCount: 1 + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} image: pullPolicy: IfNotPresent auth: @@ -501,6 +543,11 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: limits: {} # memory: 256Mi @@ -518,6 +565,10 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: limits: {} # memory: 512Mi @@ -535,6 +586,11 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -554,6 +610,10 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # memory: 1Gi 
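Review bot: The new `podSecurityContext` defaults in the hunks at -452, -501 and -535 (and -571 on the next line) set `fsGroup: 1001`, while the templates in this patch remove a hard-coded `fsGroup: 1010` from the historical, kafka, minio and zookeeper pods. If these are the same four components, the group changes on upgrade for volumes that were provisioned under 1010; confirm that 1001 is intended and matches the images. `runAsNonRoot: true` is also set without `runAsUser`, which the kubelet can only verify when the image declares a numeric non-root user; otherwise the container fails to start. Because these component maps are non-empty, `global.podSecurityContext` is never applied to these pods.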
@@ -571,6 +631,11 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # memory: 2Gi @@ -589,6 +654,10 @@ druid: image: pullPolicy: IfNotPresent portName: ingestion-svc + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # cpu: 100m @@ -608,6 +677,10 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: {} # memory: 4Gi @@ -740,6 +813,9 @@ jobs: mysql: image: tag: "8.0.31-debian-11-r36" + serviceAccount: + create: false + name: "default" auth: username: portal existingSecret: database-secret @@ -754,6 +830,12 @@ mysql: elevate-admin.sql: | GRANT ALL PRIVILEGES ON *.* TO 'portal'@'%'; FLUSH PRIVILEGES; primary: + # podSecurityContext: + # enabled: true + # fsGroup: 1000760000 + # containerSecurityContext: + # enabled: true + # runAsUser: 1000760000 configuration: |- [client] port=3306 From 3485033761cbd04cb972bffe489bdeeb981ac594 Mon Sep 17 00:00:00 2001 
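Review bot: The mysql hunk at -740 sets `serviceAccount.create: false` with `name: "default"`, which runs the database pod under the namespace's shared default service account. Any role binding or security context constraint granted to that account so that mysql can start is then also held by every other pod in the namespace that does not name its own account. A dedicated service account for mysql would keep such a grant scoped to the database. The commented-out `fsGroup`/`runAsUser` values in the following hunk look like one cluster's allocated ID range, so the comment should say so, e.g. `# example only: use the UID/GID range assigned to your namespace`.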
From: Kiran Saladi Date: Tue, 23 Jan 2024 14:41:21 +0530 Subject: [PATCH 02/13] Changes to support pod and container security context for Portal charts --- charts/portal/README.md | 5 ++ .../templates/jobs/cert-update-job.yaml | 6 ++ .../portal/templates/jobs/db-upgrade-job.yaml | 6 ++ .../templates/jobs/rbac-upgrade-job.yaml | 6 ++ charts/portal/values-production.yaml | 72 +++++++++++++++++++ charts/portal/values.yaml | 19 +++-- 6 files changed, 103 insertions(+), 11 deletions(-) diff --git a/charts/portal/README.md b/charts/portal/README.md index 6c6975eb..8dc432ca 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md @@ -195,6 +195,9 @@ This section describes configurable parameters in **values.yaml**, there is also | `global.schedulerName` | Global Scheduler name for Portal + Analytics, this doesn't apply to other subcharts | `not set` | | `global.saas` | Reserved | `not set` | | `global.additionalLabels` | A list of custom key: value labels applied to all components | `not set` | +| `global.podSecurityContext` | Same settings are applied to all portal microservices. For more details see [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | +| `global.containerSecurityContext` | Same settings are applied to all portal microservices. For more details see [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | + ### Portal Parameters | Parameter | Description | Default | 
@@ -272,6 +275,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `analytics.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `analytics.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `analytics.pdb.minAvailable` | Minimum number of available pods | `1` | +| `analytics.podSecurityContext` | Pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `analytics.containerSecurityContext` | Container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `analytics.strategy` | Update strategy | `{} evaluated as a template` | | `analytics.resources` | Resource request/limits | `{} evaluated as a template` | | `analytics.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | diff --git a/charts/portal/templates/jobs/cert-update-job.yaml b/charts/portal/templates/jobs/cert-update-job.yaml index fd261fb2..bc622dab 100644 --- a/charts/portal/templates/jobs/cert-update-job.yaml +++ b/charts/portal/templates/jobs/cert-update-job.yaml @@ -24,10 +24,16 @@ spec: spec: serviceAccountName: {{ include "portal.serviceAccountName" . }} restartPolicy: Never + {{- if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: {{ .Release.Name }}-tls-manager image: "{{ .Values.global.portalRepository }}{{ .Values.image.tlsManager }}" imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + {{- if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 10 }} + {{- end }} env: - name: P12_INTERNAL_PASS valueFrom: diff --git a/charts/portal/templates/jobs/db-upgrade-job.yaml b/charts/portal/templates/jobs/db-upgrade-job.yaml index dded490d..e33acc14 100644 
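Review bot: In cert-update-job.yaml both `securityContext` blocks are read only from `.Values.global.*`, so the Job has no per-job override; db-upgrade-job.yaml and rbac-upgrade-job.yaml in this commit follow the same pattern. The README rows added later in this series describe `jobs.podSecurityContext` and `jobs.containerSecurityContext` as overriding the global values, which these templates would not honour unless a later patch changes them. Checking the job key first would match that documentation: `{{- if .Values.jobs.podSecurityContext }}` with `{{- else if .Values.global.podSecurityContext }}` as the fallback, and likewise for the container block. The container block here uses `nindent 10` while the other two job templates use `nindent 12`; the original indentation is not recoverable in this view, so the rendered manifests are worth checking with `helm template`. The Job spec continues outside the hunk.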
--- a/charts/portal/templates/jobs/db-upgrade-job.yaml +++ b/charts/portal/templates/jobs/db-upgrade-job.yaml @@ -22,10 +22,16 @@ spec: template: spec: serviceAccountName: {{ include "portal.serviceAccountName" . }} + {{- if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: db-upgrade image: "{{ .Values.global.portalRepository }}{{ .Values.image.dbUpgrade }}" imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + {{- if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: HOST {{ if .Values.global.setupDemoDatabase }} diff --git a/charts/portal/templates/jobs/rbac-upgrade-job.yaml b/charts/portal/templates/jobs/rbac-upgrade-job.yaml index 689acc2e..b6c7de17 100644 --- a/charts/portal/templates/jobs/rbac-upgrade-job.yaml +++ b/charts/portal/templates/jobs/rbac-upgrade-job.yaml @@ -22,10 +22,16 @@ spec: template: spec: serviceAccountName: {{ include "portal.serviceAccountName" . }} + {{- if .Values.global.podSecurityContext }} + securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 8 }} + {{- end }} containers: - name: rbac-upgrade image: "{{ .Values.global.portalRepository }}{{ .Values.image.rbacUpgrade }}" imagePullPolicy: {{ .Values.jobs.image.pullPolicy }} + {{- if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: HOST {{ if .Values.global.setupDemoDatabase }} diff --git a/charts/portal/values-production.yaml b/charts/portal/values-production.yaml index c4fef581..8cba60de 100644 --- a/charts/portal/values-production.yaml +++ b/charts/portal/values-production.yaml 
@@ -23,6 +23,10 @@ global: legacyHostnames: false legacyDatabaseNames: false subdomainPrefix: dev-portal + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} helpPage: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/5-2/ # storageClass: "_" # schedulerName: @@ -181,6 +185,10 @@ analytics: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -218,6 +226,10 @@ apim: rollingUpdate: maxSurge: 2 maxUnavailable: 2 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 1000m @@ -254,6 +266,10 @@ authenticator: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 250m 
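Review bot: Every `containerSecurityContext` in values-production.yaml is added as `{}`, from the global key in this hunk through the per-service and druid hunks that follow, so a production install applies no container-level restriction unless the operator writes one. A commented baseline under the global key would give operators a starting point: `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`. Whether the portal images run under those settings is not visible here, so they should be tested before they become defaults. The README rows added in this commit give the default of `global.podSecurityContext` as `[]`, while this file sets it to `{}`.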
@@ -289,6 +305,10 @@ dispatcher: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -353,6 +373,10 @@ portalData: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -389,6 +413,10 @@ portalEnterprise: rollingUpdate: maxSurge: 1 maxUnavailable: 0 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 250m @@ -424,6 +452,10 @@ pssg: rollingUpdate: maxSurge: 2 maxUnavailable: 2 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m 
@@ -460,6 +492,10 @@ tenantProvisioner: rollingUpdate: maxSurge: 1 maxUnavailable: 1 + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -518,6 +554,11 @@ druid: # consider changing to mode... standalone/distributed. # Once Portal is installed, minio can not be scaled up or down. replicaCount: 4 + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} image: pullPolicy: IfNotPresent pdb: @@ -581,6 +622,11 @@ druid: create: false maxUnavailable: "" minAvailable: "" + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: limits: memory: 256Mi @@ -608,6 +654,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: limits: memory: 512Mi @@ -634,6 +684,11 @@ druid: create: false maxUnavailable: "" minAvailable: "" + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m 
@@ -662,6 +717,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: memory: 1Gi @@ -688,6 +747,11 @@ druid: create: false maxUnavailable: "" minAvailable: "" + podSecurityContext: + fsGroup: 1001 + runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: memory: 2Gi @@ -715,6 +779,10 @@ druid: maxUnavailable: "" minAvailable: "" portName: ingestion-svc + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: cpu: 100m @@ -743,6 +811,10 @@ druid: create: false maxUnavailable: "" minAvailable: "" + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} resources: requests: memory: 4Gi diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml index 02427e51..4f95c404 100644 --- a/charts/portal/values.yaml +++ b/charts/portal/values.yaml 
@@ -25,7 +25,6 @@ global: subdomainPrefix: dev-portal # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod podSecurityContext: {} - # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} helpPage: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/5-2/ @@ -491,7 +490,7 @@ druid: replicaCount: 1 podSecurityContext: fsGroup: 1001 - runAsNonRoot: true + runAsNonRoot: true # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} image: @@ -813,9 +812,6 @@ jobs: mysql: image: tag: "8.0.31-debian-11-r36" - serviceAccount: - create: false - name: "default" auth: username: portal existingSecret: database-secret @@ -830,12 +826,13 @@ mysql: elevate-admin.sql: | GRANT ALL PRIVILEGES ON *.* TO 'portal'@'%'; FLUSH PRIVILEGES; primary: - # podSecurityContext: - # enabled: true - # fsGroup: 1000760000 - # containerSecurityContext: - # enabled: true - # runAsUser: 1000760000 + # primary: + # podSecurityContext: + # enabled: true + # fsGroup: 100 + # containerSecurityContext: + # enabled: true + # runAsUser: 1001 configuration: |- [client] port=3306 From f3df7d3e2554e73575dfd174ec363a2dd389b2e7 Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Tue, 23 Jan 2024 14:49:44 +0530 Subject: [PATCH 03/13] Changes to support pod and container security context for Portal charts --- charts/portal/README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/charts/portal/README.md b/charts/portal/README.md index 8dc432ca..f8bb9d31 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md 
@@ -195,8 +195,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `global.schedulerName` | Global Scheduler name for Portal + Analytics, this doesn't apply to other subcharts | `not set` | | `global.saas` | Reserved | `not set` | | `global.additionalLabels` | A list of custom key: value labels applied to all components | `not set` | -| `global.podSecurityContext` | Same settings are applied to all portal microservices. For more details see [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) | `[]` | -| `global.containerSecurityContext` | Same settings are applied to all portal microservices. For more details see [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) | `{}` | +| `global.podSecurityContext` | [Pod Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) settings are applied to all portal microservices. | `[]` | +| `global.containerSecurityContext` | [Container Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) settings are applied to all portal microservices. | `{}` | ### Portal Parameters 
@@ -275,8 +275,8 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `analytics.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `analytics.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `analytics.pdb.minAvailable` | Minimum number of available pods | `1` |
-| `analytics.podSecurityContext` | Pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
-| `analytics.containerSecurityContext` | Container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
+| `analytics.podSecurityContext` | Analytics Pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `analytics.containerSecurityContext` | Analytics Container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `analytics.strategy` | Update strategy | `{} evaluated as a template` |
 | `analytics.resources` | Resource request/limits | `{} evaluated as a template` |
 | `analytics.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` |
@@ -290,6 +290,8 @@ This section describes configurable parameters in **values.yaml**, there is also | `apim.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `apim.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `apim.pdb.minAvailable` | Minimum number of available pods | `1` | +| `apim.podSecurityContext` | APIM Pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `apim.containerSecurityContext` | APIM Container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `apim.strategy` | Update strategy | `{} evaluated as a template` | | `apim.resources` | Resource request/limits | `{} evaluated as a template` | | `apim.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | From 965675176563b472fcdd79adab10d312fa8d772a Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Tue, 23 Jan 2024 15:12:35 +0530 Subject: [PATCH 04/13] Doc changes --- charts/portal/README.md | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/charts/portal/README.md b/charts/portal/README.md index f8bb9d31..827f31f5 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md 
@@ -275,8 +275,8 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `analytics.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `analytics.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `analytics.pdb.minAvailable` | Minimum number of available pods | `1` |
-| `analytics.podSecurityContext` | Analytics Pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
-| `analytics.containerSecurityContext` | Analytics Container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
+| `analytics.podSecurityContext` | Analytics pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `analytics.containerSecurityContext` | Analytics container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `analytics.strategy` | Update strategy | `{} evaluated as a template` |
 | `analytics.resources` | Resource request/limits | `{} evaluated as a template` |
 | `analytics.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` |
@@ -290,8 +290,8 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `apim.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `apim.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `apim.pdb.minAvailable` | Minimum number of available pods | `1` |
-| `apim.podSecurityContext` | APIM Pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
-| `apim.containerSecurityContext` | APIM Container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
+| `apim.podSecurityContext` | APIM pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `apim.containerSecurityContext` | APIM container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `apim.strategy` | Update strategy | `{} evaluated as a template` |
 | `apim.resources` | Resource request/limits | `{} evaluated as a template` |
 | `apim.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` |
@@ -317,6 +317,8 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `authenticator.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `authenticator.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `authenticator.pdb.minAvailable` | Minimum number of available pods | `1` |
+| `authenticator.podSecurityContext` | authenticator pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `authenticator.containerSecurityContext` | authenticator container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `authenticator.strategy` | Update strategy | `{} evaluated as a template` |
 | `authenticator.resources` | Resource request/limits | `{} evaluated as a template` |
 | `authenticator.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` |
@@ -329,6 +331,8 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `dispatcher.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `dispatcher.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `dispatcher.pdb.minAvailable` | Minimum number of available pods | `1` |
+| `dispatcher.podSecurityContext` | Dispatcher pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `dispatcher.containerSecurityContext`| Dispatcher container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `dispatcher.strategy` | Update strategy | `{} evaluated as a template` |
 | `dispatcher.resources` | Resource request/limits | `{} evaluated as a template` |
 | `dispatcher.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` |
@@ -355,6 +359,8 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `portalData.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `portalData.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `portalData.additionalLabels` | A list of custom key: value labels | `not set` |
+| `portalData.podSecurityContext` | Portal-data pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `portalData.containerSecurityContext`| Portal-data container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `portalEnterprise.forceRedeploy` | Force redeployment during helm upgrade whether there is a change or not | `false` |
 | `portalEnterprise.replicaCount` | Number of portal-enterprise nodes | `1` |
 | `portalEnterprise.javaOptions` | Java Options to pass in | `-Xms2g -Xmx2g` |
@@ -368,6 +374,9 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `portalEnterprise.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `portalEnterprise.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `portalEnterprise.additionalLabels` | A list of custom key: value labels | `not set` |
+| `portalEnterprise.podSecurityContext`| Portal enterprise pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `portalEnterprise.containerSecurityContext`| Portal enterprise container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
+| `portalEnterprise.forceRedeploy` | Force redeployment during helm upgrade whether there is a change or not | `false` |
 | `pssg.forceRedeploy` | Force redeployment during helm upgrade whether there is a change or not | `false` |
 | `pssg.replicaCount` | Number of PSSG nodes | `1` |
 | `pssg.image.pullPolicy` | PSSG image pull policy | `IfNotPresent` |
@@ -380,6 +389,8 @@ This section describes configurable parameters in **values.yaml**, there is also
 | `pssg.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `pssg.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `pssg.additionalLabels` | A list of custom key: value labels | `not set` |
+| `pssg.podSecurityContext` | PSSG pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `pssg.containerSecurityContext`| PSSG container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `pssg.additionalEnv.CONFIG_8443_TLS` | Enabled Port 8443 TLS Versions | `If not specfied, Portal TLS defaults are enabled.` see [Portal TLS Defaults](#portal-tls-defaults) |
 | `pssg.additionalEnv.CONFIG_9443_TLS` | Enabled Port 9443 TLS Versions | `If not specfied, Portal TLS defaults are enabled` see [Portal TLS Defaults](#portal-tls-defaults) |
 | `pssg.additionalEnv.CONFIG_9446_TLS` | Enabled Port 9446 TLS Versions | `If not specfied, Portal TLS defaults are enabled` see [Portal TLS Defaults](#portal-tls-defaults) |
@@ -403,10 +414,14 @@ This section describes configurable parameters in **values.yaml**, there is also | `tenantProvisioner.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `tenantProvisioner.affinity ` | Affinity for pod assignment | `{} evaluated as a template` | | `tenantProvisioner.additionalLabels` | A list of custom key: value labels | `not set` | +| `tenantProvisioner.podSecurityContext`| Tenant provisioner pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `tenantProvisioner.containerSecurityContext`| Tenant provisioner container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `jobs.nodeSelector` | Node labels for pod assignment | `{} evaluated as a template` | | `jobs.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `jobs.labels` | A list of custom key: value labels applied to jobs | `not set` | | `jobs.image.PullPolicy` | Image pull policy applied to jobs | `IfNotPresent` | +| `jobs.podSecurityContext` | Pod's security context settings applied to jobs. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `jobs.containerSecurityContext`| Container's security context settings applied to jobs. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | ### Database Node Pool Configurations 
@@ -690,6 +705,8 @@ The following table lists the configured parameters of the Druid Subchart:
 | `druid.minio.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `druid.minio.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `druid.minio.additionalLabels` | A list of custom key: value labels | `not set` |
+| `druid.minio.podSecurityContext` | Minio pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `druid.minio.containerSecurityContext` | Minio container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `druid.zookeeper.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `druid.zookeeper.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `druid.zookeeper.pdb.minAvailable` | Minimum number of available pods | `not set` |
@@ -700,6 +717,8 @@ The following table lists the configured parameters of the Druid Subchart:
 | `druid.zookeeper.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `druid.zookeeper.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `druid.zookeeper.additionalLabels` | A list of custom key: value labels | `not set` |
+| `druid.zookeeper.podSecurityContext` | Zookeeper pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `druid.zookeeper.containerSecurityContext` | Zookeeper container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `druid.coordinator.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `druid.coordinator.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `druid.coordinator.pdb.minAvailable` | Minimum number of available pods | `not set` |
@@ -710,6 +729,8 @@ The following table lists the configured parameters of the Druid Subchart:
 | `druid.coodinator.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `druid.coordinator.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `druid.coordinator.additionalLabels` | A list of custom key: value labels | `not set` |
+| `druid.coordinator.podSecurityContext` | Coordinator pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `druid.coordinator.containerSecurityContext` | Coordinator container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `druid.kafka.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `druid.kafka.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `druid.kafka.pdb.minAvailable` | Minimum number of available pods | `not set` |
@@ -720,6 +741,8 @@ The following table lists the configured parameters of the Druid Subchart:
 | `druid.kafka.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `druid.kafka.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `druid.kafka.additionalLabels` | A list of custom key: value labels | `not set` |
+| `druid.kafka.podSecurityContext` | Kafka pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `druid.kafka.containerSecurityContext` | Kafka container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `druid.broker.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `druid.broker.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `druid.broker.pdb.minAvailable` | Minimum number of available pods | `not set` |
@@ -730,6 +753,8 @@ The following table lists the configured parameters of the Druid Subchart:
 | `druid.broker.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `druid.broker.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `druid.broker.additionalLabels` | A list of custom key: value labels | `not set` |
+| `druid.broker.podSecurityContext` | Broker pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `druid.broker.containerSecurityContext` | Broker container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `druid.historical.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `druid.historical.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `druid.historical.pdb.minAvailable` | Minimum number of available pods | `not set` |
@@ -740,6 +765,8 @@ The following table lists the configured parameters of the Druid Subchart:
 | `druid.historical.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` |
 | `druid.historical.affinity` | Affinity for pod assignment | `{} evaluated as a template` |
 | `druid.historical.additionalLabels` | A list of custom key: value labels | `not set` |
+| `druid.historical.podSecurityContext` | Historical pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` |
+| `druid.historical.containerSecurityContext` | Historical container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` |
 | `druid.ingestion.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` |
 | `druid.ingestion.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` |
 | `druid.ingestion.pdb.minAvailable` | Minimum number of available pods | `not set` |
@@ -750,6 +777,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.ingestion.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.ingestion.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.ingestion.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.ingestion.podSecurityContext` | Ingestion pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.ingestion.containerSecurityContext` | Ingestion container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | | `druid.middlemanager.pdb.create` | Create PodDisruptionBudget (PDB) object | `false` | | `druid.middlemanager.pdb.maxUnavailable` | Maximum number of simultaneous unavailable pods | `not set` | | `druid.middlemanager.pdb.minAvailable` | Minimum number of available pods | `not set` | @@ -760,6 +789,8 @@ The following table lists the configured parameters of the Druid Subchart: | `druid.middlemanager.tolerations` | Pod tolerations for pod assignment | `{} evaluated as a template` | | `druid.middlemanager.affinity` | Affinity for pod assignment | `{} evaluated as a template` | | `druid.middlemanager.additionalLabels` | A list of custom key: value labels | `not set` | +| `druid.middlemanager.podSecurityContext` | Middle manager pod's security context settings. Overrides global.podSecurityContext settings | `{} evaluated as a template` | +| `druid.middlemanager.containerSecurityContext` | Middle manager container's security context settings. Overrides global.containerSecurityContext settings | `{} evaluated as a template` | ## Druid Images The following table lists the configured parameters of the Druid Subchart From b2350e46f2a175e277d0db8a6b27145ee6e8f83b Mon Sep 17 00:00:00 2001 
From: Kiran Saladi Date: Tue, 23 Jan 2024 16:07:52 +0530 Subject: [PATCH 05/13] Doc changes and chart changes --- charts/druid/Chart.yaml | 2 +- .../historical/historical-statefulset.yaml | 3 +++ .../templates/kafka/kafka-statefulset.yaml | 3 +++ .../templates/minio/minio-statefulset.yaml | 3 +++ .../zookeeper/zookeeper-statefulset.yaml | 3 +++ charts/portal/Chart.lock | 6 +++--- charts/portal/Chart.yaml | 2 +- charts/portal/charts/druid-1.0.12.tgz | Bin 9139 -> 0 bytes charts/portal/charts/druid-1.0.13.tgz | Bin 0 -> 9485 bytes charts/portal/values.yaml | 20 +++++++----------- 10 files changed, 25 insertions(+), 17 deletions(-) delete mode 100644 charts/portal/charts/druid-1.0.12.tgz create mode 100644 charts/portal/charts/druid-1.0.13.tgz diff --git a/charts/druid/Chart.yaml b/charts/druid/Chart.yaml index 3b6d0d7d..45ffcebf 100644 --- a/charts/druid/Chart.yaml +++ b/charts/druid/Chart.yaml @@ -7,5 +7,5 @@ maintainers: - name: Gazza7205 sources: - https://github.com/CAAPIM/apim-charts -version: 1.0.12 +version: 1.0.13 appVersion: 0.17.0 diff --git a/charts/druid/templates/historical/historical-statefulset.yaml b/charts/druid/templates/historical/historical-statefulset.yaml index 986b9887..47fe6255 100644 --- a/charts/druid/templates/historical/historical-statefulset.yaml +++ b/charts/druid/templates/historical/historical-statefulset.yaml @@ -45,6 +45,9 @@ spec: securityContext: {{- toYaml .Values.historical.podSecurityContext | nindent 12 }} {{- else if .Values.global.podSecurityContext }} securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- else }} + securityContext: + fsGroup: 1010 {{- end }} containers: - name: historical diff --git a/charts/druid/templates/kafka/kafka-statefulset.yaml b/charts/druid/templates/kafka/kafka-statefulset.yaml index fcd17b34..70edd947 100644 --- a/charts/druid/templates/kafka/kafka-statefulset.yaml +++ b/charts/druid/templates/kafka/kafka-statefulset.yaml 
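Review bot: The added `{{- else }}` branch in historical-statefulset.yaml applies `fsGroup: 1010` only when both `.Values.historical.podSecurityContext` and `.Values.global.podSecurityContext` are empty, so an operator who sets either one for an unrelated reason (for example only `runAsNonRoot`) silently loses the `fsGroup` default. If the data volumes depend on that group, which the hunk does not show, the pod could then start without write access to them. I would document this on the fallback with a template comment such as `{{- /* fallback only: a custom podSecurityContext replaces it and must set fsGroup itself */}}`, or merge the default into the user-supplied map instead of replacing it. The zookeeper-statefulset.yaml hunk uses the same pattern, and the enclosing pod spec starts outside the hunk.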
@@ -54,6 +54,9 @@ spec: securityContext: {{- toYaml .Values.kafka.containerSecurityContext | nindent 12 }} {{- else if .Values.global.containerSecurityContext }} securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- else }} + securityContext: + fsGroup: 1010 {{- end }} envFrom: - configMapRef: diff --git a/charts/druid/templates/minio/minio-statefulset.yaml b/charts/druid/templates/minio/minio-statefulset.yaml index 6ab43c22..ce479647 100644 --- a/charts/druid/templates/minio/minio-statefulset.yaml +++ b/charts/druid/templates/minio/minio-statefulset.yaml @@ -51,6 +51,9 @@ spec: securityContext: {{- toYaml .Values.minio.containerSecurityContext | nindent 12 }} {{- else if .Values.global.containerSecurityContext }} securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- else }} + securityContext: + fsGroup: 1010 {{- end }} containers: {{ $address := print ".minio." .Release.Namespace ".svc.cluster.local/opt/data" }} diff --git a/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml b/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml index 7a4988a8..1ab05c5b 100644 --- a/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml +++ b/charts/druid/templates/zookeeper/zookeeper-statefulset.yaml @@ -48,6 +48,9 @@ spec: securityContext: {{- toYaml .Values.zookeeper.podSecurityContext | nindent 12 }} {{- else if .Values.global.podSecurityContext }} securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- else }} + securityContext: + fsGroup: 1010 {{- end }} containers: - name: zookeeper diff --git a/charts/portal/Chart.lock b/charts/portal/Chart.lock index a31705ea..bcf0cd5e 100644 --- a/charts/portal/Chart.lock +++ b/charts/portal/Chart.lock 
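Review bot: `fsGroup` is a pod-level field, but the `{{- else }}` branch added in kafka-statefulset.yaml closes the container-level chain: it follows `.Values.kafka.containerSecurityContext` and `.Values.global.containerSecurityContext` and is directly followed by the container's `envFrom:`. The container `securityContext` schema has no `fsGroup`, so depending on how strictly the manifest is validated the install either fails or the field is dropped, and in neither case is the volume group applied. The default belongs in the pod-level fallback instead, as in the historical hunk: `{{- else }}`, `securityContext:`, `fsGroup: 1010` under the `podSecurityContext` chain. The container block starts outside the hunk, so the pod-level chain for kafka is not visible here.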
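Review bot: In minio-statefulset.yaml the `securityContext` that sits directly above `containers:` is a pod-level block, yet both context lines render it from `.Values.minio.containerSecurityContext` and `.Values.global.containerSecurityContext`. The opening `if` is outside the hunk, but if it matches these lines then `minio.podSecurityContext` from values.yaml is never read, and container-only fields such as `capabilities` would be emitted into the pod spec, where they are not valid. The new `fsGroup: 1010` fallback is correct for the pod level, so the fix is to point the two lines above it at the pod values, e.g. `securityContext: {{- toYaml .Values.minio.podSecurityContext | nindent 12 }}` and the matching `global.podSecurityContext` line.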
@@ -1,7 +1,7 @@ dependencies: - name: druid repository: file://../druid - version: 1.0.12 + version: 1.0.13 - name: mysql repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami version: 9.4.7 @@ -11,5 +11,5 @@ dependencies: - name: ingress-nginx repository: https://kubernetes.github.io/ingress-nginx/ version: 4.7.2 -digest: sha256:77bef6109e5ced4a4f00e93044d4bbfd15d0c4b619bae3419dd692a8620a696b -generated: "2023-11-15T10:29:33.351726-05:00" +digest: sha256:52ddb3e04c6f6b75b023041b9cca016beb93590982f57379950b0ee18b6691c1 +generated: "2024-01-23T15:57:52.7895836+05:30" diff --git a/charts/portal/Chart.yaml b/charts/portal/Chart.yaml index 9d92adca..9148a838 100644 --- a/charts/portal/Chart.yaml +++ b/charts/portal/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 appVersion: "5.2.2" description: CA API Developer Portal name: portal -version: 2.3.5 +version: 2.3.6 type: application home: https://github.com/CAAPIM/apim-charts maintainers: 
diff --git a/charts/portal/charts/druid-1.0.12.tgz b/charts/portal/charts/druid-1.0.12.tgz deleted file mode 100644 index cd15959f2e018437e246b4c0affff3575821ac95..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9139 zcmV;kBTU>MiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKD1bK5ww?|kN8fh*6c+L;qk)YFNo{6S-DGd@XdAIZt=-mNVc zOhOXJ6v-h#CraY`x8DN52LL`KQnoB-)gKa>1i;3l8$kCD4J!z3t98170nt}*>HPEr zWEh4q==IqDhGD4x8{OlquuGYdp`l=DVR|y!~_OE8C!o#t=tPC z=-Z!AfNjqmg8PmJeLwlr(A&qlp;-ufyc9nowp=-bPtNt0r232m1^+eHB$YE9rmn)NOG z`V}5`jK0SIW`k72UKp5&CEKiQvhvXoK;L(46H@-Q`?zjx-O$?|?YUe3`H9Q_J#<2Z zpGpC&k^kd%CnNv;e&-LKc7+Krjt&c|van$O36clKKE==pH$qkAg^#Xxb5Y>v*@& z0en1abN1Iz1Hfk~Cdl`&O}t<=1SX`S-lFe9$C)BCKx7DRqYpIcOAUY{`e95No59c_ zl+EP||K$LT2(jHc2JqIqN3VdnfbJXtdq(T;B9p$Psi6zd7lHy8I>3Si-a?FY?TF?N z{WG-m&Z37yK!OlyAW3!2v=955@bq^Nlk8L407KC28Ux|sM~tS^_nC4h=&#TY_^TOo zFp{$bTxCLQX}iLksDU&9aCmEZRP9~`Xl8#I0t?+YdHZSrIA{*d73GqagVRs&7jbPb z#Fs~DJs`%Py}%lRV+XEKplLHNFwq3@fe~lW>?NEd%FI{KyF)C*Dye@c;e5t z;{X?N-L!_aN?`v1|FB?UEsAG}v?g*>`A_JmKw@KAD?%UExQxi!J058#>@m z?73iOJBTXV=(F@QY`ol|70WR<={Nre)6pD#_Xxc8yt#vT6@edke9!(jb zze0ow9)fQV5!Xw!WYa*WKls4q#<7=nNs=SrdKQ`@2boNJe0$K20G!Qi*Cwl>rfI3% zQ4J9(KtU}fHR-fpw{t66t8Q!9-l+QP>LzQ)T;3fz2=0+H1b>Vs7fkV4=nGFxwHgcv zpQK*5SwGUAxA>Dmzu)aYLD%-)uIX5sU|rRtS!BaHKXMJ)>uS*1pa$ZcCyh+uMP6n2 zV0~>o=3p(UYroxDCx|@By7~%}Casozk6eWDRp8x5?9zlbbk2|iS5stqu7!u7-QlB> z*h}PvBz?}F&Y+dwbT|Pl5bC4$XPWh^%z-f@;pp0?iKpjG(#?@48} zs8Yv$<7q1O+`HNXZA#q!L(tN9AVIiwad|zS>f{S~#BZ##{~E_V#s1SX+U{nG}Cv?nxk`vBVDHf{S$XS(3F?=Cp=*Lcm;JPt z({MJkzko(FEeyF9`^~vKW#%pblW)vI$60~DLg?5tn`$)QXMF40ABdOE(i8d(S_cen zkqJYL0QQy$ybEtp;39%BukFl6j>WYkTP$(A60}*k=-T-V z1js=UM@?pW%-Mx`qw!}p;ijrv1VS8}&MET|w*?JLQ^<{L&yu!`UncDtrzuRZQG+`; zE$L^*{P1M+J{9;(+JTp%Pk1Bo%n7g3)5;9`f$fqRX#5v${ugd2rSb1p8D&MkrO_vJ zD;1T<-AKEXb!{|Gcq#|pBB!u>S(-*+WyH4TzazIT_|Enb&_tl|-wn{XX;hOXUL7z+ zeCk&%iCh%CfW3^|zf%IuI}H?6L^e!c6pdK!>d8qB9@v)T+qYz(HKHGl%`ztgBl}S~ 
zgU&7Hj5{EI@^7|lI-!*#eEKg%rMc?&bIQ$DrL2&3BQff{w}?c1HWJ4S>$rlk*0gS$ zsV0dy%yvzV11Rbn!1F|-H2HQ?Sla$#;-6>3lS~iFzNv(vlqt0I$qM{D6HALroI%?G zjVrEiqbjN;+Aa{B-3^r~l~Ji?O#W`D{QW#jYAMKDlgnFEEz`B6w%~u}NFD1q?)_NX zb3ECjcU}DTAH474YCd-7#hu3dsSQAXTEKH9pD?cj?@?J8<;*H4yoZ!V7ahn2Q&Xg+ z&pgxf>85U8IGS|2_Sb2Oyosj)8ZqpKAah}PCe~wjJ44`vxP{!737g0zDDVRtqbBxd zgyj7~G&X6sN1Ne?2TfEFK662~5>0XCS!Xs5LIw~2Ewtu{NIIifJ4o8Z zw{A7;Ba%Q8e)WLgNoW)`fWp&|Blh^ALjp^kSPDq_i;M4Pout{ zDpUHNDuUQd7O-<1Ki{F%EAaC@bU@Zp2`!7E#-PI|-84JP2Ob`Vph5qj*&iMns`YP^ zPerSNZ9f&Ow@M3!1b2QRcU1&1!+FaV5q!p(41Eg{G$jEfXda=x`H8xT=Qy@I|Hu+B zO>2EfYLu$|Cj>VFH&v ztFr5TmbYp-{TeqoNYVR(KZzBi_=55rT)JF-c6}K`qm`rcEgmh~77hb#qEzc({%Z78;!^AdQ3j`gqxG@*VywmaG z-%{o>ptLBgS-^Bm`2gvd@`2JZ<$%a{Sv9KjaJJXbj9Pt-Pb(3X&j?9Y1G>Q~NfTCkATs%k4XSl+#T0+6n zcA3I?8$c6X$(=NKG3z~*)b+n`s6_m|l_y}$`oG)mE9bvE?e5@!|J?~yw*O}bMcyVr zKAW@;o&Z5B2+S3l{GZxO@ZtR8{PO1GJN?$=v9eB!B(e$J2LXxlHc$PEV@x z(#}TLqu)l;@y+!=uXtSpeoEX*FcmY~ae%Er5mZD)0lI*t71+-OnPg7H%bcYRs&r~I ztFOhw^3nHFa7RvwCAnp;6Mdf)l5|?Ss+VCHy4-I`#*fqS4LgHh%m6>YUyy$?{@;)1 zleJ}}r~Q?3CLhnwZj#cHF)nXTQhbnJ%}FJSh~TNBo5;|m>lfV*JRb$brfY%kO(vPr ze&~eHEUF^lX?zFTEYILS%qV%WO$?a&_G`rUl9P!l^U~#FzIdaJ<0M zql3#QQFMhhslDjORH|J3RLCD4o7IERb?H83<)f1TEj@yA5=FrRc&b>{7BF*XJC5$T zW&E-vaVxaX%2HWTe2;5yg6QJ#-|_K5{&ztI{$CdVr+o951PR)!%^&wr zT>9{@5G6Z7anU|Wmdb0lNO3f+O}9x&`tRU&&_k{%ueqPQt8-~{`LB-zSu6j8jQyv7 zz<=(BD&jwsm^1q%`4y2MZ4n7lG*Np&Vt7_CBJF&Ph}-}#04TDt{BMB-StI|)Z9~O> zbb9^6`hO=>7yq%xiU8~v5=62n?Gz58DkA|CBEQN7hKPLc89GEAT|X8?L>e&Fa3Z-` z>wz@HqG}>W3X9mDqgvRJq5>WPK$0DiU~3eKP-Yb12Gpm;4v7 z7W1FFr$*E1AD5G}C#-<7iB;hioT3BVf0cR&8!W7KqondILDP?-M5|wrqz%-^JLS5l z(*k%4ZIoLGgv{x=Ayb3@5XjWdpkW&#rrO1bDS4e#12&akKn3g+rF+i_m*@jsUtn2Y zmh{;bB#U9xFOgr?owYJ9+E&)PD>V(5kSI~JAQ294`R57?d+A^=O>A?4r$jZ0JrD&3 z_~2P+2ztGqIFA#wRC0zr4-CX6n)N`Tj%2#^L^_-B4xxUuIO~nSatmJGcJiqyHp^UMk9O9cU}9~jOkKY}J zPyY3-LFd@Uu+h4QL9}>^(&EOe#u9#++Fwy)*zOt$J^VY{7E!_zAz9KI{~MxU1x)&B zA*0Zj$9C=Kt;D zfUL!TsptPYMz`HP%>TO}*>EnXk0*qGN%Ko)RZ#-|QrN42{aTx|4Em*Ju7>>DAa@Pm zm(Ye=#Ru6;{cu2K; 
z0T7Q;+ED(tiUU$E|81k!Rrmj$cKaazJE6MxkG)j{V875G!tB3W@Q0$M1nh_OCKvi4 zFuiBU4`pEeSilc)tW?8&IC0i+zMaAs6^4V?r+Sv4(_PYWaxR5GT_u#>q%yu?9>gH~;QXGQ!4qHy|01yL@Qg zdrs4IpuJQeAu0P==hOjqvj?!7vU#{F>PCxO;gpVq>)3k3>(tC_rE*wMhmp9q0RS=u zL)#7y!M{Lbf}r(BU=wudny3L%6<%gxgximZdwe>9^>+nClZ2aH8aftu56RM2= zQEyc*K>_7lz`hSypd7Z|jsE^_bo1Nf^4)kc9RhwO`y1m;M+1OAjc`9n4DriP&qO(Qt{`+Y!$!wxVWXO(d7F4`uy_Z=JfL8 z#kH*VlituHH6vf@A58(1@zwkD(@{|&tix1WW#dPRQz}#&BTA{bq@HSolvp=?=0!{4ORhrIsJqEas{R{-J^K| zH*mrM5QtCWUC|PLnT7#vymtCTf-tpz3W_f=l@ir%YDd~k1!Ugw8! z_jF&(7V1UQCj0+wZvkF^{->wf{|)01|8XZI@0L;}^@PWNl8@wA6G{&M$h=iJ`?D@% z+0h>*Z?%&@>oeCl_>x0pRhd=5Bmv^GxiZ- z7WV?dx|4GVJP!|dobu8@IO1D%J?5~ zXyi#hd%q`0pO_a8?}-pRZ;Uq#!NVV>fqhOdFD}NX3@T9^4d~%vnD?4$2F5BcbaeJ< zJh?ufjyXIimm49?`}67b_<|viuHKK%FRsV`xE{7zF#w6DUy~?8DV?9)oL+wTFuFJ! z0%R^c@H1tAejj`X0lEj@ff*9ev_PZT0L>X_@8`7?2ig&p>Hlr*J~6Fb|MmK+{%`mC z2mQYblI=enNB4xbpI8Tqb4iKKC*`Mty{9ZwnXO02SIy2-p0S3FhquyphMf(mO#Zjs z_rG=7vpq$Z=s0QOyGSvf3@6ggTBbVQ97`=0MOL6wO;N&^jg4cW5b6W~ z$ZzAr*?)faKi199y(Zr!sr$dBZCMUlvPE4W|5e)`xMu&?H8TGHjxjjce|JKa{eO8w zB5xlkrP~vKAm`~r!qbm>5s1|GRqq0!Q~wtf=t1bZDA1!xDp0O=5I+#-NRr0glv^Nj zt<8#y63T_iH1z6Q;I{A2jv<1aS3bT314Is1T?Ua%Smffs=0 z8U2hN5}REEGq>Hj9yRTW7tD296Lzl&f8}`d-kp?tZ_HXe?YLK17)bn z`mZh?V4eT(SoQyR+TG*B`H!8DY+{us;wQubsH?-gwPgt|Aj@Y3e847|%WwiY`K#dt zHY=b8Za{9;jqn3iAbbByw|zMOu^X!E|KD>(0QL(HAkX-_#RX*blz3V95!YT*lti+F_4PbFbGHWQhS1}zg zw5A+9pt}Al1c{GT!Jg;{ux~a&wk>=Kq2P^T%OI^o-7xU+FsNnqi$~CpX6<8xqN`KPMZCbh2Fdg6E5v+x- z?Nzf9(zeXA4oY#kb2|@r=a8V!aHS)cst+ZIacWcnjn=L0w(z3yN_gLBnn-@o3URQ>-MF2UGxM83VeeEWWUGrAIP44jP5#uwM;qxaLiM#veVt+|PB?$ApA z6MJrB{fOLnE^JoI#t-AYL#v|Nj{cYmx5htG9jBX~cx%vet-3 z)qV;t{EWH%K53XunUteEI zuX4RzvcF34X2~zh9bx6JuDt8+#rI{-&4P9+tY>}`(l4yo+szs>x3#)P{pK2M*<2-; z_QxCiTD~+n>&xH1Ri#0|0}cqK4bjHPVW%^cPFHt|Da>@ zNzZ+7yM`!BrRO|iekz^sD9%)Vt|Q4;^*l#e##-k%Xe&KS{6|s#x4rixrZw{4G5W_D z|L@=s|8XZ&?f#E6_I2(o_V7TLKp9i}0y#?^FIo%FyBh*OKuz1l1Uk4_~i`AMTBa|8C+xA9s4knfpI`2mI$wC|Y5-9;uB1TX#@& zuQUeup+R7kU{}gPQ2wwI%nh8ur@Iyps72!$KOnrD<6y^l{twegi1KTCP 
zfVSv|X@X4vE>T=JDT-n9o1yD^_d#q1p8{?$A8c++$XD<@qzWuQlez@swQ(dJ&($MLb|00;`<1G!G| zji3Vs{_X;I`g%9GdIGjAp8BRS({tehhS1zaXo1{jDMSiXzzO8G+FmwJdHi-RE}O(} z7j*d^c>13s4tsuE9pbR_aHa9oD;S=idz<{jl4}2n_9{)tH!GP3bqqmk@gK(>HU8(I zeTe_H6N;1vbge`rcWS*(XR>BtBg{g_5qNxTm8i;p62w0JwRIeTb@JbBXY9ZI_Tl{RPN?$v ze|1>oiCL0n=OXpo&H3VJ6Zzj32f9xFj}0~cw_&so@xOOMvgKU3!sO{NprUqAbxH{q zROYP$9&}yCGEAtFw;C>VedZe2(6sd)1s}SJ{BMf`Sug);{BPsfIIRD7LKX2JqU`R` zw7(VylJUbbNQdBvl`n5fOt8Yb{O3FI+*yJYVI}F3u~%?d31E?I5rIcM({qGk;ztVV zE*D~waJ*IjZzTU);y~8Oe}6DAGW-9|0splVqC?O1EX4hSxdM^(9BzXL*;5Sy_6rx1 zw*KQ`Lj<&k*v`3#kAmK>wN9ym6RCj%k;lxBg$3DJESkb)Z$%tRPR4pDkhGwhc$9(y zw&kW4E+s$vZm=oo8b%cqur)>^DX~gyp|mm9L?6#_wJSdLPWyGc^!@ACugl(d<@bf5 zK+;P;r{l?|@gzTrg!E8Q@HSQKp-XH>oN99r4AIqy-@XB8Su|f8JUpDF>oBV2Z8c*- z$bc;CSC^CPT)shrwxihcg`>aLLGZln6%K=g((pBz!JX@Y2032nbfx=a`J+ME>Ge!R z^^&~_}_odX}5cW{odt{s8vg^d9YeQqSd3*B5}rfX(vEU!i}-9i4xsCT0Nf(5M8O*GYQbFTNh-#g6I&9q2#@I?y`${{a91|Nny~Dc zVQyr3R8em|NM&qo0PKD1bK^F$Z$7Ka{{ya^QxWa#fEK-!Be*Z9Vh%(RXQU@ZRiMVuHg{&>?hZTx@NDy-c%@f6gpqo_)!*VuRK?>}+*e}blm z@N+4E0{I{HdmUN+2ZPa3{&$g11?j~EYL7s(t+}!ATqZG~1tt#EmIz$XfpXF~1$Rrs z7j$4?pd)N7ETjWsg9ik3TE?!OVN$8SObBOGHbH3ItrBCuG_Va(zv5(x6%1 zoAv`V0UwhmjRpI6e9{2GVYzORV`GEZ?s^O~NCm#lUV5fELz;`o7(Do2Y0 zru@yJXA;WoYK{Le0Y-!v)&c|gU_YTZKwCmpN;`>Jw!hm0GD}He z;WPYAQ17eQ+ta8%5aZ9btB=9Rglpu|PM+JYhHeobEn%6HhOvSR#F+ZiwjU94kUJLs z94IP%_u$%(^aayh!9&fqUEQ!CvE?@_L)T5Tf)-pPO05jbu*d!{|Jl;O#C8o0no{OR zIDdp=|Cj&FuoejOxiS2+g^~LduzS*Q=%j-QvNT>bN|17rO4T!S)fOj zKF631ohvr3ScVpV!rz{PiAU_#0$Ip~1nGVjTAm9c)HHS$cr{|(KJo9J6G=YVf;wwL-)-G)!61 zOxx3Ees@Q5gL?}|&}X>z8x&da!9=={0|fmwwRFceEHVboCV#;{{tH@1k9Y$Lj}{s( z{=zBkb{$#7fF}4I+ZLD`CZej^|2F*;8%2+3&5JBF`r-eU+# z??@vpI#W@a(-o# z8y8_@5l$#rHS)YJ`olw*;4%36E#QBJR%|Zm4u&6n;WCYtk(=ohShkL4$V3`bI5gua zfb+Rw8D!05=cEydC{ruG1{D-qRIhI5Z6~ARn^v{34kg>8L{;M&HlrRU9VJi59E0B` zw^v+u>gbDKfT~645rwWBFB=}y`a*uc zQK4>>V(8tD_}SBl?{06zM+>@|!S!R@ zfBI@yJ=%YEks|94bP+HtOrU9U`wi7ufGiO>pJZ5T_Rah;)lRbf-!GBrAQvmd*_tW1 zK>ml_q3r+ZkGh?s{O=-t{o4K;crsRFfDvI90J3(_*@`xcwnSs_xAwPhCk>kIq%r;C 
zKuc#jfo=kPvo2un7UiT7WNiT*%?%5ICL3J}&D#Vm;U%-qDBSBvS3p4dm3ts)*6Sza zx`vLxUx2utrGa6O{b{Ub-h6I+0nL^`4Ou$>Ct&iN8M6Qkzccqta}ECRplQqvs@fcf zv9Fvoenb2dtN@`OqIJRG0cp^~2w;1Kz%SkdaxFv<=Cz(1$ke&MWD5^&EMn%PA0F1M zMJ}#pG_PST0Cte}qjJ)?oC6n`2x7nOG@JRoFmFBn%plwV^?-nf10yI%Y3fK01Zs~b4Uko#xJ~*hb0l+LP)c_2 zjW7Mbehr6T)BmGcvUE6DQob86qHudT=Mcod`h#Ii7*5Lbjj9x%<4h<7DZ@7Z?D=O18EFd__n+d)W%*N`+w*ya>;scF;Q{$*a7 zpo=AWjh9dG#Jf!D1JNCwGrRc;{=(L5hi(}cIm1k$dkcl;Nu9fzpc&wL2-23itzji_ zM>xYgCZcTKM+$@_oqzw&>zxDC55F09D@H|)yzuTgi{JMRB?kz)AI z&Pn6Zu=FuFXZ`*WIwy@4B9P7n%tX&!f3d;AoIG^D5*YEJ;{;jw1GZZk(|J1>X3{=J z31>uqhs-j^wMUR+iClv)IE9!cz`f91A+xjT?XQ>T)BCH*$EnEC|GmEcWjei?-roOw zJ-g$Cd<7bM=9R$F>3=vXb8~&0RfbM4;4kopXOp1Z`SsP^9The>fNokMh5Z6kq52!;yBozsIG+Skw^?bLF)o zRdHkM7Y24c1`z+r(-(+HN+VA@#1x97Kb$nMgEW>`T4o8Xtqg1O1Pv2Dn1P&$kJ1Dz zqgZ@Jp7TZc<&y>FZ^j;Gel@LV{JS{tLh>eJu(J&G-vidxM@Gs8=C21g51lSF}SiV6aXzapTP-}=3Dh`*GDjh zK&7sak%8_41xPgisU)IOWii6E1t$S|0Gyi!vdHDlzI(Sg705q<1kF7YqdKRJd$uZ2pk>XIP@lwV0*=cBi9+VVw2cKOVD zjt&W$5f>7)2=LqdoZYQ$nufLb#By-0tA7kFaRCJE2D;ER5j$BD42Pf+;t-?Bj8`aS zXvuc!*trtHdJ8SfChS0yNRAjQgb7?Ztn!xqS=zj%^>x?-AOh(No+L&|asj0|w-o6U z$z^8%MH6cg&M&kGvHuBIW@fR!fMr-ZvIyvObLx}zc@Z5aWR^g4nQX+0*JOp*CgP{j zL~n!eG>;Lna7{iO288uogRIYOi=Zz=D1zf}@>oitlgF8fQHm?3HZ$3DN;i{lRYtBT zRISA95G0NYWg0HQMEqPI`1Vc6#LD@N7pX;o=8XU`Z6?(iFCXDhWg6+d9ab*8nJe~t zCdG^fFBkz^WUz>05reT&0obvPr@y=QYAil$`H1L`(78qPaon+%X<7_YD%3sv+!sM9 z2T8M6D@fNd|H8{Rplv&(ts8J**_aqwdx@Y)miO8cX^#qC{ySbe7egPU3@m++GNAKe zzobLxgOqmEV7Ju`&oJzyzR?yfO07u4+(>&gp3)^ZM3qZ}GD4f@2x(Nf(x6YrsYFMT zg{+~<;%}l#hkMf$1t}70W@}^@`KPG3GMt#7;TnfCCURGX#pc5IF4WLXyu*esX3ug= z+e`BPUpUq!{$0xxSg`-^b-R-NuiNPj2gm*YF489czvQ?`Hv&jU1P{d%D5zI~!)%Y= z^Lq(DUS3^Z-+#LOz@z4j+iiaEJ~-{n-~aUK{FiB*D#xcpC(wO*7n8fmPm|g7{_dYQ zyuvOI6QPHwsJUU9z>qLRGA1em62$U~HAn@EB?4neyhY6_b#E&<|A`?pf-edHtrVI$ zGbMQzT_P%uYdgp#23=_V)#Ab$vxJ=SNhhHmcqYe$ z2HSSfHQ!lqei#5TkH`gE@vx=q+09)~on__Y>(l%^5MMtb*R)+-@q-ea1p!wIvfKV2 zvse{_ry>FW)Vtz(mW5n}9k+1N$|fi+mme&IXA5+37C(=MX)3mr%QMRpv_W=BlX9j^t>OZ-(%!PxsXG2k4*Ya* 
zl3yJO)`=m(vSw=Ajm-EGMy!)EN2j&L;Q_@;%YO|dSibys)c&X|$$z&$>>uTS7pVsR z>);guI5;F&%y_g1I9Ng*379bHT`Dk46zpB7ey$I?#2sDTitmT+G{k1UlaGI}C%1W%7>UBq6z z60_;~?ey+oE0M)sP>IN+I+@LWyS}}6-dadTm<05SCqID5AGz-BCcBrRnb!m?N6YcA zH%NSAi>SzSz(quYw^X_EVyu3i4ggv?{Lg|`?i5K{7FpRTIdg3WuS};L z=_(mZax+zq z$}83xevF!rwvNW2-|xp3R|Ku(u4C%7s7qF9)Btb_IslZ^qPD{~2e(s%L4(Ix zK7#)aJC&RN>&1a8#Q*gY_`hEFIREb?#hoL9c6e_1UwlqUEG%-te-fKjuz$rxbD@87 z@rua5GQ~Fo{)x?5B|cO+`L7oTsu2G-kp2IiZs!>PWhbdR{wFTD2e<66j{fP%aiILW z&m@dbFGUz9`-%YB4|2c3)01giQBh3E$0RPB( zO2GcaU!_8S1m+JD`6Cav*9iO(M^HuFPg>DU@hk$ZO;JBtB(}iPW|*H00$bpxHohjG z){6oB#4ps4zY~ex9KUyM&l!V`+EKF`JQp&QR0g0nVo11rz6xMS=)H<~A<)H%!P*}LD|f=K zjKHEfczc}Fv2hm|G5xBwl9q!MJ`zJKwu=Vf~iJ9V?g*0)G6iQsp{NW*-P-s5sn8I|Biw#VWrJ>MeAKUdD zuY7-PNw)tR)&gNFhtXfPZ-Fbq|MmNF{6}@rJ)ZyHN!kSe7mW;#S;|EL%9;1#3&_9% zrt$X6N^&Am_PP$f6*N>*S}70KV08lBte8Z0Vcyj z2^3)>>VO=g@A~%Q@@jH-oq}4-`Jh;?>NmHIUA&px-d)~ZUSHjxUw^u~i%))GwyCiTquvWjF-h8+`pJY*CJtzArny)WdWirI0e5rG0w93unT<$2a=%GZ`+_#o~ zzEo!Z=Pon4r+Sw7U!$Qa`~N%r-f{llNy_p6UxeLWY87z6(?2*kC_psDZ50Vn%Kr|4 zD?SSMg)8`F=DD;TJHn$Fl##tig$G0xNBH_dLIQ-5R1p!7QgTyo zcSLGaJU|A8`V4J`21qYopPSmQ_gqph1`1H#k)I{Vptd_dq+H3HAGLo)XMSu`vn@Ay z38F_=ev}R(X2xN7@{fT(o;mPG@Ze+{K!+TQTSTWQ3P^&;Glc?yj`Nb@V{8KlP`}E% zy=^UXZraROomRfGS})~wf2a1l8H=o!=-2J--A+)({!{PtXPNV#3IC6J^#AN8#W%#l z?&6t`e}-R5GbrUA{*3cjN^hL;!mT%Zs*rm zSJQKbjmZuN_wCy_?KM>loL^3La`Ef*_U>{vx|{yv zZrpB%7&Km>D3^~^yS%tRzyA1fa&<8VNL$+Ad&&c40sIAA^aTC_nnyrO2hCO!wC135 zI9F30(+*Oe{;zBI2~y$uPrm=JGwcjTNBzHx6u19y%;a<1enQQ}h%1L0=yoxkaeZw2|&w9Or>>%M!he#({qT2a5ER3QJu(QqKk|7du;|92;;M*OdX zR0QDQpuT)Xu#bRWVK2mDeT7d`alEOgW=;+x!j~|rUL%s%A1D=3yi%!6A*!6rrs&<2 z()AeG47HmqTaSy{=-5m$uLh~xk|zV6>OpfEu{fSK7nIAJIUkUl+QFq@uH`$rI>xmw z1ov41xG7QF^5V8hk=uYoNCJE%v5>h)$aKpyPg_APYVg33irF~Dlqy!QU>Q_mZtZgG zmRqw_(M(4o=Hn3MlKCTB8jv#nFa>+~t{c71h^!OShv{)^n2*U)w>)2Z)1OO!T!Ie4(0p5 zx*hds|JzC0#Q&Q%D$?x$v7CFc2W0qzIb$Cq#$NM9V6k4Peis;>LcbtaaXrgIuHq|r zSGvYY{6tV9%o=uBDn(@J<>>htC2H}z$`U=BbzRvze+9ySo`NfH^?+Pp&jEq>5!3Zd 
za+n0fKHKgiaup3aP&3H-tQV(s2k|2?p=W7J;6N9y5Ron|lbYan_yn&Vg3o-Y5NQ2l zg*yxS>kIvL;bG*mppAdp7CQTMcMe(?bHhXmvNT&ati{=pi%FNPDTdwBs0F#h3WbVzk&+ZP!;MG{oQ5B%BLAD>L5k#mFqHBC-R@|3l>c3%>iCa@)E?rt zuktN$?>f>gaKZLK#Dj#7(*PlfO23Gk;3~=ghIo*C`R}M|SDycSol*ZN|GP*v@Em=>RT&dvQU`UQz(Fl2>%SixsMK8CJ{_xZC@%a%YIm0=8w* zsH9w94de*C_F!Q5ZBL(Z zR8Ye8U+tEdP!k-Ik^l$j6kxmRmvk45n&TUwm8o$LOgJ(&wflzy>vh`u*;uJ;=Z}@z z++a<~Y;M<2l&;6frgnU}?511(!Ass=!2c@1y`=t%c=F|QYU!*vtJA+zE#pa(Nm6eA^jx&x+AHF*J_aCPBlN;go;oIrO^y=<%@?nk5l$e7A={$a*(40gc_r)QV|*1x1sWwo+ahk|MwXGxjX0`?f<(-^7%ii z3ZDPmpKq%YRan6}zksi5=lgO>6`bn}OIAM5ms@hvb9}79b`k$sl>fT-eg&yO{=1#7 z?Ef2%21oz@PEzIjzoIKIQr8XNzOhwk(x0+K=1RfK_R_W=$G~w>%djwkrdgmP4&%D8 zuV0gfTv~CycfNlN_ldFrC2M0V6bvs0<4Z2lJef+(g_b@soh7{TR-mIM%lkSai)Y?h z37#W+N&aTM9M2N97|;DYo~syVL>o#9(?Yq0M)$t|gKbOxbSwYc8RnIWCY88>B8Ano zqA3@~Rbp5+VI*wqM-K4{R}cM^Td8Sti1S? zc=@KPdO*D1>Gfwkxt@YZ%f4eFcEdt;^QS;X>4X7w-9;GFImdAgi-4xzn9cYsiXEsS z&{Xh~ruYkL#k4hO^0Tp!z^3rAR)~WW-IG2ZPJGnT1g}5W$_oO1$eB?70)|C?1f7_l zwgt*y==>P7u?Wkpud1Rby>DV$h?L`otPQ>vwoja<1f)ns>~0;eyCGUPA|RvK%3;{D z5ibRJmpW*dLhM>Op3G{<#A`C<*VYc`&VJb{G75v;8;DRca5i8iLB<+BF2g9=^jgBcM zMoY4}?Am`JsQy-FW6V9%6dB!u){x~tytpR%t9BfaBKhz2RN4MN=p6AsJ4u_w|By#U zx{!sr_99UGZr7KR%E*6R9B|?MpNRjhs=cHCZzn1491*T9du9x9OgqSGB^L`E=dlVN zxUgg{CRi$65f@yd^k&##p&>WH2bYomx;UU>`5(&iKk9am^1q8z9sd)P+(Vo8%iw?# zZg__15&ZD+%Nrwmrm!&o{xNnkG=vH*AbkHgU92_nv>Wb}R zg9NBgtjSa1J{jX-vK~Z6_iWr#h{d)A7~S;6BFtO)W&&)BrC;ci@L7jZ6r~_E#B}^g6QkJg(MAo zAz>`KowuF*3~%4Q&CSr0GGxc0imtAoO>cjl-e$xtia! zjza(`ScGUF_bO2dAU7yV@&bhP%N+6?8c~W}`JfI440^H|EFz~PkI;x1G(w!{_Ps}b z&57H8lqE7(#=^2)^bFr9vi~OTf9`Y#-J}0^C+QU2KthmfVL)uahXDAzL>74P3{y9( z1#qDD2p0$|Cyi5Zw=^)op2IDpc!^9CP_4oD{D!r716*W6Vmu*+8Wf&GOQ#epv|!2| z{NT7~ZhS#H_-v3R_&+}?;My|Rz_wUX$`qgqz%(qRoHUe++5L>zE}}%v?bXV*z^~^s zpc^heX($VWwD~VyiIax%@Tc46zrsh$MVtK$AK)jeEf9Qw+N0-yxnUxF()gQ#KRfi- z1AL^v$cp`EyL5{9+yA5Geub`Kdl+0^Oeq(B5%1VEhZxqUZw=2niXV@Pc<$o9H^c4K$+ECZ*6`0&yegrpc7YZg8G}pw? 
zFgRaAmz*@1;JeZ0)ZcnwK$a*hxHS%)OY>IXwlRFkB$e0)&z@Fn|Di4=u(l zu;)HU{ulXE1G8hUm_SR1CbTW|1~|!q(j{ndb^g2iR-$h~&WZz>N9rzCK fiF;|o`IwIBn2za~N~ZrG00960e|;v%0CWKW3C6;r literal 0 HcmV?d00001 diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml index 4f95c404..c43b5bd2 100644 --- a/charts/portal/values.yaml +++ b/charts/portal/values.yaml @@ -488,9 +488,8 @@ druid: # consider changing to mode... standalone/distributed. # Once Portal is installed, minio can not be scaled up or down. replicaCount: 1 - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} image: @@ -542,9 +541,8 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} resources: @@ -585,9 +583,8 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} resources: 
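Review bot: Replacing the druid `podSecurityContext` defaults in values.yaml with `{}` removes `runAsNonRoot: true`, and the template fallbacks visible in this commit restore only `fsGroup: 1010`, so with default values these pods no longer refuse to start when the image runs as root. The group also moves from 1001 to 1010, which may change the ownership applied to volumes of an existing release on upgrade; the page does not show whether the images expect 1010. I would keep the non-root guarantee in the default, either as `podSecurityContext:` with `runAsNonRoot: true` in values.yaml or as an extra `runAsNonRoot: true` line in each template fallback, and mention the fsGroup change in the upgrade notes. The same applies to the hunks at -542, -585 and -630 in this file and to the values-production.yaml hunk in PATCH 07/13.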
@@ -630,9 +627,8 @@ druid: replicaCount: 1 image: pullPolicy: IfNotPresent - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} resources: From 9b97d4b1639b390e0fbd5d2572d34820932686aa Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Tue, 23 Jan 2024 16:23:44 +0530 Subject: [PATCH 06/13] Doc changes and chart changes --- .../templates/kafka/kafka-statefulset.yaml | 2 +- charts/portal/charts/druid-1.0.13.tgz | Bin 9485 -> 9480 bytes 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/druid/templates/kafka/kafka-statefulset.yaml b/charts/druid/templates/kafka/kafka-statefulset.yaml index 70edd947..d74bbef4 100644 --- a/charts/druid/templates/kafka/kafka-statefulset.yaml +++ b/charts/druid/templates/kafka/kafka-statefulset.yaml @@ -56,7 +56,7 @@ spec: securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} {{- else }} securityContext: - fsGroup: 1010 + fsGroup: 1010 {{- end }} envFrom: - configMapRef: 
diff --git a/charts/portal/charts/druid-1.0.13.tgz b/charts/portal/charts/druid-1.0.13.tgz index 23bf5b9ad30292be5b31683fea458c50b9359d6c..0f3dba76216f6986c952a2efbe47aba7aeb3fe95 100644 GIT binary patch delta 7572 zcmV;F9c$u^N{C93tAEZw9dy4_JKbJq@EuT}gBdw_m_YYCwf48<%Ds>T9phKzV#Bt^ z;HleyjuZZ?DxHy{HgtqF*Ki1X_LFNvU9(qUa&!3++}JLGCYV^zToXgXfQ_TZ(q5r4 zSQ6skal5@R$kKaIG<(%PpU`4$=oqV(Mzi9^3K|xHhJ{=_Zhy3Z1!>Xu@XtTtsH+Yd z{C_q`8`$<-4Y6$HXp^;r#sE5wX=sr0-*^h@)=^ZY(`)Rz_4l8+{69g{L-@HAK!N;^ z`n`@U|ARsIDF3@ir-Jli0<}k=+1A`xcrKF|&;k<&YD)wz=s-DXoPxWh;R`x2FwhY; z78cS0vB3iZI)8FZdyRAeF@Rv^J@Ab79FQfVr9}k-F3=M)Z3nr&COK))EbmSG0h)l1 z$&NsFp|wE3nA3K!kVaq9+<(vl=nFxv1x=ts0v{ko3gs3f z;yD*+WncJD$AGvVq8|Q)5==Id0`1BJ-v)P9v?OXJRXSn>` z9GVzOgJmaxo8!&t!uVod#M+m8r2$Q=uR4iuHX zdvNVX`hw}M;Gt&Qu5MV6*z%i|q3b4EK?^PtrB;Sz*kk{f|7>YsV!MV0O)2vuoIk>` z|I2@7SPO*t+!+4Z!pMCJ*ga`Dbke~DSsJezrGFk&Gyb)K`rhDAeZKnP1OMBd@PW`k z{2^`g8FHTt4S|WK*`7tf+;+L(0?gmwlZOA7pM`Ouxd@VQ;GXhXm{R0y&@9j+OP^!R zhRzimS1dz|KjCjr!NenWYk@4}LV|QZ3oXwD5o#L3`2G>C$NT{=?LVOU1@SWA!P6cQ z0e@r(30T^uj)lfz!;95#ZF{b-8JIx+w2q{lswx8mwkV(l-cZ5zFqP@aZ?iYx{rSxs zF!|GS(HoxmvtgRRLR_D%Akmfp27Ih-4=mvm@@oKyt+3I^-ty*vj?r2n;u;#JtZ1g~ z=`+8(Be}u71tjP*T>A}*Ecjp|UC04~{(qWUx?>v_8G~k%zu+JL1+Ak;ya9zr3k?^4 z;goi}jx1t86a0>C3(O4@QC01Kn|_LoqDQpmMHU+U@c&>s+Jldug7>z)FcGgTa9sO$ zq>&b#E9h(g|4Th60cmR&apxkoW;j#O2g8rPaGA!+$jx*LEL%r2WFn0z9GdYI z!1>&;46U4^$ z(=AyYaaN5FV&P4C&G^86t8RT@=T&{s=@!edpQ%Lkg~^#!(s)7^!uZCu9|F#4W&@fR z$b{<|(rin|W67Qn2;dczPi4f&J^;6Z1EdK_Fr{0 zknBHwwbMJ=e|C`~>ko7hFq0q#E&@9Jvrq>30s=5RlS&D`0(FkF3JN;|f7Rpue-~*J z|6g)kq#FUGBZ7zG2^7?;z+tw>@A+ODqnK?%-+fGY*rZU2v1tct-?k$`{dU2#3jLaxG&TexUt6O@+A4;I3+ z1-dwkpGU(q72C??ndJ%EqH~d(P4}Y!-PyN@uEWo6?m9o`mRP|rGqhMCi{P{FAlCPO zMYys$%U5Fio)!Ode^S}?UmYY!k^gtpAIbio;qVy$Zzm}}b;tDOGlM`R^`Bf?=E6Z_ zPOD%-N|en7h9t^YM2D0rzZpa%)~IE0B4y>D#~6B+{hvA*%JSdot4I0YNy@^1@PJ+g zo4+XT*WqpcxKr}lfq&4oP*@3ZrG6W(jtjR(K_tDhTcj}me_!BX*hiKoEwlIC?O`e} z|C=MhisXN&CgguGIL3e2Nve+jk^?^-oa9$Wf^}j@u&kNdb|W*sgc0kc%+YCWad<$n 
z((+#e36?Ma9koB|O7h?B4@O7%-$kl{|2lX@01gfb7Be300S=Z>M*=2HdY1|e6Zt<( zbXa1{y+(*we{2|4#EGSr-4q!m65A9pmPun9Ol^i8%c8Iij%ow93W&WzC|Qb3gW7m9 zfoLUAnb`alk!51hEuyzdk$sgIvjkp>PpWU&`iBJ!wCX0zX}Z!ey= z7LpMr0lnhM4fL0Fw zv!InbMUs|9R(49xT${lw(I2JIwP zA>Ke-e{TF-t*l(wd*C0;Cig0Up+QF8`XXbY@``naAEV}@t)nsM_xrKM6+tVx>zFz% z>XKC&H2|D~4ge*!sO|90cVZ zoup0hpNWByZvKn1?Zx_+f&Pqh^^#GZMNqw{f2MVjdU8)@0QGt&4gUTV{CszJ1NdDA zfGp_>6U*dj!xG{smbbd&InH`&MB&D@>8gfZzs6s)xTz1`e2&~0F(=Ha@V5#!{zN~m z3BqR`wf}Z78V1+NBnk*0A4K2wA#A}-U2)FYt8=I=kz(5XUP*lRudhuy5jDrn_7imd ze+7r17dPKDSMbZs_!Bk9ot_$|Z~snd6F=vfkWXlp|Mif&1{(dkSXSt2_D=CIVk{=0 zfQg)r?RZoc)3ftD41B1;`5YNm%4^!(msZf=ah8wZzr#-D=Kp$epbGJSy#)TR*FDbv zJ4tcph@c&w8~zucQxXe{T=1X7W)Y7>&1a8 z#QzOs|9_{e9^=34Bvr@%#0B@@mi^VyKRr1Plz;b`gz@R6h+|5H4-ev#n@Y-mtvFBx z_@AyiRAu~6=P3WXNj3042d)Uf!J&VI*?%A4A6ZWc*q`{TROpYu{9z)0fE4D*vgU<>@z#@FQ2dNF{X_=OtscOuc72gE5u^@tXV(sm#!uLCahJb0mvaWScm zs308xtR-vtBr>L?luR_F3=kh$!K~qANlp+}`lc1OcqLd;k7faAh-cDYMu3Su_ zyMGu^hObWKYm1{JPInuFBTjKUV+w-}QZNLX1V(6rW#ZjV&=# ze6x@y?vX-?tC>GMgcAzQCmmCm4sx-939>X4y6j`Sp5vA8uPw>;f5TcJOyw~8tM)B$ zMfksdUylE%4m!v4|2s*Wf8hV3k-;%bxhOz6^Im)b8CbwH-hP?<{g=u8Pq){)VSYh%hI>WLPMHB1}XbkVEuc-(Fl^P42E! 
zP>VSq6w6ip=C-kmHIsYcy14 z|9_|7J#Yf@3a0S22JeRg(M|c#2 zGO`z`@PMd7Dd>Q*e+Y%N!Lk_`Abr@qMo54#k}4tsQc7;>?T$!oiU-J`P@kdA&;aS> z>vL1v^`1-W#XtedJMyyx8Ps;?hm9RDmO|8?$u_^!^|LygU^1q8z`TmET zRpfzMe-HO2e~5i|erfrybNai){SUpqEdL|*IREb?RX_jzg8V+=5<=WtwETnK;#NXD z>McG`7#c+Lt1H?{(hi2Fx-*zEIuFjKpX~d@xGet+HNk(@#(f2;K>j;wSBn4884i#0 z|8CMI_%CsEq)R``u@{lgKzfA?ad?*x;CiRN;{Y!He>4j0c7AyIBNR~KV|w51Kcr#w&=z+b>cPv9@0c?7g{&}=n9YYsYxb2Zg5?I7jp|GIXc zAQi6vf8_iBI>XMOd({8CNOAiQ$4oxA?I+ZI;&hU0^NIMXV(-Z;S<6qMY| z#^X0wCBsh1lqdgn_kBSslK=ilvj28QYX7+Z+exav{|lw}kd}QFqke@8KM-yP-}#%q z_*RfVP21eDy6(I8>Ze@!uNCzxN(J&i91Z)jfBcUI$Nk?80&r8Jw&lfb zf6Iv6mX7yILLqa3km-hJp0)y7)Zl>w6|-TADOIdq!7`x4+}h>VEw^T=l9>)f%!eV$ zCG!WiG$3X8VG8u{T{n825m+at4%5Td$Z>Zx7~6E2_5#P7&JUVH7f6{oUjY`9$GF)n zo=Zk^A49psLb(Lfs<{7?_x~$H*G;ryf2(&l{@=#_;DY^sPaVqle|6Q-(f+rSw2A*W zZB(S&0b)7#Vh_mh2Xn?gMvT4Yi@;*NQ2j12I){EiuHt%@g2O z$Yntr|FkW1_UY~%v@Yg`i42H;t_-02)8h-h2l5yf0^wr6j~W}s~LY~+Kc}0%I}`3e6SZOZ4gv}HkZQA zPeJ^6VYp{eC_efs-ZGnC3@1{_zZ?$O7PvvSmD=EQ+kFfM`&!xX2Dy^N;aVC z*)D55d~MzG6_juh+bQ@N>bC6wR?4sznUt0+-*2}2XjlunXcT&aziW||ei2vP9iks2n)9!QQKoYCNwB=RiW7;~;xO?dDWmT-;zpzaRS`duQF>G0M4a5Fc#<3{+hJ@od`UKq z?Qm5a<55WN)!qkdrf|$Le0A?kx=z13`ROd3Rm?vrRke<@G?>)!hkqyqbYR~>ZZ^Pj{1(f+@alvrHS-JNFIo<8HKpoHtc z+AT4mCO9M|0S?e9z;@Ly=`I*G$2UMLQ{x_(aAa(1_YViw>$LZ?u~OO2A1k%F!J3lU z+^(M}U5}AX?f7!pO}PjTcW6tbdnR%vV_58Y`mqqHWX?vnf4~YZjCrsH>$hdt6|LU1 zP1CI1@jDPwyAk&mkf6_StsskP7ukjzS*t*^{a{#ayllP^Gc;QolAg3Z?6SPNtvw>Q zg)HK(9ow*of|tC#fd5s1drAEj@#M?r)Y4gTR;PcbTE>$mlce1K>A7gXwPh^SsKP?S z`>nu2!^!>bRGf3+!625ozx;rmClR({8})hshc zOHZAxisksR*k8~(v&xg-X2O`bzkKG~oGN!X{ER0-B`y;eGHukDA=kN$;*YVzm1p=F zb013BKIK~{`8?0dNY&(fL=qL@P7L3!#QlnGN+*$zY0@-hOP9#BA%4EQyNSO`bwo;z zM9I%6f4wbmQWkh20hmL>^jwscA=eF^)neK8O>a&5ku`f;woOypt*6#$xMA&v>lLoY zHuZJJ%f3V(r|g|9S~79vAcqMEHAY#bA~LdXL*+3&OUkqV?=k*!w?91E|96q(^M6zo zJpZ{r-&Q56u!3`b0bkY5_vMr-IM)}JtbCp?f4AhO=lEEI?IQlODF1cu{R&cn{C7KD z+5a~j4UYc*outb5e??bbq^=vjePgT8q(5be%$0(d?WJu$j)CK%mSJH6O|w8p9L9BF zU%w^|xwPVZ?|lCl?h|DLO4i0!C>UN0#+O{8c`}un3oU(OI!k!vtw2XjmiKi;7SFu1 
ze-b=L_LBU~csZUWYB8Ssc|2D!&WJXY6sCo83yto5{|DQa{OMNyw=>Ku6-_E}14Rm} zX+={mjH|@3Y{E#|0&*FNikD*KxKDVIDS!Uo&HWF$P+tFcRke4F|Fe_iuOTd( z)W851M+!JVl>z<}K!8;NcTyw(|7kUp-$9)GKOz8+2*8~n0E0zA?UVZ%WM1Zp{d8D) z@hS20O;z=Pc)io>&vlv|{OW2GwJW@6qDIHl; z4vCb7naM)sl)%!+p$>8{RVjaON-FwD6`MX2e3afm*}$VJu%q+_Jltj~xXFc!QmLC< zM8$s~z@dFz$db`&#|v3v7qSGiw&+3GvHeH3|M@%77UWye#Dh%?fkpQJf03Gq|2^y+ z&;RZu`GN&4JshcVV?=-i`av`i1|pO&Tl|L?Kc0j&^;n|W# z#}pHzCD~kd?Y|IIe=D;w=ALPajBY_|$nqavToe6OI}S*Z{P%jQZ2up0j`*LQq)p;~ z$Ri_N$iiHE5vYB)>q|*xf8@U|4!CgsPsIOL)$Y;%x04iijtJM5Ju?P4rX6Ipl8Xh7 z^H>EBTv##}6D*akhzl-JdNXXW(2$$pgUiT&T^vxc{10XMA9V&t`QJsVj{k{C?x9Wl zWpF?VH#|f12!8nZ<&BX&Q&^aP{}?+N8bXB_EhT0=6}^%IS}28xe`^z4vrU0e@F;<@ zOh*}ojF<2KQu1FD2UH;cqi$cm|EDwTc8~JEi$sT-W$TFh+fs!f>5;382RdjK0uBxr z6m`XRu|WdVC)VVtaG#9vu<>H08ct|47?3oOULzD}mjS3U7sOSONGT;ZMV3UQHbo?5 zP^iz)X2_)U^7Xl?e~k*tCG}!ZO3x3piPnh;^#f|-JVKI{VzWhESMfHIsNfcF_$Wd2 z_1!{}hP{w57TwO)X3@f964xwrIKGy;*3HwDOfl zMov7ngd$1DA%GMtLbQ*2m8b-e8x$pZ0Yds^4tWlZD8;UPPzM7BJ=qKvk<*b!XhaMe zAx?Dr-Xp)}#O*)I5}7MwVc9NvhHn(ve-rmVce;b_(f_-XbP8@DA;`5bAU5Db0DN8| z3p{v+sThNkgbRd~lg25yTN)T(&*7F)yhNr6sMg?ne#2V40WLBjF`f`Z4GPbp zrBezPS}^4fesEkgH@+Ypd^X4u{GT5caBZ1uU|XyxWeQLQU>X)uP8!O^?0!aU7f~YT z_G)EY;MemR&j6H}Uu4Dpvt2qx{O$kIa=${?ussYeFQ$|WKl1EJLosv&+kPR}{{5t( zJYmh&QTwob(_H>!y0^mYvhi?HdGEvx{H&4(VfxOjMfuhj%_34TPzjHzuK4MKlBFO{!#vS qkr)Ko_n1ZpzQcRsUfOUzreiv$V>+gi>Hh}+0RR87n)lWKbO8W*i~;`u delta 7577 zcmV;K9cJQ)N{vd8tA9?nKNxxWa#fEK- z!Be*Z9Vh%(RXQU@ZRiMVuHg{&>?hZTx@NDyHn8ov8e-YX(I#sLjRABV)6gL0zws2*t)r+)r`Onb>+e5t`G10@hwyVLfCBj+ z^?Myz{s)86QT}(4P6g@31Zs~!v#q(Y@LVP_pamul)RqWb(1CK&I0bi0!xwa5V4x#x zEG(o0VuJ?+bbsWS_8RE`VgSL+d*B)EIUq|!ON$BwT%adp+75DkO>)wpS>BuW12h32 zlP8S@`*(cO0Kj3nZjobSgV^qR3^YguzRg~Gra42Ji^v!}_+M$!xAf&H{XVAr&7o%! 
z%I#{6|1beYgc#NW1NdM+p*KKVLTiD5F{kZdA&tJIxqqPr&=-PS3z|TO1U^8F6v{0| z#B(mt%D(WQjsbB!L_ZqjyJLEYeNTM+vyDm0W7-sB(Ceu~@#!awX0s1T+PCNr&v5y> zIW#en3b|Z^LVaae;w!(U=p*bs=r+~EH!hkRU&cU3Pc6sq5CBZHfZCceOG#njGyF|Z z@2l9`(|@Qw5aZ9btB=9Rglpu|PM+JYhHeobEn%6HhOvSR#F+ZiwjU94kUJLs94IP% z_u$%(^aayh!9&fqUEQ!CvE?@_L)T5Tf)-pPO05jbu*d!{|Jl;O#C8o0no{ORIDdp= z|Cj&FuoejOxiS2+g^~LduzS*Q=%j-QvNT>bN`F15X8dad^}WHL`h4}n2mZG^;RB(8 z_(R&}Gvq!Q8UhndvptJ|x$Sbn1(?6VCk_8EKMUhRa}gxrz&+)&Fr~=Zpjn_tmOjUr z4V^1Cu2_Z^f5P9Mf{91$)&g0`g#_t-7FwPQBGfd5@%$+J8Xx3*u$KgQq{eHvJSEMUQCBi!3zy;s3#Ov8L{;M&HlrRU9VJi59E0B` zw^v+u>gbDKfT~6459@F|l ze!o$nZj@r^-H!O#(}?eGZ^TCnx|+k5@1uf@&?N??Do<&A-5@U=%hq3WJi7c-SC!-- zD3vVMQ3fTOiLXa@AlaE!91Yaxtm3{m<~vH<{zK5pF(E;?eRX{|ohjrC+2S{f?7!-0 zAlZNVYF9nle|C`~>ko7hFq0q#E&{rpvrq>30s`1OlS&D`0u7I|3JN;|e+S3?|1Q!d z{=ek7NH+pVM+6VW6DX)xfx~Q%-}8G3KVDv4Uf+MZ{lKHHL>z zoGQnsL?_UFdKZ(s$xoBn^#1OjH@w0w4-=t>sHnMNn!u1SL^38S0}{mYiZw_DizNbM zNW4YODs^uwIsb_vGlDM)e*mo%nmOeq&Z8MLBop>tw3ClRs1&IK!;+t7(|Z<+Bbx^v z$s>!v?eu>?UEUTFiNb!!gl<1wUfhS|!Vw?0Nko7@xh6#pYf)kZuQf9zc@|wFDvoPA z$R!3{X#LgV!Wy%LobgE~p&oc9$AkvkcF;B7S#W+B05Olq1zYj3f2Hf$&0SBOW#!}R z)BHRTUq2z&v|U~CgA$wt0apsL+x{Q3SQUe(A_4!@yW)D5gW=BlX9j^t>OZ-(%!Px< zoL0evlqj1E3`vx)hz==Lelv(jtWnG0M9RuPk1_Nt`#*Isl;ywE?;PcSCn*d6!2@~~ zZ2qFSUx&B(<4(zI2mV3VLSZGumHKVCIxgHE1(Ed1Zjr+Le}938VINtVw9MXjw}+{` z{BMo~E0X`Anvnm&@EHGLC#gFAOAh>WaFSmg3D$`r!Lnv*+l|cl5=N|(GDoMi#o+

2|2RK+l9SN8)>0K%?OyvJC z(P4=(_ZlH$f3aay5hs>fc2i`ONNiKYSSF2aFtr(WEQ`W6II0cYDj@a>p=2pC4Qk`b z1frEdWn%MJM3#v~w}{>G|#Sf9_x_k;Pt6iO8cmnazH?zP)(f zT1ZBi1oVn0KY+*|x$f;IyO*Jv*90s_%ki%_NPJ_9sK|7{MMQ$PRJrnEtbU#j09rZx z&w^I&6iHeZS=lK$b8QB%Os7y;=|9<~w?ZH3Dj7?1w4x7hAX$$6F7iPJ*1Vm-8?=*H zg?IyTf4T8x+zq$}83xevF!rwvNW2-|xp3R|Ku(u4C%7 zs7qF9)Btb_IslZ^qPD{~2ed8Hs0o3cAH2C{d@blf>4d8bf z0J5YjOe~Y94NHilSl;T6=Q!)B5rrGqrmGru{ThGG;-)@$^Eq;3#GEjv!rv;`_!IrK zCJ3K()c)JSXc$~4lPDm3d=P!xhp+`Vb;UVnug;;iM2czidnNJNzrHrYBZ78#Zunn(PDv~*a>0KRn^mxXf5k;}p?`Amipak*#Ww@~iOpFhK2$mRuNMcZ z5dSxj{r{bA=NSKGC#gFACoZ@Lx9qQu{^`kap!~bfB#cilMI2Kqe0UI_+*DHjYsG;o z!2fjBp(^8lI!F26O{#(aIdDY)4i5bz%>MfT|Hyhu!2ZNvr9yuM<_{D3BM-ONe+c{$ zM^HuFPg>DU@hk$ZO;JBtB(}iPW|*H00$bpxHohjG){6oB#4ps4zY~ex9KUyM&l!V` z+EKF`JQp&QR0g0nVo11rz6xMS=)H<~A<G0F9r%w-jSar$e^}6KcrmAn;*4*MQ46&Q?o5Mc?qINSALWZB4);6c=C^d zKb|@8NATce8$gE~i(5peC<;h|$TNikfsXT%;$v(B2T;Gtf4jYHEpu+#%vYUOzOq^` z<#m6j_PZI2te5E5?d{!8P{#gK@APMx^PdU-k9zd~>?XxG#KP|4nU8;lUrIA5L!*^xQe~tzT|8Ku@l>c3%%J)Cy ztRfH8`g^!He?jcK^GnNrozveX?tkd@W%(am zqu%24grPw+zq+EWB<)~$syl-zqx0Zw`pLdejLY)RP!s%TZQNIo3go||cBS|ao#F5} z|L-Pkg8vdnN4oU09D5P@45U}c5Qlg90IqlHI}YIDe@~;pZs*rmSJQKbjmZuN_wCy_ z?KM>loL^3La`Ef*_U>{vx|{yvZrpB%7&Km>D3^~^ zyS%tRzyA1fa&<8VNL$+Ad&&c40sIAA^aTC_nnyrO2hCO!wC135I9F30(+*Oe{;zBI z2~y$ue^0*uuQTinMo0a>ixjv2aLnX$+kQgbCr&51HlK*ED)ye-Qn|Jsp=3onPeIAe zY&?F0RWj_9OnLHOci$JJBKhx+B>Qh?qz;bzzn!G&`@c|n4{6y~G3r;i@B`sy@SVTu zi*E(_)3nVUtLwgduYSsv|5{PMqEsON!_jacf6M=9c)b62C#gpKuY*(s;NYOXd_}O2 zfL~!R#A1DgPg8Ncsi$U64kN;sFsfc7lGh(76;ZrWsZAlOoXn=^-IUVx7}*T9n=D(8 zi`wYeOfs(qsoRn#1D@(Za~ZKXo;DYh%bPhLkek}UrC_e*JGwf?wJrqrSpm2yQQPw3 zf3``H+kiw!0(>R0khw_6bjveOTR|;q@W7FZ**L|NDps#x8B}6!?Q-juTeDQrOh+Q- z;}GSN`6F8zkTU)-1$+3e8@2Yi1z&jd@?Yc~Rf#Xf*N6n!tq|BVJ01U~4 z+-w%mC8N2Iv0P%YT!ML3*#F7<|COQZe)2Z)1OO!T!Ie4(0p5x*hds|JzC0 z#Q&Q%D$?x$v7CFc2W0qzIb$Cq#$NM9V6k4Peis;>LcbtaaXrgIuHq|rSGvYY{6tV9 z%o=uBDn(@J<>>htC2H}z$`U=BbzRvze+9ySo`NfH^?+Pp&jEq>5!3Zda+n0fe?Hsp zBXSiDI#4sn`m7hHbqDbyFrjB@OW;5kt`LzfEt8tyclZRa9fHq%s1RuVV}&~l`s)k* 
zb>U&;vY?HB+7>$dbaxI~7jwfz3bHg?H>}0kr@Ozm-h$RY{xSaV=@)}sTh|`Bo_|Cu z+g(px*LFecf__Hvh{0}zTNu_tfAO36%yt(Ftqi->jK4DNMgMo@ch6Kl*o%}l2&zDv zOJV1yAbz|s+_NYYAAJ>XnawYT6RG514hL)t+#uUZZScA6J_dt*t!#LMTuEZ_+vPG^ zjxL#Omo*-~wr=?XO1Oya6#NWz+jameWmt<$N=ugSH`{$QtOZ>&3O&K!f3?WU5nFPD z+u4pG;9ga#vi{o?4^rg+9m)8QZl{05|L!Km&FJxI_qlN(iPd4+@-i0}lH|7vKBQFX zT%1S>g^GBQk`y+>jYtigh99XS|C{1LisXMVl=1)F?r3Y9t9^$sI@-1-h zI?^q0!S+DJgM^RM03nG=f4_*E;3~=ghIo*C`R}M|SDycSol*ZN|GP*v@EiKM9XqP2I&AUe|vF3%wAFevyxYIy^9s9a~W356S&*^uySXJ%>uS%(Ws8v=b)4x+K<4KcAQf~kBT(sZXG8Sr7 zVWHvuR$!swe`J3NTsf}&JJQIdUazZcyytq_IHjI3uK0-jbo(KrrU`FI{im5$)J;c= zq{Lbtj{EUI{LEytjfmFPTtwBi0ZrVLGrI`t*Os{+g9t^RU#E0)vVT`RAx_eIE}aZj zRmrV!bU7XB6-9Li>HF*J_aCPBlN;go;oIrO^y=<%fAV3L+7u~+w!P5s{Ucf{zhm2K zmKmd^r_NTza{N^6FKC@v<;ia|VNBd#KJ#r(l{*}M#*?5Dmx&9RHfqd}>)b~1$JpV@ zGyIIX4<&4$@~xA6p66wxYVtiIiHdM1hHqEme#JJWlgP(3X_~U7OJv#*Ki}Qm#NVYl zA|*$nf8=MB-WE713%rm3%%Nd=F3QS~>xRy1vF!S$wkCU(e?HHbTXNHLe5}EC5&v0~|GM{n1*t&( zyPdA={~L}5NB{p$Qsw)_*A3sku~lf&pRz>eO2Nza(zYMRz;RK_urPt9S)d~h zo#9(?Yq0M)$t|gKbOxbSwYc8RnIWCY88> zB8AnoqA3@~Rbp5+VI*wM9qAWr@t5r9Vo;7$;L!J?q{$^8s6FZ0BH zI;_0-lz923s(L`Y-s$ycJh`5NNXx!sA$G$;cJrq|Md^eAb=^f6(>cd+4U2%Lf8UtR z_$-PYs3Fi)@RO$a3u?u*HE8m)v5>%~@Ud2igA?78J|0ed)Y1g6KiA3&0)EJuQ2qjj zMScXGn4h)<%3$dH7_+em%dM}fqA0y@Vq1um!9k06~S~nsf zqu9z}*s>8X1$dV_XqQ6lS~=v}f4+H7<7=aPQsfhQJS9<%*%-%MgkuGC#+I-dX?Ub; zG*UXUrW_I}3p102$|-@RkwYEi-lp3G{<#A`C<*VYc`&VJb{G75v;8;DRca5i8iLB<+BF z2g9=^jgBcMMoY4}?Am`JsQy-FW6V9%6dB!u){x~tytpR%t9BfaBKhz2RN4MN=p6As zJ4u_w|By#Ux{!sr_99UGe{R>8lFG<`T^w-X{GW*bt*X7F|8FNL?i>-WEqi7Ra7;VM zY9$v79OtnL9=Nb%E+$wiT@e>tqV#6iV4)#5!3UR-|GGG!V)-A+@;~Z!kMh5ZR2}~l zliWj__RHXa5^i{g=n?$z@yi<{d#123|Nb#{GBkt=FPwq~0G zq2N&hWtomL3K=io|E1)=CJv}T{zu)ueE&~p*c~0^e;0`kHOtl!_qU}ALDC~v7Y}sM zDg+!HE-31X?P7xjs86iPQ{g@t<6+~)N;RC&W-uUWAiYK?&@KZ|WiE)TB9T%`Zi+04 zNNtKp%Aio6q0Nv2;XcMgy6Y2-l#(9J!E5&Aux~}4FBvHXF z-tbX^=c~+cj?T7CT-Dj!+W#P zB5CC-kBppnY6(S>jza(`ScGUF_bO2dAU7yV@&bhP%N+6?8c~W}`JfI440^H|EFz~P 
zkI;x1G(w!{_Ps}b&57H8lqE7(#=^2)^bFr9vi~OTf9`Y#-J}0^C+QU2KthmfVL)ua zhXDAzL>74Pe+*MMtOanO_6QdUD<_RpaJMutz@Eb`qj-r-6Hu+e_xy&ncmrHyLSj52 zh8h%}LrbR=EVN+C9sJ<9Xl{H#I{0jmCHOx-D&X2O*TA+|QOXpc3cxfhq?|OAi`o5* z*e;?(&h6F8w!p9FGoTwTK4~ZmgS7cCUWt>2^6;nIf9Ai!N6ST<{R|)AC#x+Ge1O`c z=YY9kB7D;Ln}R<(^w$G?q`%0D{b##$iul|Aqvd{uu3>u^TwY8m7k=c~lZImG2)6w~ zuKoK-LwUlQt)uo~`KG!2-%ckNAE(Mnf0l0)%73>j$$w|q9~|X>7wPmA{N&nD*X$LT z++2PHe>ZFw3MLjb*Tm2;IA21SoHUr=yV2&<-+Ev`mMARbKy8V@1sziYg&Bd`qjJ*l ziF`Ip6VL^d3my!q(j{ndb v^g2iR-$h~&WZz>N9rzCKiF;|o`IwIBn2za~N~ZrG00960e|;v%0CWKW&7}b@ From 62e5d7809f8f9fb3b49adfa3ce0e8b294e6bf08e Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Tue, 23 Jan 2024 16:28:50 +0530 Subject: [PATCH 07/13] Updating production-values.yaml --- charts/portal/values-production.yaml | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/charts/portal/values-production.yaml b/charts/portal/values-production.yaml index 8cba60de..a2957b4f 100644 --- a/charts/portal/values-production.yaml +++ b/charts/portal/values-production.yaml @@ -554,9 +554,8 @@ druid: # consider changing to mode... standalone/distributed. # Once Portal is installed, minio can not be scaled up or down. replicaCount: 4 - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} image: 
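Review bot: Replacing `fsGroup: 1001` / `runAsNonRoot: true` with `podSecurityContext: {}` removes the non-root requirement from the production defaults, both here and in the three later hunks of this file (`@@ -622`, `@@ -684`, `@@ -747`). The statefulset templates in this series test the component value first and fall back to `global.podSecurityContext`, so with an empty global map these pods appear to render without `runAsNonRoot`, and nothing then rejects an image that starts as UID 0. If `fsGroup` has to be dropped so that OpenShift can assign it from the namespace range, the non-root guarantee can still be kept by setting `runAsNonRoot: true` once under `global.podSecurityContext` in this file. At a minimum the new comment should state the consequence, e.g. `# empty: falls back to global.podSecurityContext; set runAsNonRoot: true there for production`.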
@@ -622,9 +621,8 @@ druid: create: false maxUnavailable: "" minAvailable: "" - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} resources: @@ -684,9 +682,8 @@ druid: create: false maxUnavailable: "" minAvailable: "" - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} resources: @@ -747,9 +744,8 @@ druid: create: false maxUnavailable: "" minAvailable: "" - podSecurityContext: - fsGroup: 1001 - runAsNonRoot: true + # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + podSecurityContext: {} # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} resources: From c23dee598d7f3fa8d98a0334734aeedc230a5632 Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Tue, 23 Jan 2024 16:43:28 +0530 Subject: [PATCH 08/13] druid changes --- .../templates/kafka/kafka-statefulset.yaml | 6 +++--- .../templates/minio/minio-statefulset.yaml | 10 +++++----- charts/portal/charts/druid-1.0.13.tgz | Bin 9480 -> 9453 bytes 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/druid/templates/kafka/kafka-statefulset.yaml b/charts/druid/templates/kafka/kafka-statefulset.yaml index d74bbef4..23bc2940 100644 --- a/charts/druid/templates/kafka/kafka-statefulset.yaml +++ b/charts/druid/templates/kafka/kafka-statefulset.yaml 
@@ -45,6 +45,9 @@ spec: securityContext: {{- toYaml .Values.kafka.podSecurityContext | nindent 12 }} {{- else if .Values.global.podSecurityContext }} securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} + {{- else }} + securityContext: + fsGroup: 1010 {{- end }} containers: - name: kafka @@ -54,9 +57,6 @@ spec: securityContext: {{- toYaml .Values.kafka.containerSecurityContext | nindent 12 }} {{- else if .Values.global.containerSecurityContext }} securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} - {{- else }} - securityContext: - fsGroup: 1010 {{- end }} envFrom: - configMapRef: diff --git a/charts/druid/templates/minio/minio-statefulset.yaml b/charts/druid/templates/minio/minio-statefulset.yaml index ce479647..b2a2ba36 100644 --- a/charts/druid/templates/minio/minio-statefulset.yaml +++ b/charts/druid/templates/minio/minio-statefulset.yaml @@ -46,11 +46,6 @@ spec: securityContext: {{- toYaml .Values.minio.podSecurityContext | nindent 12 }} {{- else if .Values.global.podSecurityContext }} securityContext: {{- toYaml .Values.global.podSecurityContext | nindent 12 }} - {{- end }} - {{- if .Values.minio.containerSecurityContext }} - securityContext: {{- toYaml .Values.minio.containerSecurityContext | nindent 12 }} - {{- else if .Values.global.containerSecurityContext }} - securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} {{- else }} securityContext: fsGroup: 1010 @@ -68,6 +63,11 @@ spec: name: minio image: "{{ .Values.global.portalRepository }}{{ .Values.image.minio }}" imagePullPolicy: "{{ .Values.minio.image.pullPolicy }}" + {{- if .Values.minio.containerSecurityContext }} + securityContext: {{- toYaml .Values.minio.containerSecurityContext | nindent 12 }} + {{- else if .Values.global.containerSecurityContext }} + securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- end }} env: - name: MINIO_ACCESS_KEY valueFrom: 
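Review bot: The `{{- else }}` fallback that sets `fsGroup: 1010` is now at pod level, where the field belongs, but it is an all-or-nothing default. As soon as `kafka.podSecurityContext` or `global.podSecurityContext` contains any key, the whole map replaces it. A values file that sets only `runAsNonRoot: true` therefore renders no `fsGroup`, and group ownership of the data volume then depends on the image, which may surface as a permission failure at start-up. The first hunk of minio-statefulset.yaml has the same shape. I would document this next to the fallback, e.g. `{{- /* default only when no podSecurityContext is supplied; overrides must carry their own fsGroup */}}`; the enclosing pod spec starts and ends outside the hunk.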
diff --git a/charts/portal/charts/druid-1.0.13.tgz b/charts/portal/charts/druid-1.0.13.tgz index 0f3dba76216f6986c952a2efbe47aba7aeb3fe95..8c4c8b945e19d2027cc5cffd7e3c2b7641c728ea 100644 GIT binary patch delta 9189 zcmVhxHNxwhNP;h z+V6JRZ&g+0-)d*j|Do0G^*V#rpxf>JptjnbcJBwEJ_j>$@_#Ua?hoq5-;yi$LK1Y0 z-;s+A+Zuw$b`3gC_^+z828vqK5!PJ8A?(>Nt_^j~UV_ohZWRHfCa?Ys5&pSb)#LeoR| zxfDQw{13XFmMs6he)}l@yGW;k^kM?F2cX&3%$R#FlNitdBL`{=1TN@6IjNn3+lAo^ zIxsNM5jN%)(gCr-Jpwv%OnZfN05O1I>fQ5<_6(2(qJO1D1p+S6BQk9VxxOYjsnIO& zP5U02fRD+O+MNA6JgEWTuv`=5*w`SpyBY!wQh{%>m!4@(k>(;Y1o!?|8uTrFc}l;J zDStEQnS^q?T;ab=fDs{vHOBzn+mGlC&=$~|BVf#EJ6K4gFKKRQ0rZ6+*McU{A%XW0 zBZYE{5r6TV3$(N^{HH@eTo2KY2KjE89%A1UAOC7&lJb}~#SnBlYF~W%38U%sLz4Cc z{pA@he>a0BMp7Y{Yfz{!4NH9Gw-kMZy?foJdicggGvmt;=;*QG_#Fa(iRMsSQD!MA zEPRH)3F>_ndwUwy2V(r$cJ(0`m~e$$+Q~E9)ql_g@zD~NIjI>-I7f`BueSYwkb~Tz z@Mlj^>AQQ^exNUy?g}1iw(aVM1&J-cSsJ=-q9wH8JW*1k7xg3ogL?4L+&)fB9J$7n+M82?y>epM@z!&IZi_ zJ+kmQ#%$R4zjHoRE8#ir>b1+mXQQe#eZX)hPE1l z%h{DpZd`cjBd<`lnw5VR~*4tJ_#n-KBVI4}gM~SM&HEc#bOgc&) zkvRl^j3!rHck1YiUx2Db=n_8py>0Pcrb9#LkNUk{r}tbv-+f=$?<`A+rho9~rt)p@ z4Ap5BSEpUFI^wJvAH>3&^qTR3{Z`%jz|O0BuhlM=VLwxe>I;)ItEBOWEQIlmYu^W) z)651mFOUgWQ>59Jj)$Pt_Qx+VmdN%<^nyR0LBsT1bh~g7rZd|Rbo_Qeu3_s@_MR^r z9@F|le!o$nZj@r^-H!O#(|?F>Z*Rm$3%U)5E#F548KFxIN>!fH__{$}I+m@!=6H1Z zr!FhWK~O4LtfllyHWOcu?m)6Lt2pSX&soKNZ_Ia;xc!HqrDH;ZaP#W=c05(c7qZ1~ z6xn~(K~J*(bk%m}X#d$oimX4-MZmByfu_mrH&kZ8OYSRzGMpz zZY*Nvqo3|qtVJ%arZlf%%>j0h_Oo(QyPN?RnFwOP?KGSDy?-!oJ^suf+yHftfQJJk zI%PlLH>-td9;ua$S=gw-+puB7Oqn^#HNA-iT0gQX4A08`hVfZf8n}BkAJ$_sLTFG8jnIZQyKC-k+h3hSNj8p=Q80vGIP3{<*H}b zN^E%kx9`*i-+$S19cl>F|GN(AclF9b7E}vN5nmn1)dp6v_#D?m#|`Vr%t6@D?;C>3@qd|3_En0LDCjJ}3;E+W{C-4E z=nygckF()fqEq8etca5Z3j8>W(F@)Rd(2L9| zTL<({9e>zX%)iVl6Lhg8ukrE;o_Lo@eIUA{b7nVR!C%;#?a(dbJZG3GbZ?>1JgIY6 z9n=F{4?)^Ow>7K;j(i63@o*DaO$|1XMUd;b21X5R&&X%!q9*e#4;st^#~cw$WRWKQ zR}c2BzEiu|YpBYC&`wXUSHw5-LmpRG2e-P~_kXVG^(1-!&;3{auLieaZ;A^mvj6ql zGX87O?)Q)T|6QaQ{h$N7IZDSiI;=hK|o|KO(m 
zP;Y3ahY4~oZ-(H?wom}H;Cu!rOzLmdw{0K67y^~rK1K$*a}*%a{HKzLN|nV3(-s^B z=mBtU8ptA-H~a40;#4621QIm!OpG=;9aiN3Q(N7*{I}K4e^LH-lSKK4j)R4ned>4q zG%=$ev?2(sS}r@t@#6zpy#YTyLK7tIj8NAZC<~f=x)sW^g5c?C242A*h5n#Aq_(6-pUevYk41u0*ijLd&uVJJ2MOBgPV8 z0+$Y}yk&ouHg9Qt9rgf-K>C6wiBXbVKxxh`MfyZ?*%?65#9D;&3oSzIf5N4iS?oKo z3`<8A0j+jUeX>3;qT__j5@;@yjacywSs}KG_-QoJf7>8D&0|C?ydfVB1HyW)L00Fs zMbH-_6v6Q~c`T*S$>Yq#D8&`CF*Dh8N;i{lRYtBTRE@;!5G0NYWg0HQMEqPIczO~t zv2uRnMQTx?c_Tnf>q#}n%SSj=nMQhVhn352=8FBENin0r3r4^e87!h$#9(Yx0CsHS z@$as^e;kU>8a^WWBXlNcHjF#gGEIv?N`<L61AnifHi+{&U=VIuCl!2uWQU-KB?3Z*1eUQ?Q8tk^Z;TeXV)Hm9q zMX3>Km>X%2##6fFhNyCBP)2C;93hPgR~q!`e>j!sNV1SMR9XB@ROxVUnxY^@LiKEo z>>~dZ6<3BM^D|uGaK=RL(y-WE_}+yYx`}sK|HbTCj%j;I-v0~7y2QUX@&p#_|2yrr zWdCcoIs^5%|KCMg$N!fc7wJX->4@N=cmf6WDsY(X@q2zR;m6CX%j>&OlMg&<&am0! ze+Tb_)6V?;FQ3kT8^@_~d`ffz-KTdkx*h#8nvU;o|9QhJ?D8-XdWede8Kwyg2}2}f zqB0;sEU#FDRIpegFowii)T~nXHj?w77&0UHq5#lJp_x-&;yju`Lo#9SMLYR8gi4V* zFf93LI=*AEII?-*kvy^pOveBF>2gv?ey1cjx$%P|6Zj*=re{xNV9M+=5 z2wrPuO7bkaL{uEtc92U9y3qRG;KCZSgq-n7C!rpACdY&Z+jh`3-&t^e7yvPk$OT*R zu%+wS&22}WX657S)BHRTUq2$(v|U~CgA$wt0apsL+x{QZSQUe(A_4!@yW)D5e}!Cy z9k+1N(k3V^mme&IXA5+37C#S$X)3mr%QMRpv_W=Bl zX9j^t>OZ-(%!PxR>ZxL=32`QuK>YX|;C*Fs?>#FhFaTpbr~kAg^gWw%IS{_o(v z-$j-tEwlIC?O`e}|LY^cisZkqCgi`@KgNI9Nve+jk^?^-oa9$Wg0*5uf3U2X+IAx| zzJw8LrOeT3ZE<)&vC{It0TL`<{#$By(3a%C-R%#K^1q9;0siaY6#+OnBv{ONvfc3otYNNioiSSF2aFtr|bEQ`W6INBJv zRY2?&LdjBO8f=Uw6NpvNUlCa*7TqFxs}$K+i7`vyh4^^k?$Xiu`FJ|L`)&Ns z6A3ECHt-32T38hxOFIpt211-#!hHcfvQVPP=!wV?JUyUQ5qt4UOvmSw@$JD@B8$DC z5|KxBG@br&J-K+^T1ZBi1oVn0KY++zx$f;cyO*J!*90s_!||^-e@J{|i>SzSz(quY zw^X_EVyu3i4ggx&|IdO}?i5K{7FpRUIdiQCuS};Zz#BA^ScP~4ak=qxHL`MH@1B1!o7}4ah6WjV>x+zq$}83xevF!rwvL9N z+wH~{R|GBPu4C%7f2d2AY19C43OWFk)S|Y-H{-E8GV+GPzAZP~NwWPfig+*lxnUfb z0{efv-R{Wtf3?P9{-6_;@e+whv(oZt9A2&R(5EZGjZi=J!hC zvwwZ7(}}1)tT!K_>n}L`ytw|RzJy<<##dAywmNES5?49Caf5cc!Kmiju9ozA!ET(7Yc^LRmgR>bjtd!TZxi77t!Q(6+!GDLH%FX|q z#epis|8)}hzfR{k|L-Klog;#Fcy9P#d`?L$EONnr5}Q@9f5k;}p?`Amipak*#n%J= 
ziOpFhK2$mR-z*MPA^xu?`~O?*)-nFePEvLJPh4;he{R`d9sSdh<3Ra$pGg>>PKr3D zRQT{9KDnu+{BINossR7fR{N@q|7jiNe>Z6Z{Lg_a0&sBXA7S?22lz+UQv&uU{wfvv zBQSrM$RByQy++`VID#tTe$tAri)RsNt&94}BC!RQ*2DZ{5ZD4g8{=#8X}uW0Py9j+ z`8$#56wUB^*Y=ztXsInVyTNlILrG--Hk14kBmuRPAro01b;`}%>j9=x3G5UvC76PC z2A2Y85Y+#0 z4T7#M4b_35=hMfT@A^JBA;zL?iqEgI#+H~VzF9~U_ei0{)y!WW!U=`ula47&2f5h5 z1X&siUG}kE&+*Fl*Op}azhTW0rg9klwec-*MfksNSC0Rv_S(nu|2uz4>)`*Qk-;%b zxhOz6^Im)b8CbwH-hLbX{kPHGFO%!v#*^s~Jiyrl9KKWEvB1Opv5)(U?vT0ueLVSa zJ-JAN2y+5VhJ_L+!bH>oIYi&}FSyWih$-avE>kC$y4Dl#m>YN#^a{V}$ zI|?j%D3LYyt)-tYm6`v!%Z%=+o+bX*ps&jQ|5mqiod0){a{T`nVYioB1sw474-O6r z5KVDgMFN!azXRZkkHUT75`LL_E^Wt_@F)glWG_2WeBR@-!!N%_Vka8t& ze$@UIo%yj%&9>a+C5Rqf`B6HEm>GxR$v+1Ec;>(#!Gn`+03C8HZV{cLC?E+U&lCy- zI?hXqkFgCLz~+Bd-tBE`nRC;6zUs8{mDPGFulqZ-+s;^Iy+prmXYY1`GWMU%PJfm; z|C#Xrs7L?LZc=GckNCO1e` zj(?Vt|4r_G_@T`C&p|KY|Lt~<^1q8z`TmETRpfzMe-D56CWw7^erfsN$-3-bGfO9*jq(eMv?i(3itsJHk$VQ3J|udZk-Njn&x>ds)w=sY-^ zezNZqxAW_(tMNI*#$<yIBtR~JKow1o|Rq&!d-z<1!H zNAMkJ9svy<)Ejlsn1R;eTupUMJ4ku@e^a|pkP1uJfAal*t$wTDKI;Enq`3WuVo&`ZewpntsocPD9slerfzf9pb2Ihl3QyD6nNV`M$l zZnErVTx^Vv%_Q?;kh;$ww5uUcCp>Ki?q$T{h}>LQFYl;)NN?&8DFu`*KUAutWH$xz zJ}ZPb4e6BxLFPgr(@oAiZ3V8V!2^dVW&;#cs#v{(W#EXpwacwrZp~69DjkBD4?vVl zRvM5p@Gu2*TKKLVz0L@!6H{a90c+%lI~t5_w@iDE<4xy>%b`o7%$%e2qUleCVL#~2@f zlYT+2;(C^aT*cS(u5^u)_=%uIm^JLMREo&b%hB^QO4Q$$dbbAgO7c;{|3bHg?H>~;Dr`x|b z-h#$I{xSUT@fU+!Th|`Bo_$11+g*)a*LFeUf__Hvh{0}zn;X_#@tgR}cIOJM47=5g zzcTH4_fO?d&s09x^OQCSsz94dVdtkHez-8)vnUiFeHCw+^)H4KspMY{2W$&}+#uUZ zZSa}xJ_Lh(rL1{_TuEZ_+vPG^j;@?+mo*-~wkCWXC0xXI3VwyUZ99OKGOT$fr3K6P zhwVNX)|@UKg`VK=8f58+ExE?+Y{w9AuPRkp|E-G$Df0ggWc)|F)ji^Wca!2~^!T*< z+&GZL>M(72nTrca@>>NTQmS-+E>0wcLPfktNeb)XMx+K#!;e&v|8?;oMe^V4%lQ9x zM{OPDe;27b{v#o^hq&#ld<)#WmUIhTussm*AmQUQKuDs}FXAS+O7g!Z9wcA>TdLZY z=l@P?FgVKpF46}0j~Af`z`@}`;xqm}a3Lw0O2CIC-lpP2;#HC6(*cd?)BU>p%oMgMM z7A7uUc#C1!N)kSXi;L1>+?jS5@#3B*VBFdP(Xw2SK{|lT-(Fl0vzHXWtmGA4?_z~E zxeP1j3Eb^{Sh+LAdI8&ivS?INuCE4p1YZ2TT1D!x^3_`VHcK4Sj#AS8XBjsCxvTge 
zYA132t3T)+?f*MT>*2qm(UE2MvkZGL_P$KK7h`DOt$lbYPyRQ(_a#UL_W!opYsu$7 z`@N(6e2gL`1Y zk+H7bKO9)E)85ao_X6=sOfsopbxHE?YeTFLqSya2oHr&Ws1?tUv z!)oG1{f(HR-q4VL^rY!wm*v%M?E$$BWD$4e*oH+Eyx{Ex{I3GsN$RhNCtp6tmd=W^ zI{iD5z(4|nv1BqHlT^?a%LAn{n|2D zLlB|p^XrsuPWJDLC&Wow&!q#Rsw%lPjxMJ|y`pH-LHhps`u&IT-RMTReRwjy7+>99 zjy_CNn<8b0?dq6AYPi$NDGGny#)Y+(5jvtQw4XrY(Jo;lQjETF;XTHs;a)-mu zcobCPGI1e)(^`!ga-G{K{un!4d4``c_o0OCQ@(YQ&-1*DR877|BvBFW#PID(+^^WA zbQ1ZPCQVbebcswG;@8{ToA|p_N2KIPl>Cg++X5$Lffo{h88l4KMOhhg-OyPrmR;ZU z)}$XLv}>-?-sAh3m0(eVy^LFVV+;DSIc2mP}kZ$iV_ajZs#qh>Yyp zP>QE1&1f zExGPFKGtBni2p3g|EBkT1*t&(+pV_j|LYI>NB{p$Qsw)_*9}ikY!#aHr!0`U zRPdsIxv=erA#hyOFf2@xOB zPo`3Hp{0*ZX92IgC1|P1^1hD9;+c0=g6GIylD`=*$FoE&#&b81=PJe-(T0-3v`}uY z(Y^2gVB3;E-N^rThIyr;NhNNeNMSXtXv&3uag`XBO&CdAKrSOu@luQ&_X#gD<3M@Z@!KM}7brbAfZsBQ78D>? z{&#Z!Lrd*<MW+{CFoMur7S85kk2{51S9^5+5}*!EwzM%bb9pa&+Q%U|8g5(2BVl8=wpf z%ny?q3liM;rYefkc@o<~q#U=!tnsyfuzlh*B`iQH=ydCl(=`F7BIjwR8@6>VMgh53 zb!CTithEf9EgSn%fPC2m_fm*rD~Dm*H}7eDt#xsVd{&RAB;GL_?U;*otbo(l5=tX& zd}ia4(lIvWFiBbHnJj!x2~>?7^dR?=mGbwfq~efNvFS5mNa+of4MC~`KuT|az{72( zf}35qD3!X|MVvnm1VXg03tBQ-?RY^;?1GkH@gw?Dc4GgL?SKAGv;p~6H1S{^Ltv5p zf1oDffA`zR^S?VuzBoZk565TR7!e?WeiBWDf#4*}7C$FUg$bvEpF0CwP{lH01^c|D z9guJTc($a`F~!7aNj8^V`!584h2O|*jG1SeBBNW-6|($?7uQ68Z5#)rNd7w=Rkr{4 z+DH7)PSQH@Kje{-E@WY@y$IC4+x4ZSGV;GE4!CgsPsIPGI^ih)yGU{8h;VJ$Gh={b z+Cf$;xme&hk5%x%g(Y(_!BXjpxZo0{*TV)24Y>|JxQzU7iUTT^|Gq4L|ATh#DF3@i z)$uEVEzq~QBVhRiMA0J{TLqn(#qou@5rlMC;KntZ1acyF2 zwkZ$_9wktg=_sR+@$&s&O8z&*0Tsyqpxu@4|7rC*?W6qfBGI8{**fCR%2Xjpx-&P$ z10A#q0SAW*in?OE*dPIa>Jw}7RJc#ZcvyR}QVl1x9t=ntNUsqJw95cgnG52oNTigK z>%wm$QtKj;GAL}$(0a(E^zxf?voR_tm(&rZl;SWahK`gWI}TNJb^UZa`F%Wp$%tDNe=4j~47xt? 
zEMl1A@-Yq6;@{}~?Hho)P7Aic)6-eBxuA;`BT+IdE=`jEo9oGKI`g1TTeRHpUN5vr zTKUQ&BPX6(LXo7S4?qe6A=<~iN-P4%4T_Sy03rP{hdhTylwwytsJ$KooU8|i$mz%< zAR-2c5GT5Q?~z}BbK>?NWr574F}G|NJ;OJO?7xZopIhx-=ji|4Nje2LkPzfr7!Vuq zApkxvkOl5N!_*CH4jiaGz&XOoN$nKeE({E?=Wxp?ULey1RBP}(zhTYa02i5%7>|fy z1%>C((kTTC&6#osKRGU%8DEeNJ{x2K{?E?}xVFp{uq{@9lrjaV0x%5=DJM1MVtO|v zwu>l{b9=e8E%5vK6zGPFPio5CAWi;@SK_3m+<$eO{8#vBF>kV;;RF0=H3fqAPmJMd^#gxwJDfoop z9DxQPl%#0^EvXr$e$XR9dpG5S~@hLZJ{^7VfJ6(hoT8fu`gWN1o;Gh zMds3{@)=^l9pgHHRZ7J-I^Ts&^HfCXvM_wdg@ z;i#()8vK7YNPipH_FN6IY~^T^wS&e0I*w^*kn-Pn3hLHTRHf5v?7Q{%pSb)#LDNI{ zxfDQw{Ezy*jx7I!LH8*CyGW;k^kM?FN1)l(+*o)nlNitf69;Nb1TN@6Icc1NyQSd^ zIxsNM5jGYU(gCr-0|Gj7OnZ%V05O1I<~{I?_8gEUqJO1D1p+S66EbZFxxOYjY0xb1 zP5S|wfRD+O#)ADjK4}2puw1vuv9UpHcRdCgqypb&FFn(oAiLu%FNype>=bK){&OcCe5}U((#r0_Y1tt_4k?LjoTl zMhfK?BY)yK7ieW)_)o`xxE`V(4f5SFJ;c5zKK|LpB;_$}iZST*)S>wF6GpSyha~M= z^oM7-{M{Uy7)ga(u0f%`GA!|x-%|7u_8xSb>fsv~&5bW(prfaj<97%ECR#vkO_`;n zu<#lFCaCvS?Coh(ABgd1+ttTlWWqIaX(!KZSARpdh>w=A%t^yo!3APW{b}2e2sy|d z3x5t2mA-p$?MM28>8{|RX4|fASdiHAo0XyKCR#xYE)u0yhGp1e|Cj%4X<%Zzh6YV3 z^CO%;!m!TtoCjq@1cM0|T}wpatGg!S*nf>B(=i zH{kvG%^NWJ({s@qp82z3n!rL_pRFL#mH-BPtZff0;S=&}0En%y(a7HN=75gTS|Q>Z z8m6phrtRr7zq=#3!Mz0}=rdgV4T>!IU?N?}0fPRTTDoH!78!$PlfU2}{{^k1M}NEl zg+~hw7k}ZDcDs%&Vn7r8j%^Ff4HHpS?SGqoijAU2wB|(?8vXG9U^?1^kDr3~w!JVB zuPks}`*);~7M&~TYybaCJtzTbYZr0nBDQ8bXCoAJ0^L6b?^KnG-71nGs`zhg)6mvq za5=xS$&HIJvIr*>tQvV<7yaQOOn>kgeEk;izd|cEmvjfikG^o3#>&XebP6n6M>Aw1 zjVTo23N5NvxAV4>QSnWyT3CmY?NOqtaSfYM50j3P zCuEMnZM1NEGb5r>? 
zc!uh9imTHtSsig!jSphsO?u7vz<#T4ePHKRebDI^%dnrRMD>NqnN`wwLKedK#; z&S_=?nit4~>lxB)OUGl->H6cB7%OCZBznOg&!J&@F1lN~2-BHu40?V$AlI<T_0c-y8ECC2s#AXyurYAl$yXzMIYz@`Y^i z8%6eCbu^IdKYg{+JKBGCks|94bP+HtOrU9U`wi7ufGiO>pJZ5T_J7U%G1X48{NFE; z=^z&?#MzoDxIq4g-J$IN>5n@7qx|n8ef`@08+bBSV}KE1767t#(AkPMi?&2#@VEB2 zZzm0!?W8gN;y_DhI)QEie6ucK?iS^w5oB!v9nB33fhHSW3eDRDE#W1z&M4gLNLN5W z`IUPhXx8f|Gyx$2BZ62hIP&t^dMJi5~xSwNaP-k2D^IZl*Hidm?EUv#$0B4$o!62V~}SH_O$` zu9evE{BPf>3xED%%XO$B(ERTvXx=v~3t3PtFhhKGAX^K$jMy%F>3fK01Zs~b4Uko# zxJ~*hb0l+LP)c_2jW7Mbehr6T)BmGcvUE6DQob86qHudT=Mcod`h#I;#%IEjzcc-X#A28FI;blDk7nbS2OD41F1J@E_5cL1mw*H-lbe zPT3})e}C%0wqpKeUYVeaC3%gPPw>RMOzH#C9i20~`3nBR)@+Av85cRjOrd)Vh2}|} zyPBXG;Ccwsmb$HBC2-_3h>wTc$ZBh_g)D+x$2Bl&VS7$KLl?D~Z+X;W9ysQRSRsqF z>A!lgZ}pwp?LkXbmV|bCdc7jPnIH1Fx;nVk)qlQsO|K`(`+x4g@_)6s4ZAKbtjPX1 z?8^ABQFkyr?*Dg@V))O_N#oJ5^f5SR{r(X;Cyf;%kj@3nM9*D+vBANdJaoSj81bRw z1X=h4wp$s~c{>V;v zsej1P|GmEcWjei?-roOwJ-g$Cd<7bM=9R$F>3=vXb8~&0RfbM4;4kopXOp1Z`SsP^ z9The>fO*j`F{Y6kq52 z!;yBozsIG+Skw^?bLF)oRdHkM7Y24c1|$&w$FWxUwx204+G5!3mS*TlH<%M=*v!rLK>Wf$jnYNHqVcB%)GfF~YP3 zCjoi@oSO!+$mPwxd$%|h$UlJu%{>#NI;X>m{C{evAD92G+B<*B|89~f|Il%;FtgA6 z&YvY_^n+FefmO?82RXifMC&);`zL6Eq@5A!Is;`vlTWuoc~%g7`!)tm`VTGt?OQWx zw=45Ce>Jd$uZ2pk>XIP@lwV0*=cBi9+VVw2cKOVDjt&W$5f>7)2=LqdoZYQ$nufLb z#By-0tA7kFaRGk>>;}5fG!Z*l5)6l+65e#sw!FmfV%O>nVlSqyj zD})JLIjr)Q{aM<)rS)~#10VwF3!WrKNpb}Ip-blW$cAf9RF1wj4_IoD9j0P_l0b69Sh++|gu~7lo zv5lv{yY_!-EIw=bi0F^dxkdAF+_9EvS`1Pu)II#%7eOfpNwZfgNY^p{!pk?HZ9Al` z8*pLSm>61niJ(cA_u3L^j|yJ?J6<{$Lm#9JEPaqNpz~qBq(kU~ly=l$x77{LFzlqh z(H1RAtw_V%NP9G%(j_-Ul}m#%LYwCZX;iq6x6H0VYbKb`Mrc6FRw1I??2ss;8AnN z?KXcucpsd0=I?*{bpFdUPL<$3*kwxHk`oEtpZwr5kL}5QD#~6B+{hvA* z%JSdot4I0YNy@^1@PJ+go4+XT*WqpcxKr}lfq&4oP*@3ZrG6W(jtjR(K_tDhTcj}m zU*KWbN0ufnv-jQYVJa{GnM*=2HdY1|e6Zt<(bXa1{y+(*wY#3FH{Of-W65rS&Dl#2# z5s~06Rj#}ktDmO>fL0Fwv!InbMUs|9R(49xT${lw(I2JIwPA>Ke-Zv0%WtX$Z8;2+E;_bPy)K}O#CB4eTQigkt`qvoTn zqcQ0B`?19pK`XiIm^yzg>XKC&H2|D~4ge*!sO|90cVZoup0hpNWByZvKn1?Zx_+f&Pqh^^#GZMNqw{rgf2ea!+Oe 
z^?D}_{{9sFe0O&P_+18oEa?gp%j9Xp65=S9x4Ppw&U$J@;l_Wp>8gfZzs6s)xTz1` ze2&~0F(=Ha@V5#!{zN~m3BqR`wf}Z78V1+NBnk*0A4K2wA#A}-U2)FYt8=I=kz(5X zUP*lRudhuy5jDrn_7imd1&5y(H{Uc@@XO5j6E(-3o*Jfa|4wNWKj)c{PiU3@^^m&; z8vVLhR_JQ>PVs**Vk{=0fQg)r?RZoc)3ftD41B1;`5YNm%4^!(msZf=ah8wZzr#-D z=Kp$epbGJSy#)TR*FDbvJ4tcph@c&w8~zucQxXe{T=1X7W)L-iD7FgO0^OHef3;fi^*W}ZBF@T@= zg&OjABGD9^=6f9?V!reC#I(sGc(M`CEjcJTl}rh#ZX;xYIaXx<{I z|K=J5U0WJz0zuEGk2Bx(eQrXGMcEXeUuBIgF;jfAkS6YtLW!%HKRkpJ3e6`SQ zF-y59KsobXd;u9)z%<@|nf(2i$^B2a*S}0}XJhaP=Z|pwPJPD$5A(-9?k~DS=K9y^ z?T72zizJ9JC%|M_D1jnOL>-Vr^j+UxTwYD?u2WEpIUf|uRsH6+v5Pm8+q=uV%j>KA z^XpGnck#(D>=wn>JPvdTe{+`vE(g}?x6_*sm*UeFM)y?D68~#7RAv8vr{6u!|2s)J{{M@x+e@ti4tV+p z2L}a+rns#l0ZRGb0dU1f;l6MMzsx+Bwqr+l6oWFd7pd@os6r{|e}J+Gg|xx485kga z*u6$bfH0COA_7uMZtCrhNNtJ-$e>W4q0P_$>E-KlQ`_~POX|fy0m?h_vjiE`cIStb zD|z#y_OIy7k8NtU!rNz@6>)bW0Ca|{kpxq+X>3pf9jq7 zEOY)d;r~&O{-52X_=Z^6T|D#g&+toW2BqA?pK%_moc$~;nS1n8DqZp9XNl6A9sEpg zkg6R2EG7SS?tb{L%=ypJAmRV*^^fwui&Xjkhn!X9fm(kLlP?wsf3I`;yTttuy}m5} zBlS4{?<7?}|NVmeKH(BV+*`E#gWlp+LOkj%K2I1LMDwdF+Dg(6hNrqSm@+yK&ZeL2 z`^2~`{|q(3f7Zr*1*t&(J8D;o|Iir@kMsX-(kA#Xadf0hKg+Qfk~?;Ae|0rIXV{qRaB$zgjniIJ#lZRHR3{g|PH*onXHyOjOJ_*P^x<-L zH@#xuvzrf-%d5NTKkmluc8Eda1&VU{NVUt0`}6CMA17BAV}P`!4Zf#5P!_;nz(r5s zFQ9n@v~0*I)`&L)iLcL<>~*rcAp>>uK(ow|2o6YL!f)q|GP+W`wz!VKDX^B z)P3S~l56vc_^M*>$t{&@>k&#;wDS~{+|0(~H&`XZPRW!f|8@6$K`N5}{z$U_c1CLd zlXw><8S1B8`L7lAD@q0OKO7DFviy$*$Nk?2?W~q{y4n)j{ zA<8B52ex4}AZ7Sr3iR+@H+r2BSSO|q)5F%tad$Kr+jN=s0>_)q51K<4NSQfb0Tzki^aU_#H*mcW57Tp=P|S|&BY@9+s;I|QHkP$AIz#|n2A^w$^q>%zmx zWkDPNv@LY@>Fyk~F6M@b6l7_(Zdi-6Pj`QBy#=j*{A2vz(=P_Owyr&LJ%9g*R<^sI zx~}bl)&>2H;t_-02)8h-h2l5yne8qVS{Zh$8GmKki~jG*@1CiAuoo$95LAISm%`3Z zLHu}OxMxu)KKd%&GMirvCsN7391hqPxIwm++Te5BeGCTsTG{Xhxst@XUX{&$gT;6Gl3A^-=62Z_)4 z`@n^yXet38l6aen6N%U2F!3TOqwh81Mx+5%5kHbqdQ;#;oZO~(k{l}AVQe#eNj8n` za8(=QQAqC9;7+2&TYsvQgW4FB7}-i8;w0O3wJ>qrRkDNp|E-un`y0{eeg9dzXLpTqvq{=buySX|QGoo3peKI5pMgzLZB zEis`cI3y(j4$vvUcGWNGE*Le(H$W>>;~toBWNd2p4+qxkwD+^IQrXTQE48`7nv&Vv zuAeAfkC9F7_yp0qvevb?&jJtDV- 
zEaI*m+pvg&m%P1z|5bo{N&OY^A7gXwPh^SsKP?S z`>nu2!^!>GnfLO%vXb`cE^hsGE)!Nr|;Q z9QWga_@T*W8xgIoxrnN31Dd!gXLb?PuPt*u1`&!rzfS4qWdE*sLY$=aTsj)6s*+pd z=yE#LD}RdW4$}A6*Y7_}?bRGwJA~tZF`~N`$x1^e#f@eEHg$+ zPo1rb<@mAKU(hij3+@QE)y3rZPb_{*SU@2kFmp*XZRU& zA4=FhVeN+N6|ToN z^>xO}zC<6V?42xHGI8Y~hY1KZMp>mIGO}+&MiKR`rJwSV*e z$@O|NNLye%OV1nRiQg8%y+G-~0sNLZw4eaF^1qY&A3Ew#UjKJhwRepFvyr^QX~NXX*HDJL7e}6RrP>)z0>Q@cyc`jk(PbOLVxNF3#FiYD93D!V=lt60y<+$*o-thQZ^bX9a&Qj ziIjzz$wK9nz|zQ}4stJ5DSvNDD*8wjn?4hKl-@wuz@sX#qx1$m+-54c$%TtjsheCx z#eX2cp?zJ*lF@3%3t3_pvVR1#w&+3GvHeH3|M@%77UWye#Dh%?fkpQJk(!AAJ?tFM z|L!FDf(0!-9I0_*M1TbPK{OEtB9t&&{FpEmCY%a>?hJ5270ZYfY*mtWK)!?F*^)-b z6ceK**<5z*zYtV^E3+}?o@t7VZb56v@*iGY6a7^?4oH#w_j;;q|9>BJj`*LQq)p;~ z$Ri_N$iiHE5vYB)>q|*x+?$Q6ZlN5K32-lW9GX^-O9b~nViv^DJ zSOpJUSTYwAES0W^3ocQ5Gixlc?QiUMtk*kXbI%pLF4h|O- zb;WkEK?2k#*5s*hpN#Ra@nWSKPG~b2kTj59BNS+t0jM$;#D7(hNGT;ZMV3UQHbo?5 zP^iz)X2_)U^7Xl?jS9*o^lA~oPdtklrnr1e zgSYrMdVl>2pntB@f*tVf+gY@^po)X3@=0TITXu09NS!j{8@|8zM zPCT`QB1y*~fD|l3w2yn0s05H36eW29Li%M6c@B*z#jbo%2LlE@*$ftu(~(DLL<|}s zPIUX;BfsXv?LW#AnJZ&q*)Dp9Zxq>o6Zb!Nx`Xb~|9`uabP8@DA;`5bAU5Db0DN8| z3p{v+sT>D;g(UnM5YO-*5G@7!&=e|T>fvTlZ%g2Wu-sMHwxvy+m+NBQ4HIz0tHxi-`_dj%#pmmk3m z+l7LO1kK65qL6+WwqS>qV`Gj)ShK{jnF>^1bbWTsfCkz(|v;d(b z4Sx(Ez}`cPF$?Uu&yoK{{?x$im@6jG(xC}$3%vmjv;P7=6irx)ec{R`$S3eKGFLv8 z&kzId7}vqW8hn6j+f|I;N88{|yHK0RR87n)lWKbO8X0Jv?au From 23f36bbd0a958f4cd91fc67480a00e7113c1818b Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Tue, 23 Jan 2024 16:51:58 +0530 Subject: [PATCH 09/13] Removing redundant comments --- charts/portal/values.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml index c43b5bd2..0e4f6fec 100644 --- a/charts/portal/values.yaml +++ b/charts/portal/values.yaml 
@@ -822,13 +822,6 @@ mysql: elevate-admin.sql: | GRANT ALL PRIVILEGES ON *.* TO 'portal'@'%'; FLUSH PRIVILEGES; primary: - # primary: - # podSecurityContext: - # enabled: true - # fsGroup: 100 - # containerSecurityContext: - # enabled: true - # runAsUser: 1001 configuration: |- [client] port=3306 From c7fa9f47c0920d7bec6419a7120d81bca34a3685 Mon Sep 17 00:00:00 2001 From: Kiran Saladi Date: Tue, 23 Jan 2024 19:58:34 +0530 Subject: [PATCH 10/13] Global values commented --- charts/portal/values-production.yaml | 5 +++++ charts/portal/values.yaml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/charts/portal/values-production.yaml b/charts/portal/values-production.yaml index a2957b4f..e482c8d9 100644 --- a/charts/portal/values-production.yaml +++ b/charts/portal/values-production.yaml @@ -25,8 +25,13 @@ global: subdomainPrefix: dev-portal # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod podSecurityContext: {} + # podSecurityContext: + # fsGroup: 1001 + # runAsNonRoot: true # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} + # containerSecurityContext: + # runAsUser: 1001 helpPage: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/5-2/ # storageClass: "_" # schedulerName: diff --git a/charts/portal/values.yaml b/charts/portal/values.yaml index 0e4f6fec..63b113ba 100644 --- a/charts/portal/values.yaml +++ b/charts/portal/values.yaml 
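Review bot: The commented example under `containerSecurityContext` shows only `runAsUser: 1001`, so an operator who copies it still gets containers that may escalate privileges and keep the runtime's default capability set. The same hunk is repeated in charts/portal/values.yaml. I would extend the example with `#   allowPrivilegeEscalation: false` and a commented `capabilities` block that drops `ALL`, noting that an image which needs a specific capability must add it back. It is also worth saying in this comment that a non-empty component-level `podSecurityContext` or `containerSecurityContext` replaces the global map rather than merging with it, since the templates pick one or the other.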
@@ -25,8 +25,13 @@ global: subdomainPrefix: dev-portal # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod podSecurityContext: {} + # podSecurityContext: + # fsGroup: 1001 + # runAsNonRoot: true # ref:https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: {} + # containerSecurityContext: + # runAsUser: 1001 helpPage: https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-developer-portal/5-2/ # storageClass: "_" # schedulerName: From 2488a8423a515b0fc35114bd41f2b83b2fb36498 Mon Sep 17 00:00:00 2001 From: ksaladi <69457674+ksaladi@users.noreply.github.com> Date: Tue, 23 Jan 2024 20:48:27 +0530 Subject: [PATCH 11/13] Update README.md to add the Openshift installation steps --- charts/portal/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/charts/portal/README.md b/charts/portal/README.md index 827f31f5..991741bd 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md @@ -925,6 +925,19 @@ Resulting hostnames: | TSSG sync | `dev-portal-sync.example.com` | `sync.example.com` | | API analytics | `dev-portal-analytics.example.com` | `analytics.example.com` | +## Installting in OpenShift +Fetch the OC namespace openshift.io/sa.scc.uid-range values(/) and openshift.io/sa.scc.supplemental-groups(/) annotation values. +[Refer to OpenShift documentation](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) + +Set the following global values in the override-values.yaml and do the helm install. +``` +global: + podSecurityContext: + fsGroup: + runAsNonRoot: true + containerSecurityContext: + runAsUser: +``` ## Persistent Volumes With the deployment of API Portal, PersistentVolumeClaims (PVC) are created for components as below: 
From 9fec3ee98fa3ffaa60bc830b4e1bd1be4a091a40 Mon Sep 17 00:00:00 2001 From: ksaladi <69457674+ksaladi@users.noreply.github.com> Date: Tue, 23 Jan 2024 20:52:45 +0530 Subject: [PATCH 12/13] Update README.md to update the OpenShift steps --- charts/portal/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/charts/portal/README.md b/charts/portal/README.md index 991741bd..f09cce95 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md @@ -926,7 +926,7 @@ Resulting hostnames: | API analytics | `dev-portal-analytics.example.com` | `analytics.example.com` | ## Installting in OpenShift -Fetch the OC namespace openshift.io/sa.scc.uid-range values(/) and openshift.io/sa.scc.supplemental-groups(/) annotation values. +Fetch the OC namespace openshift.io/sa.scc.uid-range values(`/`) and openshift.io/sa.scc.supplemental-groups(`/`) annotation values. [Refer to OpenShift documentation](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth) Set the following global values in the override-values.yaml and do the helm install. @@ -937,6 +937,10 @@ global: runAsNonRoot: true containerSecurityContext: runAsUser: +ingress: + type: + kubernetes: false + openshift: true ``` ## Persistent Volumes With the deployment of API Portal, PersistentVolumeClaims (PVC) are created for components as below: From 7a54e19947db4b9c689aac958ea0747564b8615a Mon Sep 17 00:00:00 2001 From: ksaladi <69457674+ksaladi@users.noreply.github.com> Date: Tue, 23 Jan 2024 20:54:08 +0530 Subject: [PATCH 13/13] Update README.md updating spell check --- charts/portal/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/portal/README.md b/charts/portal/README.md index f09cce95..6174789d 100644 --- a/charts/portal/README.md +++ b/charts/portal/README.md 
@@ -925,7 +925,7 @@ Resulting hostnames: | TSSG sync | `dev-portal-sync.example.com` | `sync.example.com` | | API analytics | `dev-portal-analytics.example.com` | `analytics.example.com` | -## Installting in OpenShift +## Installing in OpenShift Fetch the OC namespace openshift.io/sa.scc.uid-range values(`/`) and openshift.io/sa.scc.supplemental-groups(`/`) annotation values. [Refer to OpenShift documentation](https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html#security-context-constraints-pre-allocated-values_configuring-internal-oauth)