From ca14a08f9c58454700ec85248e9656ee21a06d37 Mon Sep 17 00:00:00 2001 From: Samuel Lang Date: Fri, 14 Aug 2020 12:49:01 +0200 Subject: [PATCH 1/5] =?UTF-8?q?=E2=9C=A8=20Skipper=20Router=20Implementati?= =?UTF-8?q?on?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Router implementation for zalan.do/Skipper Ingress - An HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress https://github.com/zalando/skipper/ * The concept is to define routes with specific weights via the skipper specific annotation predicate of "zalando.org/backend-weights". * A new "canary ingress" is created that has higher "weight" thus receiving all traffic, which distributes progressively * After the canary process is finished, this ingress is disabled via the "False()" annotation predicate to route traffic again back to the apex Ingress. There are certain Skipper principles which are taken into account: ``` Skipper Principles: * if only one backend has a weight, only one backend will get 100% traffic * if two of three or more backends have a weight, only those two should get traffic. * if two backends don't have any weight, it's undefined and right now they get equal amount of traffic. * weights can be int or float, but always treated as a ratio. Implementation: * apex Ingress is immutable * new canary Ingress contains two paths for primary and canary service * canary Ingress manages weights on primary & canary service, hence no traffic to apex service ``` --- go.mod | 2 + go.sum | 9 ++ pkg/router/factory.go | 5 + pkg/router/kubernetes_default.go | 3 - pkg/router/skipper.go | 235 +++++++++++++++++++++++++++++++ pkg/router/skipper_test.go | 107 ++++++++++++++ 6 files changed, 358 insertions(+), 3 deletions(-) create mode 100644 pkg/router/skipper.go create mode 100644 pkg/router/skipper_test.go diff --git a/go.mod b/go.mod index e41fd666c..6255481b9 100644 --- a/go.mod +++ b/go.mod 
@@ -10,6 +10,8 @@ require ( github.com/prometheus/client_golang v1.5.1 github.com/stretchr/testify v1.5.1 go.uber.org/zap v1.14.1 + golang.org/x/net v0.0.0-20200301022130-244492dfa37a // indirect + golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d // indirect gopkg.in/h2non/gock.v1 v1.0.15 k8s.io/api v0.18.8 k8s.io/apimachinery v0.18.8 diff --git a/go.sum b/go.sum index c5d33ed8a..01e48ac36 100644 --- a/go.sum +++ b/go.sum @@ -188,6 +188,7 @@ github.com/prometheus/procfs v0.0.8 h1:+fpWZdT24pJBiqJdAwYBjPSk+5YmQzYNPYzQsdzLk github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= 
@@ -220,6 +221,7 @@ golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo= golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -229,6 +231,8 @@ golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee h1:WG0RUwxtNT4qqaXX3DPA8zHFNm/D9xaBpxzHt1WcA/E= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -245,6 +249,8 @@ golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ym golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0= +golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 h1:Wo7BWFiOk0QRFMLYMqJGFMd9CgUAcGx7V+qEg/h5IBI= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -293,7 +299,10 @@ golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5 h1:hKsoRgsbwY1NafxrwTs+k64bikrLBkAgPir1TNCj3Zs= golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d h1:7M9AXzLrJWWGdDYtBblPHBTnHtaN6KKQ98OYb35mLlY= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= diff --git a/pkg/router/factory.go b/pkg/router/factory.go index 15df37fe0..2a970c901 100644 --- a/pkg/router/factory.go +++ b/pkg/router/factory.go @@ -122,6 +122,11 @@ func (factory *Factory) MeshRouter(provider string, labelSelector string) Interf kubeClient: factory.kubeClient, annotationsPrefix: factory.ingressAnnotationsPrefix, } + case provider == flaggerv1.SkipperProvider: + return &SkipperRouter{ + logger: factory.logger, + kubeClient: factory.kubeClient, + } case provider == flaggerv1.KubernetesProvider: return &NopRouter{} default: diff --git a/pkg/router/kubernetes_default.go b/pkg/router/kubernetes_default.go index df4a8bc40..739dc4c7a 100644 --- a/pkg/router/kubernetes_default.go +++ b/pkg/router/kubernetes_default.go 
@@ -125,9 +125,6 @@ func (c *KubernetesDefaultRouter) reconcileService(canary *flaggerv1.Canary, nam metadata.Annotations = make(map[string]string) } - c.logger.With("canary", fmt.Sprintf("%s.%s", canary.Name, canary.Namespace)). - Debugw(fmt.Sprintf("Creating Service %s", name), "metadata", metadata, "service_configuration", canary.Spec.Service) - // create service if it doesn't exists svc, err := c.kubeClient.CoreV1().Services(canary.Namespace).Get(context.TODO(), name, metav1.GetOptions{}) if errors.IsNotFound(err) { diff --git a/pkg/router/skipper.go b/pkg/router/skipper.go new file mode 100644 index 000000000..6b5a8c7cd --- /dev/null +++ b/pkg/router/skipper.go 
@@ -0,0 +1,235 @@ +package router + +import ( + "context" + "encoding/json" + "fmt" + + "github.com/google/go-cmp/cmp" + "go.uber.org/zap" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/client-go/kubernetes" + + flaggerv1 "github.com/weaveworks/flagger/pkg/apis/flagger/v1beta1" +) + +/* +Skipper Principles: +* if only one backend has a weight, only one backend will get 100% traffic +* if two of three or more backends have a weight, only those two should get traffic. +* if two backends don't have any weight, it's undefined and right now they get equal amount of traffic. +* weights can be int or float, but always treated as a ratio. + +Implementation: +* apex Ingress is immutable +* new canary Ingress contains two paths for primary and canary service +* canary Ingress manages weights on primary & canary service, hence no traffic to apex service + +*/ + +const ( + skipperpredicateAnnotationKey = "zalando.org/skipper-predicate" + skipperBackendWeightsAnnotationKey = "zalando.org/backend-weights" + canaryPatternf = "%s-canary" + canaryRouteWeight = "Weight(100)" + canaryRouteDisable = "False()" +) + +type SkipperRouter struct { + kubeClient kubernetes.Interface + logger *zap.SugaredLogger +} + +// Reconcile creates or updates the ingresses +func (skp *SkipperRouter) Reconcile(canary *flaggerv1.Canary) error { + if canary.Spec.IngressRef == nil || canary.Spec.IngressRef.Name == "" { + return fmt.Errorf("ingress selector is empty") + } + + apexSvcName, primarySvcName, canarySvcName := canary.GetServiceNames() + apexIngressName, canaryIngressName := skp.getIngressNames(canary.Spec.IngressRef.Name) + + // retrieving apex ingress + apexIngress, err := skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Get( + context.TODO(), apexIngressName, metav1.GetOptions{}) + if err != nil { + return fmt.Errorf("apexIngress %s.%s get query error: %w", apexIngressName, 
canary.Namespace, err) + } + + // building the canary ingress from apex + iClone := apexIngress.DeepCopy() + for x := range iClone.Spec.Rules { + rule := &iClone.Spec.Rules[x] // ref not value + for y := range rule.HTTP.Paths { + path := &rule.HTTP.Paths[y] // ref not value + if path.Backend.ServiceName == apexSvcName { + // flipping to primary service + path.Backend.ServiceName = primarySvcName + // adding second canary service + canaryBackend := path.DeepCopy() + canaryBackend.Backend.ServiceName = canarySvcName + rule.HTTP.Paths = append(rule.HTTP.Paths, *canaryBackend) + } + } + } + if apexIngress.DeepCopy() == iClone { + return fmt.Errorf("backend %s not found in ingress %s", apexSvcName, apexIngressName) + } + + iClone.Annotations = skp.makeAnnotations(iClone.Annotations, map[string]int{primarySvcName: 100, canarySvcName: 0}) + iClone.Name = canaryIngressName + iClone.Namespace = canary.Namespace + iClone.OwnerReferences = []metav1.OwnerReference{ + *metav1.NewControllerRef(canary, schema.GroupVersionKind{ + Group: flaggerv1.SchemeGroupVersion.Group, + Version: flaggerv1.SchemeGroupVersion.Version, + Kind: flaggerv1.CanaryKind, + }), + } + + // search for existence + canaryIngress, err := skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Get( + context.TODO(), canaryIngressName, metav1.GetOptions{}) + + // new ingress + if errors.IsNotFound(err) { + // Let K8s set this. Otherwise K8s API complains with "resourceVersion should not be set on objects to be created" + iClone.ObjectMeta.ResourceVersion = "" + _, err := skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Create(context.TODO(), iClone, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("ingress %s.%s create error: %w", iClone.Name, iClone.Namespace, err) + } + skp.logger.With("canary", fmt.Sprintf("%s.%s", canary.Name, canary.Namespace)). 
+ Infof("Ingress %s.%s created", iClone.GetName(), canary.Namespace) + return nil + } else if err != nil { + return fmt.Errorf("ingress %s.%s query error: %w", canaryIngressName, canary.Namespace, err) + } + + // existant, updating + if cmp.Diff(iClone.Spec, canaryIngress.Spec) != "" { + ingressClone := canaryIngress.DeepCopy() + ingressClone.Spec = iClone.Spec + ingressClone.Annotations = iClone.Annotations + + _, err := skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Update(context.TODO(), ingressClone, metav1.UpdateOptions{}) + if err != nil { + return fmt.Errorf("ingress %s.%s update error: %w", canaryIngressName, ingressClone.Namespace, err) + } + skp.logger.With("canary", fmt.Sprintf("%s.%s", canary.Name, canary.Namespace)). + Infof("Ingress %s updated", canaryIngressName) + } + return nil +} + +func (skp *SkipperRouter) GetRoutes(canary *flaggerv1.Canary) (primaryWeight, canaryWeight int, mirrored bool, err error) { + _, primarySvcName, canarySvcName := canary.GetServiceNames() + + _, canaryIngressName := skp.getIngressNames(canary.Spec.IngressRef.Name) + canaryIngress, err := skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Get(context.TODO(), canaryIngressName, metav1.GetOptions{}) + if err != nil { + err = fmt.Errorf("ingress %s.%s get query error: %w", canaryIngressName, canary.Namespace, err) + return + } + + weights, err := skp.backendWeights(canaryIngress.Annotations) + if err != nil { + err = fmt.Errorf("ingress %s.%s get backendWeights error: %w", canaryIngressName, canary.Namespace, err) + return + } + var ok bool + primaryWeight, ok = weights[primarySvcName] + if !ok { + err = fmt.Errorf("ingress %s.%s could not get weights[primarySvcName]", canaryIngressName, canary.Namespace) + return + } + canaryWeight, ok = weights[canarySvcName] + if !ok { + err = fmt.Errorf("ingress %s.%s could not get weights[canarySvcName]", canaryIngressName, canary.Namespace) + return + } + mirrored = false + skp.logger.With("GetRoutes", 
fmt.Sprintf("%s.%s", canary.Name, canary.Namespace)). + Debugf("GetRoutes primaryWeight: %d, canaryWeight: %d", primaryWeight, canaryWeight) + return +} + +func (skp *SkipperRouter) SetRoutes(canary *flaggerv1.Canary, primaryWeight, canaryWeight int, _ bool) (err error) { + _, primarySvcName, canarySvcName := canary.GetServiceNames() + _, canaryIngressName := skp.getIngressNames(canary.Spec.IngressRef.Name) + canaryIngress, err := skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Get(context.TODO(), canaryIngressName, metav1.GetOptions{}) + if err != nil { + return fmt.Errorf("ingress %s.%s get query error: %w", canaryIngressName, canary.Namespace, err) + } + + iClone := canaryIngress.DeepCopy() + + // TODO: A/B testing + + // Canary + iClone.Annotations = skp.makeAnnotations(iClone.Annotations, map[string]int{ + primarySvcName: primaryWeight, + canarySvcName: canaryWeight, + }) + + // Disable the canary-ingress route after the canary process + if canaryWeight == 0 { + iClone.Annotations[skipperpredicateAnnotationKey] = canaryRouteDisable + } + + _, err = skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Update( + context.TODO(), iClone, metav1.UpdateOptions{}) + if err != nil { + return fmt.Errorf("ingress %s.%s update error %w", iClone.Name, iClone.Namespace, err) + } + skp.logger.With("SetRoutes", fmt.Sprintf("%s.%s", canary.Name, canary.Namespace)). + Debugf("primaryWeight: %d, canaryWeight: %d", primaryWeight, canaryWeight) + + return err +} + +func (skp *SkipperRouter) Finalize(canary *flaggerv1.Canary) error { + gracePeriodSeconds := int64(2) + _, canaryIngressName := skp.getIngressNames(canary.Spec.IngressRef.Name) + skp.logger.With("deleteCanaryIngress", fmt.Sprintf("%s.%s", canary.Name, canary.Namespace)). 
+ Debugf("Deleting Canary Ingress: %s", canaryIngressName) + + err := skp.kubeClient.NetworkingV1beta1().Ingresses(canary.Namespace).Delete( + context.TODO(), canaryIngressName, metav1.DeleteOptions{GracePeriodSeconds: &gracePeriodSeconds}) + if err != nil { + return fmt.Errorf("ingress %s.%s unable to remove canary ingress: %w", canaryIngressName, canary.Namespace, err) + } + return nil +} + +func (skp *SkipperRouter) makeAnnotations(annotations map[string]string, backendWeights map[string]int) map[string]string { + b, err := json.Marshal(backendWeights) + if err != nil { + skp.logger.Errorf("Skipper:makeAnnotations: unable to marshal backendWeights %w", err) + return annotations + } + annotations[skipperBackendWeightsAnnotationKey] = string(b) + // adding more weight to canary route solves traffic bypassing through apexIngress + annotations[skipperpredicateAnnotationKey] = canaryRouteWeight + + return annotations +} + +// parse backend-weights annotation if it exists +func (skp *SkipperRouter) backendWeights(annotation map[string]string) (backendWeights map[string]int, err error) { + backends, ok := annotation[skipperBackendWeightsAnnotationKey] + if ok { + err = json.Unmarshal([]byte(backends), &backendWeights) + } else { + err = errors.NewNotFound(schema.GroupResource{Group: "Skipper Canary Ingress", Resource: "Annotation"}, + skipperBackendWeightsAnnotationKey) + } + return +} + +// getIngressNames returns the primary and canary Kubernetes Ingress names +func (skp *SkipperRouter) getIngressNames(name string) (apexName, canaryName string) { + return name, fmt.Sprintf(canaryPatternf, name) +} diff --git a/pkg/router/skipper_test.go b/pkg/router/skipper_test.go new file mode 100644 index 000000000..e782f38e3 --- /dev/null +++ b/pkg/router/skipper_test.go 
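Review bot: The guard `if apexIngress.DeepCopy() == iClone` in Reconcile compares two distinct pointers, so it is always false and the "backend %s not found in ingress %s" error can never be returned. When the apex Ingress has no path for the apex service, the code still creates a canary Ingress annotated with `Weight(100)`, which per the commit description draws the traffic away from the apex Ingress while its backend-weights annotation names services that appear in none of its paths. Track the match explicitly instead: declare `found := false` before the loops, set `found = true` inside the `if path.Backend.ServiceName == apexSvcName` branch, and return the error on `if !found`. Three crash paths in the same file are worth closing too: makeAnnotations assigns into `annotations` without a nil check (an apex Ingress without annotations gives a nil map after DeepCopy), `rule.HTTP.Paths` is read without checking `rule.HTTP`, and GetRoutes, SetRoutes and Finalize dereference `canary.Spec.IngressRef.Name` without the nil check that Reconcile performs.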
@@ -0,0 +1,107 @@ +package router + +import ( + "context" + "fmt" + "testing" + + "github.com/stretchr/testify/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestSkipperRouter_Reconcile(t *testing.T) { + assert := assert.New(t) + mocks := newFixture(nil) + + for _, tt := range []struct { + name string + mocks func() fixture + wantErr bool + }{ + { + "creating new canary ingress w/ default settings", + func() fixture { return mocks }, + false, + }, { + "updating existing canary ingress", + func() fixture { + ti := newTestIngress() + ti.Annotations["something"] = "changed" + _, err := mocks.kubeClient.NetworkingV1beta1().Ingresses("default").Update( + context.TODO(), ti, metav1.UpdateOptions{}) + assert.NoError(err) + return mocks + }, + false, + }, + } { + tt := tt + t.Run(tt.name, func(t *testing.T) { + mocks := tt.mocks() + router := &SkipperRouter{ + kubeClient: mocks.kubeClient, + logger: mocks.logger, + } + assert.NoError(router.Reconcile(mocks.ingressCanary)) + canaryName := fmt.Sprintf("%s-canary", mocks.ingressCanary.Spec.IngressRef.Name) + inCanary, err := router.kubeClient.NetworkingV1beta1().Ingresses("default").Get( + context.TODO(), canaryName, metav1.GetOptions{}) + assert.NoError(err) + // test initialisation + assert.JSONEq(`{ "podinfo-primary": 100, "podinfo-canary": 0 }`, inCanary.Annotations["zalando.org/backend-weights"]) + assert.Equal("podinfo-primary", inCanary.Spec.Rules[0].HTTP.Paths[0].Backend.ServiceName, "backend flipped over") + assert.Equal("podinfo-canary", inCanary.Spec.Rules[0].HTTP.Paths[1].Backend.ServiceName, "backend flipped over") + assert.Len(inCanary.Spec.Rules[0].HTTP.Paths, 2) + inApex, err := router.kubeClient.NetworkingV1beta1().Ingresses("default").Get( + context.TODO(), mocks.ingressCanary.Spec.IngressRef.Name, metav1.GetOptions{}) + assert.NoError(err) + assert.Equal(inCanary.Spec.Rules[0].HTTP.Paths[0].Backend.ServicePort, + inApex.Spec.Rules[0].HTTP.Paths[0].Backend.ServicePort, "canary backend not 
cloned") + assert.Equal(inCanary.Spec.Rules[0].HTTP.Paths[0].Backend.ServicePort, + inCanary.Spec.Rules[0].HTTP.Paths[1].Backend.ServicePort, "canary backend not cloned") + }) + } +} + +func TestSkipperRouter_GetSetRoutes(t *testing.T) { + assert := assert.New(t) + mocks := newFixture(nil) + + router := &SkipperRouter{logger: mocks.logger, kubeClient: mocks.kubeClient} + assert.NoError(router.Reconcile(mocks.ingressCanary)) + + p, c, m, err := router.GetRoutes(mocks.ingressCanary) + assert.NoError(err) + assert.Equal(100, p) + assert.Equal(0, c) + assert.Equal(false, m) + + tests := []struct { + name string + primary, canary int + }{ + {name: "0%", primary: 100, canary: 0}, + {name: "10%", primary: 90, canary: 10}, + {name: "20%", primary: 80, canary: 20}, + {name: "30%", primary: 70, canary: 30}, + {name: "85%", primary: 15, canary: 85}, + {name: "100%", primary: 0, canary: 100}, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + assert.NoError(router.SetRoutes(mocks.ingressCanary, tt.primary, tt.canary, false)) + inCanary, err := router.kubeClient.NetworkingV1beta1().Ingresses("default").Get( + context.TODO(), fmt.Sprintf("%s-canary", mocks.ingressCanary.Spec.IngressRef.Name), metav1.GetOptions{}) + assert.NoError(err) + assert.JSONEq(fmt.Sprintf(`{"podinfo-primary": %d,"podinfo-canary": %d}`, tt.primary, tt.canary), + inCanary.Annotations["zalando.org/backend-weights"]) + p, c, m, err = router.GetRoutes(mocks.ingressCanary) + assert.NoError(err) + assert.Equal(tt.primary, p) + assert.Equal(tt.canary, c) + assert.Equal(false, m) + }) + } + +} From a9ad6c92a61803b4b5dce7b7cd6f3cc360e0993f Mon Sep 17 00:00:00 2001 From: Samuel Lang Date: Fri, 14 Aug 2020 12:49:21 +0200 Subject: [PATCH 2/5] adding CircleCI tests --- .circleci/config.yml | 16 ++++++++++++++++ test/README.md | 18 +++++++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 758b14dc1..c98be8f10 100644 
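Review bot: TestSkipperRouter_Reconcile covers only success cases: both rows set `wantErr` to false and the loop never reads the field, so none of Reconcile's error returns is exercised. A row whose apex Ingress has no path for the apex service, and one whose Canary has a nil `IngressRef`, would pin the "backend ... not found" and "ingress selector is empty" errors. The subtests also reuse the outer `assert := assert.New(t)`, so a failure is reported on the parent test and execution continues into `inCanary.Spec.Rules[0]` even after a failed Get; using the subtest's own `t` with `require.NoError(t, err)` stops at the first failure instead of panicking on a nil result.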
--- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -143,6 +143,18 @@ jobs: - run: test/e2e-contour.sh - run: test/e2e-contour-tests.sh + e2e-skipper-testing: + machine: true + steps: + - checkout + - attach_workspace: + at: /tmp/bin + - run: test/container-build.sh + - run: test/e2e-kind.sh + - run: test/e2e-skipper.sh + - run: test/e2e-skipper-tests.sh + - run: test/e2e-nginx-cleanup.sh + push-helm-charts: docker: - image: circleci/golang:1.14 @@ -212,6 +224,9 @@ workflows: - e2e-contour-testing: requires: - build-binary + - e2e-skipper-testing: + requires: + - build-binary - push-container: requires: - build-binary @@ -220,6 +235,7 @@ workflows: - e2e-gloo-testing - e2e-nginx-testing - e2e-linkerd-testing + - e2e-skipper-testing filters: branches: only: diff --git a/test/README.md b/test/README.md index d595d8473..2ac3292a9 100644 --- a/test/README.md +++ b/test/README.md 
@@ -53,4 +53,20 @@ The e2e testing infrastructure is powered by CircleCI and [Kubernetes Kind](http * test the A/B testing analysis and promotion using header filters and pre/post rollout webhooks [e2e-nginx-tests.sh](e2e-nginx-tests.sh) * cleanup test environment [e2e-nginx-cleanup.sh](e2e-nginx-cleanup.sh) * install NGINX Ingress and Flagger with custom ingress annotations prefix [e2e-nginx-custom-annotations.sh](e2e-nginx-custom-annotations.sh) -* repeat the canary and A/B testing workflow [e2e-nginx-tests.sh](e2e-nginx-tests.sh) \ No newline at end of file +* repeat the canary and A/B testing workflow [e2e-nginx-tests.sh](e2e-nginx-tests.sh) + +### CircleCI e2e Skipper ingress workflow + +* install latest stable kubectl [e2e-kind.sh](e2e-kind.sh) +* install Kubernetes Kind [e2e-kind.sh](e2e-kind.sh) +* create local Kubernetes cluster with kind [e2e-kind.sh](e2e-kind.sh) +* install Skipper ingress with Kustomize [e2e-skipper.sh](e2e-skipper.sh) +* load Flagger image onto the local cluster [e2e-skipper.sh](e2e-skipper.sh) +* install Flagger and Prometheus in the flagger-system namespace [e2e-skipper.sh](e2e-skipper.sh) +* create a test namespace [e2e-skipper-tests.sh](e2e-skipper-tests.sh) +* deploy the load tester in the test namespace [e2e-skipper-tests.sh](e2e-skipper-tests.sh) +* deploy the demo workload (podinfo) and ingress in the test namespace [e2e-skipper-tests.sh](e2e-skipper-tests.sh) +* test the canary initialization [e2e-skipper-tests.sh](e2e-skipper-tests.sh) +* test the canary analysis and promotion using weighted traffic and the load testing webhook [e2e-skipper-tests.sh]e2e-skipper-tests.sh) +* test the A/B testing analysis and promotion using header filters and pre/post rollout webhooks [e2e-skipper-tests.sh]e2e-skipper-tests.sh) +* cleanup test environment [e2e-skipper-cleanup.sh](e2e-skipper-cleanup.sh) From 39e55daa040b9aa5991a84e16df8e2536a8e5baa Mon Sep 17 00:00:00 2001 
From: Samuel Lang Date: Fri, 14 Aug 2020 12:54:11 +0200 Subject: [PATCH 3/5] =?UTF-8?q?=F0=9F=93=88=20Skipper=20Metrics=20Observer?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To be able to distinguish Skipper routes we need to combine the Canary data to generate the Skipper metric label. "request-success-rate" and "request-duration" queries are implemented and tested that provide those observations from Skipper metrics * Takes into account how Skipper renders the paths accordingly and reformats the queries. --- pkg/apis/flagger/v1beta1/provider.go | 1 + pkg/metrics/observers/factory.go | 4 + pkg/metrics/observers/skipper.go | 82 ++++++++++++++++++++ pkg/metrics/observers/skipper_test.go | 106 ++++++++++++++++++++++++++ 4 files changed, 193 insertions(+) create mode 100644 pkg/metrics/observers/skipper.go create mode 100644 pkg/metrics/observers/skipper_test.go diff --git a/pkg/apis/flagger/v1beta1/provider.go b/pkg/apis/flagger/v1beta1/provider.go index 9dbcf0174..a27bbc885 100644 --- a/pkg/apis/flagger/v1beta1/provider.go +++ b/pkg/apis/flagger/v1beta1/provider.go @@ -9,4 +9,5 @@ const ( GlooProvider string = "gloo" NGINXProvider string = "nginx" KubernetesProvider string = "kubernetes" + SkipperProvider string = "skipper" ) diff --git a/pkg/metrics/observers/factory.go b/pkg/metrics/observers/factory.go index 35555c7c7..ac20884dc 100644 --- a/pkg/metrics/observers/factory.go +++ b/pkg/metrics/observers/factory.go @@ -56,6 +56,10 @@ func (factory Factory) Observer(provider string) Interface { return &HttpObserver{ client: factory.Client, } + case provider == flaggerv1.SkipperProvider: + return &SkipperObserver{ + client: factory.Client, + } default: return &IstioObserver{ client: factory.Client, diff --git a/pkg/metrics/observers/skipper.go b/pkg/metrics/observers/skipper.go new file mode 100644 index 000000000..9f4effea0 --- /dev/null +++ b/pkg/metrics/observers/skipper.go 
@@ -0,0 +1,82 @@ +package observers + +import ( + "fmt" + "regexp" + "time" + + flaggerv1 "github.com/weaveworks/flagger/pkg/apis/flagger/v1beta1" + "github.com/weaveworks/flagger/pkg/logger" + + "github.com/weaveworks/flagger/pkg/metrics/providers" +) + +const routePattern = `{{- $route := printf "kube(ew)?_%s__%s_canary__.*__%s_canary(_[0-9]+)?" namespace ingress service }}` + +var skipperQueries = map[string]string{ + "request-success-rate": routePattern + ` + sum(rate(skipper_response_duration_seconds_bucket{route=~"{{ $route }}",code!~"5..",le="+Inf"}[{{ interval }}])) / + sum(rate(skipper_response_duration_seconds_bucket{route=~"{{ $route }}",le="+Inf"}[{{ interval }}])) * 100`, + "request-duration": routePattern + ` + sum(rate(skipper_serve_route_duration_seconds_sum{route=~"{{ $route }}"}[{{ interval }}])) / + sum(rate(skipper_serve_route_duration_seconds_count{route=~"{{ $route }}"}[{{ interval }}])) * 1000`, +} + +// SkipperObserver Implementation for Skipper (https://github.com/zalando/skipper) +type SkipperObserver struct { + client providers.Interface +} + +// GetRequestSuccessRate return value for Skipper Request Success Rate +func (ob *SkipperObserver) GetRequestSuccessRate(model flaggerv1.MetricTemplateModel) (float64, error) { + + model = encodeModelForSkipper(model) + + query, err := RenderQuery(skipperQueries["request-success-rate"], model) + if err != nil { + return 0, fmt.Errorf("rendering query failed: %w", err) + } + logger, _ := logger.NewLoggerWithEncoding("debug", "json") + logger.Debugf("GetRequestSuccessRate: %s", query) + + value, err := ob.client.RunQuery(query) + if err != nil { + return 0, fmt.Errorf("running query failed: %w", err) + } + + return value, nil +} + +// GetRequestDuration return value for Skipper Request Duration +func (ob *SkipperObserver) GetRequestDuration(model flaggerv1.MetricTemplateModel) (time.Duration, error) { + + model = encodeModelForSkipper(model) + + query, err := 
RenderQuery(skipperQueries["request-duration"], model) + if err != nil { + return 0, fmt.Errorf("rendering query failed: %w", err) + } + logger, _ := logger.NewLoggerWithEncoding("debug", "json") + logger.Debugf("GetRequestDuration: %s", query) + + value, err := ob.client.RunQuery(query) + if err != nil { + return 0, fmt.Errorf("running query failed: %w", err) + } + + ms := time.Duration(int64(value)) * time.Millisecond + return ms, nil +} + +// encodeModelForSkipper replaces non word character in model with underscore to match route names +// https://github.com/zalando/skipper/blob/dd70bd65e7f99cfb5dd6b6f71885d9fe3b2707f6/dataclients/kubernetes/ingress.go#L101 +func encodeModelForSkipper(model flaggerv1.MetricTemplateModel) flaggerv1.MetricTemplateModel { + nonWord := regexp.MustCompile(`\W`) + model.Ingress = nonWord.ReplaceAllString(model.Ingress, "_") + model.Name = nonWord.ReplaceAllString(model.Name, "_") + model.Namespace = nonWord.ReplaceAllString(model.Namespace, "_") + model.Service = nonWord.ReplaceAllString(model.Service, "_") + model.Target = nonWord.ReplaceAllString(model.Target, "_") + + return model +} diff --git a/pkg/metrics/observers/skipper_test.go b/pkg/metrics/observers/skipper_test.go new file mode 100644 index 000000000..b75a6e8c8 --- /dev/null +++ b/pkg/metrics/observers/skipper_test.go 
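Review bot: GetRequestSuccessRate and GetRequestDuration each build a new logger with `logger, _ := logger.NewLoggerWithEncoding("debug", "json")` on every call and discard its error before calling `logger.Debugf`, so a failed construction would presumably leave a nil logger to dereference. The local also shadows the imported `logger` package, and because it is created at the hard-coded "debug" level it emits the full rendered query independently of whatever level the controller's own logger uses. Either drop the two debug lines or give SkipperObserver a logger field that the factory sets. In encodeModelForSkipper the `\W` pattern is compiled on every call; hoisting `nonWord` to a package-level `var` compiles it once. A short comment there stating that the substitution also keeps regex metacharacters out of the `route=~"{{ $route }}"` matcher would record why the values are rewritten before rendering, if that is the intent.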
@@ -0,0 +1,106 @@ +package observers + +import ( + "errors" + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + flaggerv1 "github.com/weaveworks/flagger/pkg/apis/flagger/v1beta1" + "github.com/weaveworks/flagger/pkg/metrics/providers" +) + +func TestSkipperObserver_GetRequestSuccessRate(t *testing.T) { + t.Run("ok", func(t *testing.T) { + expected := ` sum(rate(skipper_response_duration_seconds_bucket{route=~"kube(ew)?_skipper__skipper_ingress_canary__.*__backend_canary(_[0-9]+)?",code!~"5..",le="+Inf"}[1m])) / sum(rate(skipper_response_duration_seconds_bucket{route=~"kube(ew)?_skipper__skipper_ingress_canary__.*__backend_canary(_[0-9]+)?",le="+Inf"}[1m])) * 100` + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + promql := r.URL.Query()["query"][0] + assert.Equal(t, expected, promql) + + json := `{"status":"success","data":{"resultType":"vector","result":[{"metric":{},"value":[1,"100"]}]}}` + w.Write([]byte(json)) + })) + defer ts.Close() + + client, err := providers.NewPrometheusProvider(flaggerv1.MetricTemplateProvider{ + Type: "prometheus", + Address: ts.URL, + SecretRef: nil, + }, nil) + require.NoError(t, err) + + observer := &SkipperObserver{ + client: client, + } + + val, err := observer.GetRequestSuccessRate(flaggerv1.MetricTemplateModel{ + Namespace: "skipper", + Interval: "1m", + Service: "backend", + Ingress: "skipper-ingress", + }) + require.NoError(t, err) + + assert.Equal(t, float64(100), val) + }) + + t.Run("no values", func(t *testing.T) { + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + json := `{"status":"success","data":{"resultType":"vector","result":[]}}` + w.Write([]byte(json)) + })) + defer ts.Close() + + client, err := providers.NewPrometheusProvider(flaggerv1.MetricTemplateProvider{ + Type: "prometheus", + Address: ts.URL, + SecretRef: nil, + }, nil) + 
require.NoError(t, err) + + observer := &SkipperObserver{ + client: client, + } + + _, err = observer.GetRequestSuccessRate(flaggerv1.MetricTemplateModel{}) + require.True(t, errors.Is(err, providers.ErrNoValuesFound)) + }) +} + +func TestSkipperObserver_GetRequestDuration(t *testing.T) { + expected := ` sum(rate(skipper_serve_route_duration_seconds_sum{route=~"kube(ew)?_skipper__skipper_ingress_canary__.*__backend_canary(_[0-9]+)?"}[1m])) / sum(rate(skipper_serve_route_duration_seconds_count{route=~"kube(ew)?_skipper__skipper_ingress_canary__.*__backend_canary(_[0-9]+)?"}[1m])) * 1000` + + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + promql := r.URL.Query()["query"][0] + assert.Equal(t, expected, promql) + + json := `{"status":"success","data":{"resultType":"vector","result":[{"metric":{},"value":[1,"100"]}]}}` + w.Write([]byte(json)) + })) + defer ts.Close() + + client, err := providers.NewPrometheusProvider(flaggerv1.MetricTemplateProvider{ + Type: "prometheus", + Address: ts.URL, + SecretRef: nil, + }, nil) + require.NoError(t, err) + + observer := &SkipperObserver{ + client: client, + } + + val, err := observer.GetRequestDuration(flaggerv1.MetricTemplateModel{ + Namespace: "skipper", + Interval: "1m", + Service: "backend", + Ingress: "skipper-ingress", + }) + require.NoError(t, err) + + assert.Equal(t, 100*time.Millisecond, val) +} From ad8233cf460cfb559f5bacb8bb8c8214ca59cc2e Mon Sep 17 00:00:00 2001 
From: Samuel Lang Date: Fri, 14 Aug 2020 12:57:32 +0200 Subject: [PATCH 4/5] =?UTF-8?q?=F0=9F=91=B7=20Add=20high-level=20E2E=20tes?= =?UTF-8?q?t=20steps=20for=20Skipper?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add e2e-skipper* files for test setup It does the following things: * install Skipper ingress with Kustomize * load Flagger image onto the local cluster * install Flagger and Prometheus in the flagger-system namespace --- .circleci/config.yml | 2 +- pkg/metrics/observers/skipper_test.go | 15 +---- test/e2e-skipper-canary.yaml | 66 +++++++++++++++++++++ test/e2e-skipper-cleanup.sh | 14 +++++ test/e2e-skipper-tests.sh | 83 +++++++++++++++++++++++++++ test/e2e-skipper.sh | 22 +++++++ test/e2e-workload-ingress.yaml | 17 ++++++ test/skipper/kustomization.yaml | 67 +++++++++++++++++++++ test/skipper/namespace.yaml | 4 ++ test/skipper/patch.yaml | 13 +++++ 10 files changed, 290 insertions(+), 13 deletions(-) create mode 100644 test/e2e-skipper-canary.yaml create mode 100755 test/e2e-skipper-cleanup.sh create mode 100755 test/e2e-skipper-tests.sh create mode 100755 test/e2e-skipper.sh create mode 100644 test/e2e-workload-ingress.yaml create mode 100644 test/skipper/kustomization.yaml create mode 100644 test/skipper/namespace.yaml create mode 100644 test/skipper/patch.yaml diff --git a/.circleci/config.yml b/.circleci/config.yml index c98be8f10..09c6a5982 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -153,7 +153,7 @@ jobs: - run: test/e2e-kind.sh - run: test/e2e-skipper.sh - run: test/e2e-skipper-tests.sh - - run: test/e2e-nginx-cleanup.sh + - run: test/e2e-skipper-cleanup.sh push-helm-charts: docker: diff --git a/pkg/metrics/observers/skipper_test.go b/pkg/metrics/observers/skipper_test.go index b75a6e8c8..9c16243d9 100644 --- a/pkg/metrics/observers/skipper_test.go +++ b/pkg/metrics/observers/skipper_test.go 
@@ -33,10 +33,7 @@ func TestSkipperObserver_GetRequestSuccessRate(t *testing.T) { }, nil) require.NoError(t, err) - observer := &SkipperObserver{ - client: client, - } - + observer := &SkipperObserver{client: client} val, err := observer.GetRequestSuccessRate(flaggerv1.MetricTemplateModel{ Namespace: "skipper", Interval: "1m", @@ -62,10 +59,7 @@ func TestSkipperObserver_GetRequestSuccessRate(t *testing.T) { }, nil) require.NoError(t, err) - observer := &SkipperObserver{ - client: client, - } - + observer := &SkipperObserver{client: client} _, err = observer.GetRequestSuccessRate(flaggerv1.MetricTemplateModel{}) require.True(t, errors.Is(err, providers.ErrNoValuesFound)) }) @@ -90,10 +84,7 @@ func TestSkipperObserver_GetRequestDuration(t *testing.T) { }, nil) require.NoError(t, err) - observer := &SkipperObserver{ - client: client, - } - + observer := &SkipperObserver{client: client} val, err := observer.GetRequestDuration(flaggerv1.MetricTemplateModel{ Namespace: "skipper", Interval: "1m", diff --git a/test/e2e-skipper-canary.yaml b/test/e2e-skipper-canary.yaml new file mode 100644 index 000000000..7e0965e45 --- /dev/null +++ b/test/e2e-skipper-canary.yaml 
@@ -0,0 +1,66 @@
+apiVersion: flagger.app/v1beta1
+kind: Canary
+metadata:
+ name: podinfo
+ namespace: test
+spec:
+ provider: skipper
+ progressDeadlineSeconds: 120
+ revertOnDeletion: true
+ targetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: podinfo
+ ingressRef:
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ name: podinfo-ingress
+ service:
+ # service name (defaults to targetRef.name)
+ name: podinfo-service
+ # ClusterIP port number
+ port: 80
+ # container port name or number (optional)
+ targetPort: http
+ # port name can be http or grpc (default http)
+ # portName: http
+ # add all the other container ports
+ # to the ClusterIP services (default false)
+ # portDiscovery: false
+ analysis:
+ interval: 15s
+ threshold: 5
+ maxWeight: 100
+ stepWeight: 10
+ metrics:
+ - name: request-success-rate
+ interval: 15s
+ # minimum req success rate (non 5xx responses)
+ # percentage (0-100)
+ thresholdRange:
+ min: 99
+ - name: request-duration
+ interval: 15s
+ # maximum req duration P99
+ # milliseconds
+ thresholdRange:
+ max: 500
+ webhooks:
+ - name: gate
+ type: confirm-rollout
+ url: http://flagger-loadtester.test/gate/approve
+ - name: acceptance-test
+ type: pre-rollout
+ url: http://flagger-loadtester.test/
+ timeout: 10s
+ metadata:
+ type: bash
+ cmd: "curl -sd 'test' http://podinfo-service-canary/token | grep token"
+ - name: "load test"
+ type: rollout
+ url: http://flagger-loadtester.test/
+ timeout: 5s
+ metadata:
+ type: cmd
+ cmd: "hey -z 10m -q 10 -c 2 -host app.example.com http://skipper-ingress.kube-system"
+ logCmdOutput: "true"
diff --git a/test/e2e-skipper-cleanup.sh b/test/e2e-skipper-cleanup.sh
new file mode 100755
index 000000000..b789007ec
--- /dev/null
+++ b/test/e2e-skipper-cleanup.sh
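Review bot: The comment on the `request-duration` metric says `# maximum req duration P99`, but the Skipper observer test earlier in this series expects a query of the form `sum(rate(..._duration_seconds_sum)) / sum(rate(..._duration_seconds_count)) * 1000`, which is a mean over the interval and not a percentile. A mean hides tail latency, so `max: 500` gates on something weaker than the comment promises. I would reword the comment to `# maximum mean req duration` unless the builtin query is changed to a histogram quantile.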
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+echo '>>> Deleting Skipper Ingress'
+kustomize build ${REPO_ROOT}/test/skipper | kubectl delete --force --wait=false -f -
+
+echo '>>> Deleting Flagger'
+kubectl delete namespace flagger-system --ignore-not-found=true --force --wait=false
+
+echo '>>> Cleanup test namespace'
+kubectl delete namespace test --ignore-not-found=true --force --wait=false
+
+exit 0
diff --git a/test/e2e-skipper-tests.sh b/test/e2e-skipper-tests.sh
new file mode 100755
index 000000000..2af94271f
--- /dev/null
+++ b/test/e2e-skipper-tests.sh
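Review bot: Every command in this script force-deletes against whatever kubectl context is current, including the `flagger-system` namespace and the RBAC objects rendered by `kustomize build`, and nothing checks that the context is the throwaway test cluster. A guard before the first delete would prevent an accidental run against a shared cluster, for example `[[ "$(kubectl config current-context)" == kind-* ]] || { echo 'not a kind context, refusing to clean up'; exit 1; }` (this assumes the CI cluster uses kind's default `kind-<name>` context naming). Separately, `${REPO_ROOT}` is unquoted in the `kustomize build` line, so a checkout path containing spaces splits the argument; `"${REPO_ROOT}/test/skipper"` avoids that. Because the script ends in `exit 0` and has no `errexit`, a failed remote fetch during `kustomize build` leaves the Skipper objects in place without any signal.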
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# This script runs e2e tests for Canary initialization, analysis and promotion
+# Prerequisites: Kubernetes Kind and Skipper ingress controller
+
+set -o errexit
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+echo '>>> Creating test namespace'
+kubectl create namespace test || true
+
+echo '>>> Initialising workload'
+kubectl apply -f ${REPO_ROOT}/test/e2e-workload.yaml
+kubectl apply -f ${REPO_ROOT}/test/e2e-workload-ingress.yaml
+
+echo '>>> Installing load tester'
+kubectl apply -k ${REPO_ROOT}/kustomize/tester
+kubectl -n test rollout status deployment/flagger-loadtester
+
+echo '>>> Create canary CRD'
+kubectl apply -f ${REPO_ROOT}/test/e2e-skipper-canary.yaml
+echo '>>> Waiting for primary to be ready'
+retries=50
+count=0
+ok=false
+until ${ok}; do
+ kubectl -n test get canary/podinfo | grep 'Initialized' && ok=true || ok=false
+ sleep 5
+ count=$(($count + 1))
+ if [[ ${count} -eq ${retries} ]]; then
+ kubectl -n flagger-system logs deployment/flagger
+ echo "No more retries left"
+ exit 1
+ fi
+done
+
+echo '✔ Canary initialization test passed'
+
+echo '>>> Triggering canary deployment'
+kubectl -n test set image deployment/podinfo podinfod=stefanprodan/podinfo:3.1.1
+
+echo '>>> Waiting for canary promotion'
+retries=50
+count=0
+ok=false
+failed=false
+until ${ok}; do
+ kubectl -n test get canary/podinfo | grep 'Failed' && failed=true || failed=false
+ if ${failed}; then
+ kubectl -n flagger-system logs deployment/flagger
+ echo "Canary failed!"
+ exit 1
+ fi
+ kubectl -n test describe deployment/podinfo-primary | grep '3.1.1' && ok=true || ok=false
+ sleep 10
+ kubectl -n flagger-system logs deployment/flagger --tail 1
+ count=$(($count + 1))
+ if [[ ${count} -eq ${retries} ]]; then
+ kubectl -n test describe deployment/podinfo
+ kubectl -n test describe deployment/podinfo-primary
+ kubectl -n flagger-system logs deployment/flagger
+ echo "No more retries left"
+ exit 1
+ fi
+done
+
+echo '>>> Waiting for canary finalization'
+retries=50
+count=0
+ok=false
+until ${ok}; do
+ kubectl -n test get canary/podinfo | grep 'Succeeded' && ok=true || ok=false
+ sleep 5
+ count=$(($count + 1))
+ if [[ ${count} -eq ${retries} ]]; then
+ kubectl -n flagger-system logs deployment/flagger
+ echo "No more retries left"
+ exit 1
+ fi
+done
+
+echo '✔ Canary promotion test passed'
diff --git a/test/e2e-skipper.sh b/test/e2e-skipper.sh
new file mode 100755
index 000000000..f5dbe2a27
--- /dev/null
+++ b/test/e2e-skipper.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -o errexit
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+
+echo '>>> Loading Flagger image'
+kind load docker-image test/flagger:latest
+
+echo '>>> Installing Skipper Ingress, Flagger and Prometheus'
+# use kustomize to avoid compatibility issues:
+# https://github.com/kubernetes-sigs/kustomize/issues/2390
+# Skipper will throw an Prometheus warning which can be ignored:
+# https://github.com/weaveworks/flagger/issues/664
+kustomize build ${REPO_ROOT}/test/skipper | kubectl apply -f -
+
+kubectl rollout status deployment/skipper-ingress -n kube-system
+kubectl rollout status deployment/flagger-prometheus -n flagger-system
+
+kubectl -n flagger-system set image deployment/flagger flagger=test/flagger:latest
+
+kubectl -n flagger-system rollout status deployment/flagger
diff --git a/test/e2e-workload-ingress.yaml b/test/e2e-workload-ingress.yaml
new file mode 100644
index 000000000..b7a2c619b
--- /dev/null
+++ b/test/e2e-workload-ingress.yaml
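Review bot: The promotion check in the second loop, `kubectl -n test describe deployment/podinfo-primary | grep '3.1.1'`, can pass without the primary actually running the new image, because it matches the pattern anywhere in the human-readable `describe` output (annotations, events, replica-set names) and the unescaped dots match any character. Reading the image field directly is stricter: `kubectl -n test get deployment/podinfo-primary -o jsonpath='{.spec.template.spec.containers[*].image}' | grep -F ':3.1.1' && ok=true || ok=false`. The three wait loops also differ only in the pattern and the sleep, so a small `wait_for` helper would keep the retry and log-dump logic in one place.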
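Review bot: In `test/e2e-skipper.sh` the line `kustomize build ${REPO_ROOT}/test/skipper | kubectl apply -f -` runs under `errexit` but without `pipefail`, so the script only sees kubectl's exit status, and a failure of `kustomize build` (which has to fetch the remote Skipper manifests) is not what stops the run. I would change the header to `set -o errexit` plus `set -o pipefail` and quote the path as `"${REPO_ROOT}/test/skipper"`. Since the rendered output includes RBAC objects and is applied to the current context, a short comment such as `# applies cluster-scoped RBAC; run against the kind test cluster only` would help anyone who runs this outside CI.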
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: podinfo-ingress
+ namespace: test
+ labels:
+ app: podinfo
+ annotations:
+ kubernetes.io/ingress.class: skipper
+spec:
+ rules:
+ - host: app.example.com
+ http:
+ paths:
+ - backend:
+ serviceName: podinfo-service
+ servicePort: 80
diff --git a/test/skipper/kustomization.yaml b/test/skipper/kustomization.yaml
new file mode 100644
index 000000000..2417e7f7c
--- /dev/null
+++ b/test/skipper/kustomization.yaml
@@ -0,0 +1,67 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../../kustomize/base/prometheus/
+ - ../../kustomize/base/flagger/
+ - https://raw.githubusercontent.com/zalando/skipper/v0.11.140/docs/kubernetes/deploy/deployment/rbac.yaml
+ - https://raw.githubusercontent.com/zalando/skipper/v0.11.140/docs/kubernetes/deploy/deployment/service.yaml
+ - https://raw.githubusercontent.com/zalando/skipper/v0.11.140/docs/kubernetes/deploy/deployment/deployment.yaml
+ - namespace.yaml
+patchesStrategicMerge:
+ - patch.yaml
+patches:
+ - target:
+ kind: Deployment
+ name: skipper-ingress
+ patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: skipper-ingress
+ spec:
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "9911"
+ prometheus.io/scrape: "true"
+ spec:
+ nodeSelector:
+ $patch: delete
+ affinity:
+ $patch: delete
+ containers:
+ - name: skipper-ingress
+ image: registry.opensource.zalan.do/pathfinder/skipper:latest
+ ports:
+ - name: metrics-port
+ containerPort: 9911
+ resources:
+ $patch: delete
+ readinessProbe:
+ initialDelaySeconds: 5
+ args:
+ - skipper
+ - -default-filters-prepend=enableAccessLog(4,5)
+ - -address=:9999
+ - -disable-metrics-compat
+ - -enable-connection-metrics
+ - -enable-profile
+ - -enable-ratelimits
+ - -experimental-upgrade
+ - -histogram-metric-buckets=.01,1,10,100
+ - -kubernetes-in-cluster
+ - -kubernetes-path-mode=path-prefix
+ - -kubernetes
+ - -lb-healthcheck-interval=3s
+ - -max-audit-body=0
+ - -max-idle-connection-backend=0
+ - -metrics-exp-decay-sample
+ - -metrics-flavour=prometheus
+ - -proxy-preserve-host
+ - -route-backend-metrics
+ - -route-backend-error-counters
+ - -route-response-metrics
+ - -serve-host-metrics
+ - -serve-route-metrics
+ - -whitelisted-healthcheck-cidr=0.0.0.0/0 # kind uses other IP addresse
diff --git a/test/skipper/namespace.yaml b/test/skipper/namespace.yaml
new file mode 100644
index 000000000..1f7400c3b
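Review bot: The Skipper container image in the inline patch is `registry.opensource.zalan.do/pathfinder/skipper:latest`, while the three remote manifests are fetched at `v0.11.140`, so each e2e run pulls whatever image is current and not the release the manifests and the flag list were written for. I would pin the image to the matching release or a digest, e.g. `image: registry.opensource.zalan.do/pathfinder/skipper:<TAG_OR_DIGEST>`, and prefer a commit SHA over the tag in the `raw.githubusercontent.com` URLs, because a tag can be moved after review. `-enable-profile` and `-whitelisted-healthcheck-cidr=0.0.0.0/0` are reasonable on a throwaway kind cluster but deserve a comment such as `# test-only settings: do not copy to a real cluster`. Patch 5/5 touches this file again (one line, per its diffstat); that hunk is not visible here, so part of this may already be addressed.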
--- /dev/null
+++ b/test/skipper/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: flagger-system
diff --git a/test/skipper/patch.yaml b/test/skipper/patch.yaml
new file mode 100644
index 000000000..fa89e85a7
--- /dev/null
+++ b/test/skipper/patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: flagger
+spec:
+ template:
+ spec:
+ containers:
+ - name: flagger
+ args:
+ - -log-level=debug
+ - -mesh-provider=kubernetes
+ - -metrics-server=http://flagger-prometheus:9090
From e09f44df770f8c83b1835e88991d6fe000cf917b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Hohenga=C3=9Fner?= <34940716+dhohengassner@users.noreply.github.com> Date: Fri, 14 Aug 2020 17:35:53 +0200 Subject: [PATCH 5/5] =?UTF-8?q?=F0=9F=93=9D=20add=20documentation=20about?= =?UTF-8?q?=20Skipper=20Ingress=20(#15)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Skipper Ingress Controller support is added with https://github.com/weaveworks/flagger/pull/670. This commit add the documentation and links to mention Skipper is now an available option. Currently only Canary deployments are supported. --- .gitbook.yaml | 1 + README.md | 27 +- charts/flagger/README.md | 2 +- cmd/flagger/main.go | 2 +- docs/diagrams/flagger-skipper-overview.png | Bin 0 -> 48083 bytes docs/gitbook/README.md | 3 +- docs/gitbook/SUMMARY.md | 1 + .../install/flagger-install-on-kubernetes.md | 5 +- .../tutorials/skipper-progressive-delivery.md | 383 ++++++++++++++++++ docs/gitbook/usage/deployment-strategies.md | 2 +- kustomize/README.md | 4 +- test/README.md | 1 - test/local/e2e-skipper.sh | 18 + test/skipper/kustomization.yaml | 2 +- test/skipper/patch.yaml | 2 +- 15 files changed, 429 insertions(+), 24 deletions(-) create mode 100644 docs/diagrams/flagger-skipper-overview.png create mode 100644 docs/gitbook/tutorials/skipper-progressive-delivery.md create mode 100755 test/local/e2e-skipper.sh
diff --git a/.gitbook.yaml b/.gitbook.yaml index bdd2977aa..1d974eca0 100644 --- a/.gitbook.yaml +++ b/.gitbook.yaml @@ -10,4 +10,5 @@ redirects: usage/contour-progressive-delivery: tutorials/contour-progressive-delivery.md usage/gloo-progressive-delivery: tutorials/gloo-progressive-delivery.md usage/nginx-progressive-delivery: tutorials/nginx-progressive-delivery.md + usage/skipper-progressive-delivery: tutorials/skipper-progressive-delivery.md usage/crossover-progressive-delivery: tutorials/crossover-progressive-delivery.md diff --git a/README.md b/README.md index 4c1a237e3..3c4801ed7 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ by gradually shifting traffic to the new version while measuring metrics and run ![flagger-overview](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/diagrams/flagger-canary-overview.png) Flagger implements several deployment strategies (Canary releases, A/B testing, Blue/Green mirroring) -using a service mesh (App Mesh, Istio, Linkerd) or an ingress controller (Contour, Gloo, NGINX) for traffic routing. +using a service mesh (App Mesh, Istio, Linkerd) or an ingress controller (Contour, Gloo, NGINX, Skipper) for traffic routing. For release analysis, Flagger can query Prometheus, Datadog or CloudWatch and for alerting it uses Slack, MS Teams, Discord and Rocket. @@ -37,6 +37,7 @@ Flagger documentation can be found at [docs.flagger.app](https://docs.flagger.ap * [Contour](https://docs.flagger.app/tutorials/contour-progressive-delivery) * [Gloo](https://docs.flagger.app/tutorials/gloo-progressive-delivery) * [NGINX Ingress](https://docs.flagger.app/tutorials/nginx-progressive-delivery) + * [Skipper](https://docs.flagger.app/tutorials/skipper-progressive-delivery) * [Kubernetes Blue/Green](https://docs.flagger.app/tutorials/kubernetes-blue-green) ### Who is using Flagger 
@@ -71,7 +72,7 @@ metadata: namespace: test spec: # service mesh provider (optional) - # can be: kubernetes, istio, linkerd, appmesh, nginx, contour, gloo, supergloo + # can be: kubernetes, istio, linkerd, appmesh, nginx, skipper, contour, gloo, supergloo provider: istio # deployment reference targetRef: 
@@ -180,17 +181,17 @@ For more details on how the canary analysis and promotion works please [read the ### Features -| Feature | Istio | Linkerd | App Mesh | NGINX | Gloo | Contour | CNI | -| -------------------------------------------- | ------------------ | ------------------ |------------------ |------------------ |------------------ |------------------ |------------------ | -| Canary deployments (weighted traffic) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | -| A/B testing (headers and cookies routing) | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_minus_sign: | -| Blue/Green deployments (traffic switch) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Webhooks (acceptance/load testing) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Manual gating (approve/pause/resume) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Request success rate check (L7 metric) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | -| Request duration check (L7 metric) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | -| Custom metric checks | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Traffic policy, CORS, retries and timeouts | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: | 
:heavy_minus_sign: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_minus_sign: | +| Feature | Istio | Linkerd | App Mesh | NGINX | Skipper | Gloo | Contour | CNI | +| ------------------------------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | +| Canary deployments (weighted traffic) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | +| A/B testing (headers and cookies routing) | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_minus_sign: | +| Blue/Green deployments (traffic switch) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_check_mark: | +| Webhooks (acceptance/load testing) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Manual gating (approve/pause/resume) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Request success rate check (L7 metric) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | +| Request duration check (L7 metric) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_minus_sign: | +| Custom metric checks | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | 
:heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Traffic policy, CORS, retries and timeouts | :heavy_check_mark: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_minus_sign: | :heavy_check_mark: | :heavy_minus_sign: | ### Roadmap diff --git a/charts/flagger/README.md b/charts/flagger/README.md index c2476ecae..fa5589aeb 100644 --- a/charts/flagger/README.md +++ b/charts/flagger/README.md @@ -7,7 +7,7 @@ Flagger can run automated application analysis, testing, promotion and rollback * A/B Testing (HTTP headers and cookies traffic routing) * Blue/Green (traffic switching and mirroring) -Flagger works with service mesh solutions (Istio, Linkerd, AWS App Mesh) and with Kubernetes ingress controllers (NGINX, Gloo, Contour). +Flagger works with service mesh solutions (Istio, Linkerd, AWS App Mesh) and with Kubernetes ingress controllers (NGINX, Skipper, Gloo, Contour). Flagger can be configured to send alerts to various chat platforms such as Slack, Microsoft Teams, Discord and Rocket. ## Prerequisites diff --git a/cmd/flagger/main.go b/cmd/flagger/main.go index 540179a80..0ce5c76ce 100644 --- a/cmd/flagger/main.go +++ b/cmd/flagger/main.go 
@@ -78,7 +78,7 @@ func init() { flag.BoolVar(&zapReplaceGlobals, "zap-replace-globals", false, "Whether to change the logging level of the global zap logger.") flag.StringVar(&zapEncoding, "zap-encoding", "json", "Zap logger encoding.") flag.StringVar(&namespace, "namespace", "", "Namespace that flagger would watch canary object.") - flag.StringVar(&meshProvider, "mesh-provider", "istio", "Service mesh provider, can be istio, linkerd, appmesh, contour, gloo or nginx.") + flag.StringVar(&meshProvider, "mesh-provider", "istio", "Service mesh provider, can be istio, linkerd, appmesh, contour, gloo, nginx or skipper.") flag.StringVar(&selectorLabels, "selector-labels", "app,name,app.kubernetes.io/name", "List of pod labels that Flagger uses to create pod selectors.") flag.StringVar(&ingressAnnotationsPrefix, "ingress-annotations-prefix", "nginx.ingress.kubernetes.io", "Annotations prefix for NGINX ingresses.") flag.StringVar(&ingressClass, "ingress-class", "", "Ingress class used for annotating HTTPProxy objects.") 
diff --git a/docs/diagrams/flagger-skipper-overview.png b/docs/diagrams/flagger-skipper-overview.png new file mode 100644 index 0000000000000000000000000000000000000000..e2f18aec403a461d2e8e2d29d753b25c0f0b8206 GIT binary patch literal 48083 zcmbTd1yGz_6DEoU26qSq8zi{9!!T%YcXxNUz~FAdAy{yS;DG?aodAL0A-EGfgdNED z{rhk2y<2-PRSeY2Io(go>G!k{rK~88jzWwA0|SFDD+5-AfdN2ZU=R=h@X#kb9|~W= zz+fKws%yKens`w-yE<9g*jrGz`#4)rSa{o5!oYYhRcG3HzT!`odNjjtMCgRq#=rvP z%nD}woQ$I`Nj`M#SQaiUp-#z^p&(m>$GGZ#Y~KjFDfjuMoEC0jm~@`0+n4!>Sh8nI~FU;k)vauC6akI=hE|2v6OkA_fLV zi!QF^*QRXw2j(hW3QsjHWQ#=j=k5n$7N4Nzmv;so>@*o7J(7IN#VT|s#$@2vlchQ5 zO}|DPIq*6YyvdgP+5Rhsp5_Hcn}1bWu)p5wAp1Zq>>a^Yg4f32?&wYIbj$kA<)^~m zSfhWEn*UrI6<_t;p5OldefjyPo7C++A>{X;rkv}OE~{m`+PUhbDC;1tuegW5*wF|b zL56wX1z0y)&J6PwwzxN=c25zORv5vv`^ZG%Hm{%ORwR?B z6SGr($GE~|@lFEKZQB0r*STcTo#ecoi5;ITL?w}^H*ThN{mk9|VL{hF^E-RH_JML_ z@yaqdlR*X3%7;1DytYKbgi z5>RcPt|*@8E|GnJ#BN)sr-$c0m47?O?q{9%lxfwM%NS0+Q@!GP;Lu{!_G6+$r15HEU#V7fNY~ej zSv2$fV2jf(2c42!f;u8)o1e<8?KKBW9xRH0-^8X&v*l#Y4%39ZTGJSH_Ri~^Eh4J0 zIaNpAfbHYjv4^70FrGgutLG;ighC#Vl97U~ zE=>o%y4=^9y~=WwaLf%ULzrqLqAZ?GG^FNsxRES&@044H-!T?xpd4Mp+jFK27R1G@VLq^iX=sJB6P0HAO|q9ez8ld1QJzBX zP+gPBORjP+1sA1lYRH1cohJR9qBaf-$ZW=$=VXK8bQspI*51L0y@g|oAsBQpY1Z5R zq}Ny(^3YefZ}+p-{UTedvw|v*gITbiFM3FC{$y39G^L)@T00q4MQA*OSvzf+7?T&)cd;6t_FRo zKLV-0`M|O8D=A1O5Ps1%_@H#df-z@84#FCqzFUq<>@QU#lpI*+A!yJ9U!bER} zc7iqCOn3-!qsln&X&%Ao3jtf^q*jhgP40|cylD_M3T~;1WrE#WUVDq6i%wE6 zyBe36fHD?iX9JV9P=_9|PC23xs!ZI+=rJ8nkyv*DQfh&YaYg5u&W@Yv>O)*4LOW6$ zgl#hEMuqFkeqFoyz%d>gG=99=o)@VZE#E$ticA%mKYE_o)3Pr3)w0HQ?E8EhzpaXO zA=Y>K>d23$QthJnHlE2aGQ72H?eOv;bqrfq8?-+r#>my1obS4LG}pPlrVA6#(r>d8 zuVu=NP7~|E+V8?4P!oID1~4|x>LAwDGOqKivoASPs2DWFzi2x61(Vi+xo^wlt2w&Y zVO?MBY_wK+Iduo@KI5TC0txY+D};S9KHM+YW1hUw5+mXGeL_R2Oy3_^RyNybms^z1 z(KP0%&bgJ%kH=5VA7azwzZg&LURQfEh$kY`4noOlIOo2yhRp#o55L87i?SJa= zc`G0O&C)b=9GBgmUYfquJG@9&TF#eUsCkvIK_DHncALke5CUbKK{7{DWaD2YDmg%f zP>BqWPjl0A`T$ni!vZj;)@B<2tPLry)YsVtmHvgvUH#Q6K<%_+gtI?CfIehQ8bMdJ) 
zI_6aQBm5j!Z30R>M7y?u%*Hyz{&ZzzJM&eA^X4cU3}vcOaB`9=kdt z$Gojte3&E>qu20$Dj_bRV zo#%Y(7QTBiA5H+d(#S_8`y@Dy9!`exiJ+E>tuq~csfY};mNx%FBQY+34O z#QED26_16UN=_U$IU2d%fdMsKX?0^3v@B$FFpgB8-Yn~S8QgMM>V5#`Kxqy`$?4l= zcokt2x5%CZZ!FWph}dbm;KQI&#FQb7KVh$u5`ew^DJrt4Q&6VelTYU6-3x&)exgdj zL1OlfjZ6-MUu73k(6^^EJAWeHsoBlJ64;BDvMoqe^dMK1B}?!ST+ zLl;z3Au52llU?Z@_r?dr*TftXTxezUE9_g528<=~o@C+ejXojz!M9OvxyGDR*~XwG zd&SjUI`6d~1;?4y%EUJ>PLVy`>yPh+)h+IYeCu#m&F~&$W#<97k}~67^y||L7nsCTVj|JTasFMo=APdSPNSFH$b^0>PRK{MOLS7d?+lCSCWl*TLJ9&AiZe zHRgmT6n3a_{7l+Dp)VW7Ro+e@rHaVl=3kgn_6Tae<+cvF419YkvbjOfyp% z+7o&Y6WQcv?f8{K0o`CZ3daI@>BW+pev!Y5+GyO`!MKeFZufGhB`1TJI0j|yd!G}g zU!Gy-E!CV9y2V>+1l8q!t#TIK;o`oqGv6`RHIaR?OZyV|FXLP6INJvbmnq6Y*7H)~ zJp*HGq_y}nmDJ^eikg8=IHS> zI4QDeA(O2MNvaq67$g0zw(LYfUfh{_g8$X=NfG;K~t`z|b_xdNCmurvpo}%+!Ri zjM{GHQN$Z6UdHQ`#2C$MUx7yXfh8al?|aN_)7TtksKTT!BBUux67fe9>mJv21V`Y=Vn__;wV+Pm=8yK7=R zud}-zm{SWta=vW(>pR5`BiZYM<SIh+BKV*IrNA5=J5$XD{Akn58(YmpQGk zdGD#UM5#;9%kFTq!oAnro~Un#7n%`YKtR0!NzhwAi3a=C_Y8QkuxLdsNOodeNsZHW zSON^2#P7hw@JtT%?-j9?+H2rnW=QAIY;CX=Cr*JlF)pMS(WbBsn|ppv4YK5E z9GQ5Y&{p0U5JqR;n0%0E%xowwYo>yuu*rwP|) zpLNQ%+#uYq5|u$N@ZMY6O>KALPtA*k6Bir42(nC?ABxtli(qdE^K=(bRejX z6qB7nPdp!OR-yH?r(5CF*4%}8unV;rmOKN|1%HX7frQ|U+2RlW@yI76;R3-jICS@z z6HIR2k8{d0xo#&bV!n}OFUno&yFX zXy9c!;`tLyZIvZu+EZqx!-|P8I6wJOIQF>(IZP{GAbG&bZ$&6hG}fC1(QlnvCEvN7 z>?QRZ;k#I~M21=Y;rN-*tv{)qm$ws{@cK{nP5kGK<|7gqxX<_AovhJ_Qlxnq#oGce z$Haz~&J{xTAW^G5Yj`ip*GmoeRO|}`>gYe81+dJ33+vfY#Hx=c*gU2<#U=1sPK*U! zpvt_-ci`#(qWE7Y5+Cr&qmT&Y1N63gn>ej=l?z*C`d>Cmr}CEw$Tg$N3WEo;l)Jyt z*^}O-mAtjaKSP&$dDYG#+j?zGi->{}ARnHHdt5X9kZs6ij;0nO5I8f zsqlx)IWS~%7OyVGrvjRkZlszmLJiYi7%&0| z3#aI$W#(3_51XcXsGr?fg_01&6NQ|2fs$Vl*iy>jzQL>fC?Bu>!c!pV2eUYbV~qK7 z44aT)#>3J>7w{DgI~Vg-fAJZ z*^#dJ&0f1fc&wpZazUsk-b8HiAR!v@+sNlYlxX*R&E;hFe1f=?k%V;YRS?bG?$4>a zbbS~Y*f1Lj31wLciGTBcXttjdkR&YACr0wcNUub)0>cvvdrXRi|VzZ>R*F;sbwCL;_>w#=h==*^wvDJTS?PPE3VH@0at7^oBFhPLcZ? 
z<$0Ml(Kq)L-t2TLk(fxz0!3)aICn$(6ZF#!0)OZ`f1Bi_k`mxnA^{ShI54%aGZHhL z;kl@*aF1MD>1*;ixoD1R%y-fTnedfXGr8q%Q{ZU#`ql z>~0x7jJH#M>Ar~}gYEj>^Tp#$%60H4>HA07bhP0lIIf3Vq0>OAwbU1Pj&EzYTUxe7 z6v>0RJkmO0F)-dH!CBP$bqao6{oZYr_3!{={oS=lYVMo?T90v3mRFa&xVX^M(?f{i z*aopPnr6n-&kj5<$Dx=2{-oG+t*uB zQyTI%h@-|$+H0Gm=VWH%X1|CkLy9gPB^TLk}CR_+I?* zIU6WzWM>&2Hy9XH+^26?n5>+a(1%FwvI>$&TL26I`KxasI%qI36fn?aQr&y$Fc&qY zP+;L>!K!!!DNY$>>Q6P>AN~)IK|iE%FvQQ$qJ0hgCgod7^K7&lkE@pLXtd#=^g4rs zonWCqDL~K<80@DhOlK8v$ znZ#ep|J&mK@BID?-2V@L{{`;Q4INb5>-7B=beojw;x7?@ zXKiZ{zjMKQ2mAC_>A!z1YaJ2rN&EmSFLU{zp>Y-EAx4LV(uny2s%jx5qJ1%Bjy|^; zrT2Xy%E4_Ba8Nn&-04+JKvLeO$Mots0}!||K0GLzQxf+~M5ciJT>oB53OwVF1yG#? z?-(;jo|=QPu~FE*D?@eJlTt%fPjS{sc^S#4g#04I;u!+}7LCu2c_1Y^c6cDT>{xkC>ZUn#`m>-hg{^F$}Qn2|kii*SEE3k1CQyRd{# z%CIX*#?kVBKAWUL8)TtqMEI0etPB-}?yo3h+;ChzwAxx<^No>j+^O) zbUs!s9ES^4Z@cGkL3HcLurRG@(y=h(wk;!qLAF!9wwd#+Ks^Ln^Vxk)s{bY`?2l?|Rm@{@vt<-WIVveDIJD)Xb)7 z+j%1dguvxt!36uY4FaY#)*f?A*VH$Mg~^YeH#lRz2)=Jy1Yq&{Sh=YOhz<#dEMF|< zVS!+k08o!2+mxabOYwS_{jk_+<~E5T(Szg%0=y6cKAHK3*fj!{Lc|1yj|V|H>QVi# zlu%Ytk3YMu$soEMw>I zb%77ut}MU)du)z~U6DJkx|R{^bp|>{4YJO-7{IT7CaKRz6fez#`U5Dzo5-17bQ%4I z)QAQU-pa(=7%U;^VK&g`g3HjyHkyw1QP^fr$O1#m4KF3auB*h@;W{Pg04d+}ekj^n z$lS?NA}9f1{0Rx;U|wHTX_;A&sa24#;hVBt``qgs(^hz`8wde80bzLnmk#GIv{C<) zx_o_`CE2z{=3q^bG$GJOw9S0=Q?!g*?pE&wiY7T@wb~jtR2hYZZQ?YluSdRrEq9zA zR=-TkP;Pw#`PS0@=GVjZP*?8U_u310F-Wo8=vAH}SL@4is*->&`(fvK!R4QHXI3Z= z`^MMa#}g+pP{lc2e%M5Y4L;dKA@AX)w;jDwjAH>M|H)D#l>C7=mFZSBqN@a% zgIAj!dv&W+?l|OcW}7#MxbXY^?dzQ4-gB0`L?TFU0e~Ijz4eW-Tr9WDyuy@=yYOY-Npx9ADs6LNioAB)@lQ>D>Sa`6$&rRRe0R*I9Sg`z_nc9L zwEiKkj(NRT{Q5_#D&e970R-~`G6uxMkd!g#C-zOiDJ4enQrnHediAno!b3+;FYXXfj>i_dCZ_Lya@wW!M+!gDw~*tjM)Up?)89zJTx2wN`>$Ze z=kC`ZV>aqm|5l=P`7l2^p?vl6NP##StcER1j49q+SFKf1p%8H>hxg*XzfInxA_z}9L==aIr(uP5q`)^Tay`htm6O|B-xn_f*`E)d}Xt> zFOyRE>VcXf()$4i=Q3F#{hKW|Wrt?=)Cb%-g(8_oddsNJC|Yxj0%vMa@#ru36P1~x zyy9kcnT~epjp2o5VbQ(YnD+73!no9BT=t3!@Xlpu;m6bl<0tmq`fPCD#u`qT4ZlZa 
zYRK{5HW<(ZHt+4!JmBvg=OJb`aJri7dUr56)F{{BBu51T*FNA)M`6`+ZAvfxkkIQFZbpo4>PuHNL8MKa zaO(Vm)N`*$L2}$d5dv^RDYaWc@7k9Z`BEHpeF_<)#8Zq)e0x2#@P0(Nf&dt3d~;dL zb-MazqLt}jM2eBo*UW~p)FP&)b*3NS27R-zxO@f}U&u~E%Yq#ESMzXns~JkXj=7yn zC-ZO9eGfNVf)4MgKO|~Keq}~!C{N`5+D3EWno&kRzm1X}|5atb&QFN@Cv-uEvbVY5 zYf}G&INFwxZZ674F5Je$?77y{uFa{*}k z0|TC4G83<0<@W*crSja|Ka3YDtGrNu));W|k>Ru7wQ_j8N86wAwfP|BgMgHVW%8X) zol!v1eo#BTXXC&>pVpkLz?lwozN95^N_P95y|9H;?e05!TxMUF>#8E5pc-;L(Digq z3g>Su;d4T$yC{zzl&?;}namHh?c#>{<&-snM@bN_eHi65Lpv;E{w8%Y0S}mF#_&QXX6zSqNXBZqqtM5)^udu){7WXsXz*I+pYB z+}E@tRq`9Dr){%r0q&w;4-3D&ze)hMDXtoU&0@TFOD!2q)ELGXt5)EYZp{E~4o zIc(Q;nMe=IjEbMy{u~`aiQ*xw=h2n!YD_ri3cE+-5Oq|RnMF7_a)pM8^30lUZ25Hv zG(U)_0TR|kX8)M0eYL)#jl-MEZG6-s(J#m=aN+&XL1X|yXkSQpHJ=IgXqo41zE8vI zpvJ(ov_k9^jFf5$ZS@=M4+^2Bp4z()gPM65CumjrQCM#ID*921hmv}zqX(eYtyd8f z?v{on3bs9Brv{nNcHhg;75i@MkU?*dn9lP6k6oxHD;OMv0V9PT-e z4?Cr5$qW(*I5(%qbxoZB)jtxS6+#`dDfhQj8-qwk%2|;} z#!8NX-AeUMm*`xlz_}5il0u^B?L^0i%<%|%zVC13VE5FxMa&L-+Up_dM5w-o*V(7= z`4X9sju|0CY4pT#nE?deAm_Q*RJNv;;d-op&IN+qq=Gk^D;1a>3<7xTB2VJ&*3fBd z&nD~q>ki=D@ zc-|WvDgN^ObHrBh16NuzGLhdK)UFzt1|%my;f=zw&@+hEfrRW+552+zJ<0lwd&_=X z2b0x+H)5x3Nou)W?Sk!s>CqUaZOTvx)%{MTz_|mEw0T+Z-XEER1Dd&HBwS&YkKi&F zZQ5@y>JJH3cIjO>b~51|YCgCvL-+AJA!I}VZtIk>@LS9u)u9(FP&GD`(d|;vMl5!Z zP#|xPkEgH*SIvKgVL~Rf4zHc>z2eQRc*uZ8;?FZo-USiG*4G2=+PKiF1efiEC6wkK=e;1;h5x|5N)+>|k@stPiTc+?w zrF$y2Hnrq%!I3ZpX?0w-lL>lwlkK zJXJM}F)XmuLJ6B0J=%nv5ME}WPpAIqxU8+57|ad`h~EFueTRM}QF}H<{QD4ha&#L) z@*yPwGi-6N7xG-kSx6UmZ2=#BpvdKh>+dM2+L-Tn6*Lk0M%7VFBRfT3j(Ebb!#nEL zS#w?@6(B4D<0)nBY)6~X#qOBszUTugRs}ui`UM#7*E|;7+BXW(&68IJ?v47F({2Gk z8$}XNwVPU|(4h}#n=CTpgQXD?{SP5`8;PSIK7VF0Kfr6&^WCfX^y3$5tk<6BPDurL zr-C0vqj+0gJ&o4J%_~4Hi#EzHRay3!JeNVeCZ#}&&HcrN`|lr`R>#ObrOMvd+E4Fy za+w@&i$oOW4!fb-(T(k`{pJZa$E1#HM=!lc#|$u={#&E?jyv=|<#I}{)QWPuh^Vqa z)Qfo}tgwQQyo=INLxJimMznZdN*?(HNVUqoQX$KJBQ4&bReHQtAp&SEr3b0d*CH{x z7@xWn6V0XE>Km$Y2bWojuV$CV`KNKs4$eu>>$q%h_iyjBn+hCkRRTAYBvTA#wu`1L zDw^z#C}P1U_^uaAHXSzP;byggJAc7n`~@Gu-=ug=sJ&uU8V7U9#K8V_rp}eNwC37_ 
zJ7A5qrdHEqa}ljNa3zz9ik7Uye$JvJFU`R43`a?_z#`X7ZchYfJXbP#=ZYrz4`Ufm z?u)`Z=U>p8@-?JWg|5?w30fiwR$>ax`P7ih1IJZvHI<~ThrYnm=RKI*#uKR!(0*^c zsiTnUt*!=Sl}zE0OY?Qe{=%$rJ#?>+Z_K;?}Bwe&rO=;QaVg6w4PEKH1d4r7Ice6abwB7JeR+CEPs(oZx zfI1FOCip9+mO+|u`N=^yD4@3LV#&(~v`Y7{qJPVrh)(E9?u<~3HcACw#P^G?m{?@@ zooTSp=kA5S6g_L&dtZ|@>X^AtOXjjmXHU?tON(?-)u|jh+wn6;-X=CTVtwuNM}?Z!k%P*$P==MbI!%VrOx9aRo|njNH71avdPa< zobDlKh%5`0Ld$5HyuP;T%kk>!zuI<@IB8C>r8U`&K6~MD$|Y@mxacozIlivtX@4hR2ofB4A^sOiJoO3 zQBw*zvjnEoZZU&4R?MJq{zdoPt z4DW&T{*_jDV5tOqs`p{9SK&%V%NYb((fa2I_|PSG4mB{j&c#x8{6u;@3%+6|TdUh}Q)R<=lbx5)Fri<|7qm+8uU9e67fXe_ zJkJ9}sd=avEUP274FH^HlB_YrNRK}?m1a4FZ`&%SdoQ;)qGsh+zXJkg-Mtx^JlR%8G+=CVFl4BXDzD?VQ}F5cNnZ%*e#;67w| zmitX*?Zp#hvYkP~<|VV=Ivz&S9Tr&0y5(g~B;X`Cd?yJqzxVS2ZIh#%kfA=6f-WQF zLSNDpG>qx<7moQShX;CWfyt5xKQv+LOVo7pTq&8gyjfPuEY&?2xc`B>R{BQh$mZ}8 z?s6bLvMIpVM3gBWM~PUGlX|O52-t}Ek593|pEJ3sQjW-D_eUqTjx|s!c^Hrqm7q0r z&H$zaaIPO{j-$>p9UYb#7f-(QN6}8M^foIWnO?G;4Y|QrsOPpdS&!Vb=X-ai<7iVe}}sN&q>J647F56JZr`(Dams zdZf1=8p;l!`B;2EBkrVoQF-1w?-|!ZoAQ$#M2ahV`|B2>qrMgv&5- ze{%D5aY4yObkmlq=RMUK!b?pKrD)Yu^awSUl*4s%@a)^dI4a z%l*Htrhh}DLmi)NmTN-E$|Y_T!WqxO64oW!+D*_#*B3?uoqE`Z%2U-UMroLA9Cw2;nGQTWVKQxQB{P0`;}n_uDHn;s;p zG~_R_G5&nIJGbuE=6GZ2FOBJJnL+Q~6krg@xde`yct|XpB3P3~@iGPHCws5v@cw#k zUO=zx`4W437}CVgm>cac!^<`grOCm_UJC=o)mA9$>-LHI0VMul%}8i;3~S| zwhqu{C3oLbx$Kn|3y-b;CrEbl_CFnm(|H7&C4Cpl?vr`PAp~J;4)x>KA9d}(TQ&Jl znpDmH#k3IR9$e_n(c36B7Y%3I;f(4OEZvRAK@A$94_&rLXcfM!yLnLlw}Wx|Q6sU8 zNLrJaCh2Ot%w#@0x*}e3$N=htwgrB7M75K`>`^;r!q1%*FrX*f7EADgiYW`ZT+_3^ zOI2n+CNY%w=s|5sx-wCV{^w!PaZvII?Z1ta;FkU}OimMduEybHL;8Ms>G6k#2tMc? 
ztG?o+g+j< zZPnn-9Lz8)3SEDuKZ+<0VHEwhg|lAiY38crlriy=QA)K|or4KPCQ#*gLk!326g9Nt z0^G^H*?R7ZB?7QBzh|@SaamlzS09m$Z$a;+sq}6v53C>1tW4x-@I(ZjYUERfn4Q(> ze3gSu2Z~`Y&Gv)E9U$~a(!0n?Wf2FFBRXK3g45~etEuPsUYoK5O}|Wh51JhF7>JH- zoKu>ya1gVy2tibB8#}ENlbrOaWoP|{cvVK-Ox2@t7@`8q9P`LP#{+$!3+2Oyke@a0 z`m?ym()l|-OUrDVT8+wGix63XO8yaUGZATf*1MSg2yeqG0??PKKZqQr^nAr_qU(5p z+h0zEo7~bkYUcGsP(F69;_2igdIzTc9{>RqtCVr|b=AfV=$ zi4bo6Y;M6BKU4niECAO1zWmp~y?rk!LYIH{NH9e3zi9%WZz2jSDVDz^ATosEH>y^*1s@eQh|b^fSsJC~32Vg;_G5SpEdH}$ zN}JE;*J0(fnJO|kDEY6RG{YwuxZm0Cf>|lZ9D&!!VU*&z?cz>aaQfm|!DdMtf9Sf{ zkA+=0?ozLCQPd?=NYEO*8dD*$q9j+bC=#OVllvu)um)o*$=(nuSx_Y&=&~M|{IQ z+lmM2MGAlF{35bkC&|yGr;FRV)4|i|yihXqPXH@JY$x7A4XyvAn)MO5;bOI=$p90Y zcMT&V+Z2tFMz{~E8uP>Hd!4l_klw-P-foR)Z{L2+?Y^$YBJIusq#GyqlOzRHd3aCC zYu%Q<)3AWvagCvF>-=S()7OFs0XlpUi51Lhao4vGZQwuUl4g0%+N98Vji*IJDHxUT z(CG^(M&GSe@#hx*%y7d~s*9--37x6Wd&p!s{c)^HV)d^4wKq-)Y zLB`xjjkxc_Dz?cxSPmc=2G@rnC>PO%LMKMHfHOjMKNG06Z2ZYgJmf$^FiiZ`*p=h)`KvdFzw+rC!WX zj;Gq%Ql6HSMREY3+>al6NAASlovlPJ^XcrN20KBXb>qrw*=vR+8atD$3h)O;KR-JU zMks&hawdaCdTIdpE8GgTN@~JuaeYaIATob+c^f1s0xHxt7n;b+vIbF%HP~n6Z3S*3 z11g$W-`H>F{N>m~$&yC^ z_d-M~_>5dmD=4iMg^U+}43ivFR z%b+6}E`v(!P_Gq(EGrR9-t7@15V>v`B)lNr!e;>Y-^Mi#WXxbdl@$S&!RZbOM!DMS z*Q69T1e3jM*){XiCJiBm`sX!HDeE+aWe+#Q76Q(j{ZV^h$pb^B|x4qL3*iWn3kLqpEo!;lr4IsqsQAuz*cdNL=Qc_c?M*7=C4 z43Qz{ZR)eMGM^sf{zhaF!RGcjVWp1I)I zq?ZU2l6x5s1c9xTB_Ycqbj5t9kiQy~qKu<_3&>=q@&?5M zY>FdhP*l#!Xd%z`7}yNUW{2h2iuUqHP>QrhN~CB> z;0FrfA_UES!Ai2LD#wKW_rr5Yq2kE?kkR+K9PKTK&@pm3M4ASqZrkC;hz+9Og6470 zE^Y3Me(vj@iX}O!A_Sz=0u{G4?NcdmHG+<>{()%73<{}y^oIHT>*|h_{PS$$j!lJx zAdDfM`cPLMRuWqYDbyBg%7CaJLNkzQx;(5RQ1VvLBgzh%%J?;Az*KMzboEGH@h&7{CluHt#?&F2#9TwOG-2*B*GE5KR!1>3Q7m zC?{C)5(>_Y08~g9X@zFeMDhjKbRQ!PFdY3=2CL+Jry`MWm>`CUsj#d{MEmQDOkNz| zT+3Lhc%(G+sC3p~oy+tc)mqRh16w$vX{oUuPl6s98{{jws;OoE=;J4A&J?K+U?wxz zh$uq4J!1_%(O5dJ&yiq&0Qflt1-O6R9lnN6xy3VZ3W-$Tdwi%JYp9ZUr3IbujH5=y z$aysxF-{WbaL|Dc&8+A_T+hdiqaC24a-PaC6eQAppa%wwPDTg;EiY)4%vHiouAmT5 zbJ5u8F1he28@}}3OM_!1-BlrD9=b#>0BB68mmE?RD!^*EJxN@-d_6Ctiq@v&&vy{P 
z0-_Siq2l^|JsFv#EP$Il-=@zMpwChrMP65e5xOWxr z+Lqp>LQ15#Hpmk?N=a#smp7H+S0(=E{^UBmzT9Xn(Yb@RSZ-`swC~ZP8iqZCW2ieQ zjgG!~nnI4|Rt+2py*W406@3C=b3_-jF}H`cQ6)qRO~mZ85);TiC$j5M%g-^l1?-q|*oS2K-GSMuzB62Z3 z-%CV4;(zo{6jFcyipX5C^Ra+&h-Z>AGSMj&i<2sGLe=|O}(r{4L2AiupH4zFriA!}BqL%24h6wK8qx7Xc|4@PNI zDMCs$P;VVd?Vo3LubH{gh7?PxeLn>cQO;iFWEWpG5qH%`9u~=qg9jB|m?$llDJ!Z( zY#ntoM9kkp>lawS3j$!2_gnhQd32(J?k?7iV}9UA_JOa+y}A&t?zEC}hF$OhV{Ca* zv0Enp1FjT@Q&=RlO@_D^l~{Ig%$!viVVzGnpO^ta$6C!9qS>0I` zc`7l9o_Y-K*&4A3pBi^UsfXGA_Ng15-VLdZNyTr#Da^0(+Z+}^Llq<_( z^E5F~qcvCj8vYFQf6iBLq=gQFz9m{yOJj4kfywr1g0GEOj~%$XBL+`ZG4r?M8J*4Dx!xpjJK5I z0&CckNn)@Tqp=(wfFC5ayhRo`csM70KkBI|XUakTQf;NA4(eU>=q`#(WYq#C1d5m3smYF%j0qnlN)@2OTQ0gg*nc5#-DnYD`AVcuj$-I>2)Axh& zbfBkcLrQaXY*l92*}>PrhkxN_sEUAx;sYcVqO1j+(ijUU=B&KX(R~MQOq5KC~d5Mk=>D z(v;z4JW)vM&(zW(NKKHZ7$ifqe+t_6#|9QUOgqd;k}O61T*<(i{bsh4@TAWhZ*0oI zTKiT~3&Gc#Du2e`y0_4R(}q9d0y(B7fiZt9V`s^>>oVyjWwx3(5IuXOe<0gPHFO*i zDnXhaT4y{)G6uOMhW1zW)r^NbY^*({h@b`bU?oD}<`Qz*s7q}5o)@{PS1m1gsBoTK zpyi%@m}hZ+AaNfJI3l2uHt#wjVICVo*B*5=fLiz){*a--q%`5SZ^ZVMEwQKBcRLeP z2HN&OT~6D%?2PEAVbT;ynNz>Z(|VU}h<^wDmWtMXH#j>vk|zsHd<0CPrjNz3`CVvJ z6GESKwfizHYp;4vtEM#TBW3^LLdKHR$zg^}roy{{X4}bl`U@_s?L_@j;juRFFclRW z9M8Xgo6!Z3J#m^6)>xIP6_vPt*JmbAzf}ppr>GQ}Sh6F>-3Y2M;uvdCr43u%Hp!q3 zTTAvUB=U;IiJ~{mNHLT1vsF;r-UUZyjxEY*%%w^1 zFED*c9e{S|oY*D1o-e|4+^LGX%6 zbTepK;2rus5SeJ#=A{_PwiWiy61Rv>u6mS>(W3B;4rF*b(lhD9XZei$f8rxMBk(L2 z8p48FcskM26az!Qf3hVDa0!j|Ee_zR1xI)?fL{+Js|38Z&>oX=?u__nn~LO6Zq;Ll z&#%E_6ZCV1(CY#~9 zG2x?Mr!l~8N-0PVFbd-;?^r}|AR5cYTv{d7LghE3+z<5nxQ2qv6-P!Y0i~VS;B&eW zOt1_C)kAML_FvP9K@biekF)zf{duT9eq5>k;rGd%c&|1pnKe!eF(Wyc+>uW%5I@c2I9 zZ9cPpTLF%&4jj@AmpPDUj^S|I+0(^Nrs8~#vs*TlU@6lOe&Aj(rn%dIu4^dT?T4Y^ zqC7O8eq0>DLJDKas~p{MUq)0a5J(APE-7+?o|*o5^fyR@v0bmL8rE|-=S~W5h0VbD zE4i=0L*-Ai7iZ7`w~*z-p43a0*v!0r1}e$z7%a|lgObRn!Qo&)W-}n_3wH;5p%&|{ z0lBxjpO+&RkYJK0MOv8XT>H;NiAUj*@XJQzB3!?Bv9zFAQEojZxv+n{L?|ii%r?xBEJd<)CDbL5X~e&PB}j&nq$RNAx7#NA$#u$M~u3plaNJSocSCtjx#C 
z$C?k`OmAbjSc&mfEhVjo1+Z~=ekOtuLPUuE;;IK={|~<2JRZt7`XBzZGD?}T%XUv= zU&e+pSfF28!o@wGUR8mAJC1w@5EJsqv90QVvn^g$C2RZx~;VDzgax zni80mJ`mB&T1qkPSe*3CJC17&h5Ze=JDoPoROz`dsgNC2iufm?1-0b`K#Ux8iXD3d zUb4hM#emP25k&H)Rc6TlsPSBr7|#~$xbyr`Rh5Xnb7N2a9XPWZYr?SBhX)+)o8{I) ztb@?uwRuH(Q=ybIV}PL0j5dWTRiTsnJiL%m16X|G;kL@}r?lA?&!(X21D%E_>J+PL z>J$W^LYRrk1Q$#!@~)VM048>dqGtEGX@Y;}jLz;C7 zsL=NuUxvY@V{cPO49hGom8uxr@)QVeKni;I7IvZ&*U5C zv=2JPH|}y_FzYR3Kn2f{)C3IfZraS!+)5IzqBqxSQz2CNt#~a`E|j-Wmd-L)EKLc1 zTu}&ljZviVuVy8LfyI*1ooQmd-C1}<^Xi>1D%*^tuJ`I6Pblbg3%1+4$ogFwnkexCew~wAO~`ty;o`+;b@xN<$aWGzyvkL(@?pvd zsCX^E*w6YB;CBOT{@BSHEUO8#8gl)HgkOhpz@&nY_}h5=rpe=j{pJH#R>BNb9kaDY zM)E@wlXto2|I(alWG3nN)crhPGjG)}8o>($my3J5I`Bdn-0je#^lc9iW7n9%xd?-O zs~=_m2GT62p$84Xcv69ko|@iFzAUspdXSBx_%xP~e8 zMv)bSl)JO>cinMsQNcyJ)OZb0$#4&<`^&0#=(K^3Re5x}xVZ*or<`PTe*b4PdU# z33MWnB(xdYq8}49M;2k~D{j|*lCj2Ug^*f#I$TPX{z&@$!J|CUr)3`nxKWq7J7uv} zJU2`Kq3mU-?~`p+)*lQa6z<;SOgBV{ zQJ92wS#$}h!qZ$Fqfqr93;ZtA=Z!`KqW&Xm1}}To(RoNG6EilwUt_ub)YI6X(^fzZ zD<6(3!$WO8tgd*iVy}uk#>)v_NL7$fOQfYwRkfGAKXa;$6mJi&^ z>U7_eY1$t4E547ctC6D#oV^!yywO+DvvpOh@(_YxYzjpscj(%gjQIxyG;*?`kS4# z+_d^Pp|M9RUBUEf2W5FDorOWVy(*44gwU8R=fXvnp4WKVHqbu0aHR2?4=l6{;4t7d zPZ!iGeJt`^Yaozd5KTAP8EIx}n`C;Zme7T8k>{`>NuCis_HM5t0M~ehvdT@m7{_G+ ztF+qNgq1`}4L0*!48Nn9hH&$Bdu09Q1V6|Fa@(eGhnqfN)i>J`dfU^;lP$N66B5y3 zxz-ZUO0zual0pfz(dzUH8f01}@{#GnM58k-Z&`Q2IKoevYQYdC9(7$1c?-6eG|hC1 zWWKEYh12>j-WL3$;+~@?XgCx|;10V+u3@g9{Cc#GIeEDKQWi_0-fJ^5DD>{c2Gv7B zYZudUhWsO?+??wf3+mYymw8#Uc5M76pp4fz!ld)UCjHx zenLo-V;TF&a_OCzDtm$s?oX*%>$$5K{KxGOh9QM@Mfr58FTA7o+@c`=!-DW+{k>;+`ns9*Q^Dw1p>BAv%nn$9!#q!hl+LXkU3Pwx0F#$$xCY}2< z*@3e7cA7hq)l6m&P?@Dz9QuuH&_E@dNEBt@e>n(+v^*-Hat}jX4ap$MF)noce7@4&}B@QKyoJi3I{;0wNAG#2Y z(cHB5>Wnyas)F*|r>&1pe!sen6r=4^cVflj@IejR-TC zN0ZFrqRC@4o>u$dnfwS$$L*VHoPM`W`tPql%KS znQ`TY$--#t$Thc&%z@C;^akWAqrW#q)@X^G+w{+ke^V(l)uNkxwG{@h;4IE^yxla5 zd?JgNU}3is#zrVl%vNdOqSxikF@8aXX7H)@(C^Du73n;$=nSV^0&(`;+^!dm!YfmK zi|p8WPMun99B<~ecOLE+7x+->hrO@ayd 
zA0E+q7l%h#@i2Nrt;m?r&tUY~-!yH}%mi;Bni@T^wZ9F(?jdKum~8Cq4nQ&v9dVYr-Fya3!L* zsf(W6G$gw>$xp@n?;UuGQg>)UZnOZ<$$RNvkF0`JznP~!489#qFvbw+KFAv)ko|!a zfj2-!C}VfsJdNL&16;UbSg9(cN$zt(>U1#SNqd<7bV`o3J$4x5+8UrpCTnN z)m|LvLrh`tq8?jV9B-ip4~EE9oIr_qyq|TP7NKVI9n=9ab#;!6P~s(nPlVT2to1#q zeyh3OyizWgbLQ=a6EO$XSi9^6vj#1RNk*{MCzw3K;PWH^33y@julhgk2~2M^E+1QP zJf0Ilvd4Oc!Cd9_BuqV-11vIk?{uZR_A7}Hg2NJxD zn9xCO(KPx~bkBt?Zl~RP+;^;DoHLzkf3_Z0wA1c7KD`^D1osqH7yUSDb@C%!6a_uo zYtk4F>`VG*3vFMM$e=0U6zXXdfS~L{<>&T}tyU!2R(;B(>c{t}{;{1CT0WU1djdD) za3;^TI08-xWk#va+CMY=LVa+v#Sa1e?sCssU+O4)e?nQ9-~s1Wju18tmgrk1E=O8b zNZ~Lk&!2JfrC((pL>lt<%0qCi!UCZ6(8X4cP- zfUc^N#uo8ID&n+ZH#5y0ZI>kcoG>DI*EFs)fQa_(h2S?D9?f>~PbOGYKNedf#J_fi0QdFe~ zu>a^k`qFTs1~Z0F04|1^2R^~?Vwqz&-UO7bEsRkWuqS2Zw-6ADVM1$CbBFj zsK@qYlun3bHgZ-Ky1ZGRG%Ld-Ym;fL1}MbS{MAfilTJbFjR72|;!)Bj&S%hl_aZ#` zk$gEajTOBksf6-DRu!crqfXS+9qV_#L!wOu%`#K5EgP8r5r-G;=AY`v)M`N&{uUnF zs7=Pv|L6x@|0( z&f^af130ERce}QpoQ@k!5%ZSuXzW*N2x+JBj;iXZf|;RF${dUl3_p9MB_-hUo&9e? z)6?ha&|Rj5ZFJ47EMYE4%!_%cq!X!&gGLqv@%LO8S5o+KUaM-}r%(T&RmyG{AqEg< z&cfE2=AigE|A6LSA<#Hlx3-UbQ39{ut??%c<=v(SXR~jTTl@Ud}mT~)H zKN29?_HA!AP@IlRxE$_*Q=x~;!Voj}t^ZNSaMi!(^oP7) zUvEpNP&wH#sr8l;nX9=kIb$5)hx`u!%urV1ZF16>ubpFbE$Ks z0%^PI6pb*d=i9EnCk(#!q5quMOMVefJ$Zgdva3R*_mDH1YJVAi_f)k3`_0WuAvdAs zp2c%;QL>r6AA!GLP+?MP55!JqY21POujKN$MEarV&(JsT*-$j+2Z{blqijk&8K8|!aJFhxsUx8 zpA#aXJ!W+7MBHbfJ7Ln3)jA99EbaQuISX%UNKUZ3=Td}uy& zF)Q9KR}3BbUt$i!KH8_dNR_2LYeQS8I-O__1!N%yh(?}yA|h$4=aNs15;VWMf^u(a zzI3yAS+~q??Dh0x(|i0Vp31xJ+n?{ZU*Jif+iLJc>IyCD7=PmQwV>nQ5pK)>%)3

-pCTK4o^8eJsnFmU{Db1>-{3~`U} zH}hAlYV+0t<>oclYlgq;Ee($`STJ>tk=Xa&OiS%|H&#i`tczzq6@kjf;An}uryau8 z6=OdNyWVgds{Sq7&-$w22b-D*M5n3Q-)V_)T64G`Na1EAF*AOPX06i59S%TBa?NA8 zygD1-%h7iPtYa>8-0+`6lYj6LzaM~W*w33-+hQr4xNv92_;-e`5r&i%9P{gu5^5Zf zsY-Qn)TMzHC(vuSjZ&@&#yaO-qfUIyIs5n9?~Sm8=wE^dp_h^8Cx&IQ^R8cJs*^2d zYkoX_<>8<|us9iCr7wd2uf(WTuB$=7j-ab8<5O0(jszinWj`NPM_7I&3wbLKQeU?h zYFxzeo>DPXRp*DJS`h@Uy>{k@fO_{NMEY5sKmL^ONf6?p@7kM&aLu zOfe62bk|;j#7p{(Pu)%h$s|yiT0M1s^Ky}#XT9lThe55w9&yt0_@3ECr9raA9`b`YKo!CAXIo$X9nCx4 zb@`VS(ip|XP|PENF==#2wt!zXu}CdP(k2#OK=5(b!Jgfz8cJR%(tHzd2oLOxb#9@6 zuUn@$&>+v>BQh$Th=LfrcwPOiEUnGiwa0B0sruklw9$BFt!oi!RY7P6`QgPg4n8!7 zkc|*SaOk^eJ9~e$991vkyfeex6?2)4zNuTS34Hzj^OFbqzyF&MrhQ9H0J`41z4+kj^vDpsa&%{oKVH)OVV=OU?3Ofx?Fpl=DYT!-Nyo`%S~hV-ZMCC zyeCY_hywuycZFvx;p@J~Do_<<$HC45wWRECB#DoF+=C(!1+lLcDOvTYGBur)UHgI_ z$uGr@aaE8reApJ=?iCJ$XftO`3zhzALK5@SJ|=meB_02RSO;R62gq=PD9u?EQY{yg-G5xP0!5xKC6)INvIg_lKGbA!puFoT9d1$mpn>9Qs5B#U z&x*h3hhg`(rS$@2nDFA*D$HuVy`n{oI%kyqasQX!Oo@cxCfsra^XzIvR&DyKp@qc~ zep10@k5uh`gs#7L^V zT7TPGl_-IzR}R+GB;Vmx#r}5VWEFw#z*s>^LR_44{vTZNN@!cw!O_8Pk717Co(TA? 
zs+J?IC{>b*jP%OMj2+jjOZ2xhc9u9c+LN?Ph@v!}iTy{KH;G^Z)nlturzB|o(%|L@G zd=gd;`aU4_JLrX)p2-IJJ#bPdctz%w)jPpZP8`y4sWPEOqb=O$GwX4eidftGCaRZ; zk_z zbb8fPuvnd0flUIFZOexl;Q&#IgnLEOa^!x06YGuUk`|=?Z{S6ELfFKDf8Xhl{P4+j=| z^4Jg~J=2COn`<}sbQl8(8F9@e zOEfii1UlEY^R+2VHllY^KT`#nG( z7&xg8FBG<8?O^Q+{O3AYw{>u}OaeY7aa)jks>xG7^@;aK(s2C^AE`F^5HhQ$pL`ku z37mh9&e~F(sG%3%yEx|??jZl}KMSGn_}?W+>GX=8X~MM1fdE1kbJsR1H`9p*XD_4_=49;;Tut|^S!uqh-!t}yQvaJG)hRs!?_!VX zX*KIRTz8hb?ULP8A=PSKvM!ZSACtX^0XF_Te8-MZmPKXp0G1iq&s5cy?UV-FVDMfu zbg%gM(jumDV_)gesiut1mKb5X%)SW)p5Uj3*S1-swyv?X*23(;pT%^!$zO z=+)Vl&H21|x;Itd>Pf_sGFJGqGjD{xX8jx@~Jwi6K!|IkOfx$?dAEm;Zg z%_N$!jTid|bcXi={3=u5GOOSJXVAsCxO^T;gsW!;M^i#)=b3yuhjm5!uau^OEj49s zwj7o^Tt8>}m$=t*l%-sk^VKA`g@};};n%zChApi29!2Kh%8RuGsu7jt6D&}spi%YvUSNRihQu*UfF2NJ|i|UMKEgL?M6d9w0TG`3oVw~ z^=$Qxz00mt^_bDt9+-`D2>2C)n7(gS2_N(@ax$k$PPK!@n(lZ)S z*{-T*sjP=C#vi(Q6G^RV4dzgaomubYPwuEO#78tTyKNQHJw|uz3UNY*-!>uqX*!?L znl_F+y>X^@m04W`_h+@bjtrW35$#sHR?>XR4AI3_Z3#q&JfdPWx>fAU%7?yi=ERtc znr=$8HmCRqQxVHGf?Kna1*7Bjhm!Rx}TteH)U4yG_z2X)-c_&h9z^VqK0 zsSsgsjVr-~R$9QBEp4oN-stExX=i|On>IK@H+&4wLjkY^tz~8ynxq-kByQuPd*FEK zyYq;9Gu)!V`1p{g_^dQSC6g_+ph0w3g~Wki?4MZv6*q=i`AH8G%p(=3zERkF(Gne_ z&eAN#obe1T`v-$(lIxp)=b?h_w0_qk{A(fa)>NC+-Yr$4Q}VM~((vUo_BB%9JU$IN_{YHW@S zUT7OOE_@@wR#g}BV~)4`-)Kui3t4<|Qg)nb{{5W*+(%dWn9LWUgDdop27YeVyKpU! 
z`0utp$WbOsAda1J`ED{Dybw$wRwfZ#Y$IPatQ!_lpP0??9P$X~f)h7!N_1ppK?LT* zXQ2z#ed>K91I!QmM`v2jIUM(Lsg&N(h^MxBj_4Z!t`jW2#_Se{CF8Gx6T@;Im0CkCtoB z8#V|{ta1}^5xR_aBk3eP@)D1$XnY##9)1kZluTC63TBY`?a5*@JSBT(C9I!5mT$mS zGx$lk=9NEM^wbi2^j%aHt0}x@{^KrN{W8sH>2=2?n1b`oRh}Ej^Ay0d>k53JxfgUs zP)h3);fq zZI&`u^c6P1>~>2N^s9^RQ5-0%w(lxjkn~@}$<}_mv?m}@Ji$i6&86;PPC1How$D=t z;slZxabh&y$;fqbju>MY*VUx)=IHfb=B`QyA|6D_2sw51#=q22HpUygG5(Fa%pMw5 z;wHp#= z&S^Y426y@3>0NZJJ;~&p)kXa31ip%@ z5}#doUcD46tXui@-VYBcLi&{m-PeEJcH#+*j5Fp$=z+9kidGq1ZKoSJB++fY zbsFkV7+|sye9z%29qyoif8IgGuH8fUI8%SkH5H@jB$MsFDjOC2+!U+CDlA5bYRYPT zhYx8U7d80h=GL!ZibdF(&Hb-S|MC-Z0Ukc9P;}!>&W4KLw4qm=duXHfh04)97Y+}x zqrJ%!_$PO$THeh;NMagtA;|sub-_~kTy*{hj`L{@q4ntBZILOfVR1*^PNLfG#itZ! z2nR}YXi=r@TWit2FV_qd@bdl`-biiExa1duC(La!nD6O+=NacePJhmvyFCpHRDGK6 z#NoR%8tXc3k^Hc1A!+)MMDy4Lies>URvXnVQvJZ2+H$p%1;fkZ^uIS&AK9>lhyGRU4{v4U-|n_ABPdAQ7~mC**TIVWe0yI zN6-$lhnN|OC%7%B-F<#Jo@v?~FLx3{M|UR@etr$N$m#VSXIAX9j55gmOPg-?=9@>E zajwTtukKHQr0%&Ks5u3KVvam-_BUl^x1{lHmgv@@1NiuQgJfZw{h$J;2bdmxl+Hc18(P-KZnCQf~C>(9i$ttDddE6O|Cv^P$6HoYT ztR}_iFlf$JNywENXj6x+? 
zkjKx@Z{GN|rwC!_Zy!8TT}I{dKUh#InxqQBKQ!1&42X-@>OS-t^afaMaE@XLX&+hG z5~i>@SN*c>c+=dyHl}9J7|+A((+Myclc2F^+l{`(UH`NYKLbfE7P~lk;j6nj!+Ouc zhICjC4+IJ*Vwyy5*fB#zDDbm*3b)AaM@_e>(MuNw%ASmAKaHw-TGT6Q9}@OoEx<}^ z(dhGOjty}eduwS|5nMJL7!6VJ!>4$v#oTiER-=>Vp&YSEyt&4J!uE4v@x!*T+IkoDr&3cXJe-|!I{M>D0&h>{!T zEZhBuvp0{iR8Cfa&e_hsc1dwLAS=@j_l#$-?W<5*h}ftEv-bjqq5i{p-BRq6`S)>M z{?rUsJm8XLh@B#k(Zlb7{uW4K%g8$Ft+Ze};T6Y`rVe!D>Zra~J#MBMHn>B~C^qqH zEQPx1vLXhqHtReRLYoaQw-HPI3pYicouqswUOmA+Q}^2!P4JjHTqrX->Qiw3oLnbi z8Vh2V2XDG(Xi&&{`ab@nFtD5-nYRK|+}Fyz-L;~geZaZB1VC^|RyKep4!qfEskA&u z$osAC#2#wN!?v`g)m*XCIa-)Y-Bjw?Q#u-^AnplO$>c$R3a|D=r(vQ`RSvqDbV@~U zQ})7>=Kb*;_Bwh$JGJ<gt*i4<{66y@-0V+<2M|r2i!jgpk4fNyLi-vhtSU zmOP$c_A&+y=x&|)tP-fej-yI&xILFaZ8Z}}Ks|0@lQ_e!H5o{#@{FujcI(&&Rk1~Y zpf~4!!ebHkh3x^C5`SV2PRNscS4}(GJ6Z>~?-XYJH14s;F_mA2$9Z49Ed(`k>lw1ru;lvbgts!cSp%g{QWxLkK}pl zoI@oG#pQQ53}92v53U4Kl+{MO8%t$?M=(?ArTA8S?{^2=V>MUF{Q`xEF7JI^7MtqA zYWb#h!HD(uZ~AEgM-x zB9JM&>ftK>7_4b7yXoC2F9>_ehpe23YU<$~D7p63n%#$L{g)D3+FV0jIH~=fz`6WT z4s)YRJlg?p)wPat%yKs#q(4|a14oPTL#|GY#kc=AWR_t1mDpP&(G()D5B@-1D3qpr zsCfdZ{S^D^gZ%LYnAH}U+~s3Vz8wEpILhqQ#Ha<1L=%>i1)PUzMZV)Iq41R%)kbN1 zm~QXa%NoAJsj?if>B>4=7)JVP=Y5ZJsGqd_RC`{qZq7lTq6l?dn_aEJU}9TaAVzq! zz&Tx{Nk%aSLVCQz`G!#!404IaF7C|*QWU`{%g23Iw{Sw-=2dFZON^hp;b zj3<7;Q7zvL@7soOaqXno*B|6V=*a9~{BH^s_s>$7rDJEy+ee$im8jydc#3G{`SoT- zQ8jI2ZIP?}v+vsA$R_H&@96URxTVb@k6TxqyC{)W^yVIFI6W)$AaToe9aqeUzV27& z6wpaySQe}a_xmL-VF+6z<8(NArkCg<4qVl~d-nbz)*-6#7hES3^Pw@Fjhv|7?)bp)20{{{ifk zDScLbH}mV<`{7XgrrE^bxZ+`fY{sQfd(9si*9H$&5(#z=3#7@vT@@9Ngy@#rtX-AS z9NfUN%j;fN86;{wwEi0|wI-FTL=@s;2C zs)68WClYGubj9064r~xxt!_5&jf_O5$s|$?-vTyf)z$g0$l}*kCJ!7Sgm6%f)bF7N z-1KT^$cU)l&!eZS4+f|jN^X&@&is`Zb9om2+Hc{JT?{l+xfs zm6gv*w_MFs13nw-CbsDHiyAKfwd;{~xRf>YT(5U!SvuOY-kA;a_Tc)|$6UNMgmPdS zc=>STX(Wt`-JDsHy7dnB7NGfLdrdRpl3jE^DD)g`<_Fd!#|_HZfO!d|qtvY!LS;=! 
z((GNG_Q&P~l)ipNFz$;Nrjv=LOV8Gwe#)h|qqVUyB;r6J)|Fr?$2Ry+StloIy{Jn5 zeGX2KyH*kw)hnI{bx?JGzW8FvwHX&V*+Zi0$I`vD;g~#t&UnmF)KPV=If5q1pI%un_jm%>ckMt;3m zj#tZCDd`_ueC%?|Ux_F|h8*F*VlV2RMV+^-V~KaxGc@$LXeJ(M{nq@NTk7~kE*dbL z?D16bODbbS)8AvGL^JB*C#=XKv>~t0-!)eXMedUVlxVu02Nx6sv-$a22^7)soE1;2Bxk!EZw{xo{<$1BXqUD64#u@t z7A8Ucv5X&wVNXg@B7So0{YQrtNBSAb3fvU%6$FN!EwHLQU1H^?DVPU|!xmuiWRIAN zpKGp9y}C`|eeM{7G-roHE33?;z3g4^p{du=*piR)BbtZTS7SHbtF!33{RrDFxIcfM z);{OHy(&&^<}gf$24t*R^CVdX?&JEw^d41u6n;o`W?#J?a>2<0d#`Og2<124Xy+?K~K zo3~iLOZkcHx+mOLG@k9Sn7PnhFw=Ilei?RUJurrVjQ1GNdTBv`xjU2CGqzY1to$%T z40i?Ej4LWGc+u^sxh(0q?3XLsq!9mpVruzIRKi*S-)b+sm1Z}e8Kmca1bR&(>CP?8 zwaeZ;dyi|ZJ|tA*jcuE06HKZ{W~CK3@)Uq-yo4wnI%dvX0oi8?Vrx07xY+8|X>!c% zrUsLL-W&UpDFEjwzK#a23)O#>mb^t7K`j$M`RHsYG)0;(smVuK`g_juENXqHpCN&j*Gy#TGuFfO zvWMM!m;!xUO@J;~PiBHrP!K~5!E1_%gq3nV2r<=qk)}(UB9&DTKCsr*M(LpSsEORj zEb;1v=vqXfD}nINo?xEEPm}WPdc>Xkyr?TuD>gyrLKj=>x9*+S412Mq_oa1zN9JaU zc9ydx+j|qd&gF9JR*~ywxstr`3@OD$*QegyrrvrHs`q8-t5${?1LX64aObOk6w1bFIuUX>dXIg(_~gZ`>3xTay?o`Bi@;L}DUoX_sHJ+|TKEyS1rG8D&n7 zKwMdTV_g$QKi27$IbnE>+&#N@=<#xupx0Q=pQIgW(DErI$d)ELb!(hpLwpWy_2hD4 zdENRG-}OI!y3;BGuX5>w3S8I{22JcN|mjGd|p`ER1u=|#C#vS6=M~$j?IL^ti9>3+4-+P~ijdXAE(&LWY zOx`!PPGK3-SW8*n5SAymS8E-;j}EJUqHkIvj;2wV!CQR4XIYDlbGH-rWj3~A&H^t8 z1Vw)d_-hTq=&Fxli?G&TRh79SmF+XkAvl{OyHC^Tn?6^?ugTCDwyBep>k(U&mziS1 zW32car9s6Jd&B0LN!Nztf@P)Osv$4ivoa z+4Ka^{Z4vIf$S`di^HrwI%H9&HcpS}ibDYf%3MhOj~0xJ8$cId$a?w8>p?03`kK`+ zZ&hsR<*DH*VKy9n%=aAD7om+&Qwb>Z5%bs1j}@@O*HaIzlB2`vgKftTj9kUX-%_|f z2WF8%q$0b-M&T}JEnJ{VIxDhNC*Olv)bkg~)tF}%c_q7$`n8Fq!fjrZ4bm8s4I|b& z@G$zH;VMkwF!iSVT02EN)#B^uC(y@D0e5u$7Vr2s*^rKJq&o{wK1TQhd)JYsHL9Ly z+6~8}GrKl0`ZE66XKX+~9!QjeZb~4Zh?j9@Oo_O*-*5aJ5n&0M7xO1G6t*g14^@xW zudRg(cW*aDUDigPQm@5pXTr^)|J4s8kM0;Cn!M z*uj`VNcKl0;EO^fh3&|H!|%{3Y;QqBtpDBAmCMH!GvZ8%8iEjJ?(sc+WP)`8@osYv!d!*mV5o5#2R$Ql#g^3<&ul4c)N12)g zXDpj}c??uD4_dwp}>z2Y^|gY z`wIG7fbko~z9`HhYik1m>WD&_Ux5|K(SpUvgkQR#+cwKvn3W>7e}V2f(|HmA>iWPE z84**LTtE8GDFW==fc0eN*e508dqw=1v|iFZ_VfP`2>K{wf- 
zt=(woQ5QB$EpKD*)`J6Nmf|sI6dQ;X+^^_~@+d+>8JW8{CHjK|cF-|OkMv}|)_ZuK z{dp8dRFBBnXb#5anE98GWF?w}IiIjpUyLK|)J^o};`5yepMSDuZ=HX{ zZcaQFv#B1a)Yhm5bLYNl38vM^>hpMWUkiKWcll&|2%hU%)0nfvaBx)-!c^hsUUMCI zk!ej{r|JCG`}A_YfMhE0gv?aL6!yhqXVaX)oV?MDRt6(jf!B>nKDt}-*GJhph*CWq z=I?#IgsJ^CP6>yW@S-cMJeL*L_d^k1;Ta)^zt9gd6LDDGarTnUfdgY(Jyw~Mp^Fe` zp-KC{60es(DdMe1mafLU(f@NOFuffbKE|{x9sB97Kcv{KzztTw;e)RhP1k+c+WoSt z-_!ph^?sL&l&a#XhVBsUUizw$ooW*gmbkM0Y-U*zFKjvZ+F+gC#Y_-DcX1Jqd}=HN zEZF=MPidTeN8ujeJG0lnsRO}r-S|wCOpugYVY+T+%QUlUxH=sjays65M9M|JABLlv zq&o+DmTVZ0)S+lT_w8u==U`-?^x?Lv=JDV5B@_97mkRyq9&wT%R$d;Q$1vDv^ZnOY zv?Q>bUQSD5g(ZcYmwz>SqEWzA6w9on-3O?&Fi4MXB>3(tGR~|nlaq)}v7RWM03QI}&Op`A=iyiZSHWym ze515?<`oSc&^*BRA>)6~yoJLCUGCv~xd5f6k=t6T;e-)sMc99X#N;5RK4g}`xO}p5 zeh&$OnVO*gKI<#JrL!^WkkikY#t&$gl7y>M$&*J~1ahvA%Yi3awr&oi|Li&{amC?> zi)H>hF(<^-kI&U%kIcct?aD~P@*lqD8P~XA?}71gen|0N`Y93@zKb;pxrD*QEX|w{ z=*PF%e+bzb6RFxL(SSA+DhEfjdN*5B3k5947UZoWQ6e467&}FQr7D@Y+t6|8*9W#& z2M7YrBnqgsR0-@8{Z<`GP0%J^&aE?HQ%vDs8HW?ZG=Sk)At&CKYYqd%{bgn;sT8J8q2c(osbU+3GL5jRzkV4JFMG7f(r=5ZXc5rs44wclhpktB|?u6w!`r0 ziQNM0@_~!8Hfa92eL6cOGGHmAgkxH$e#rh!P*Kz1&abIGvB-Bvdsj|H*M&fT($!Z! zvs*JXO+KpJ6z}=MC)Nl5v$azy0#^k9 zC~z*Obo1{tCO=g_Hst-)J4ThJh_D=j&mtn=ClWsobI-&5jq>6Ba6C%N(v1*Yy_Lx% zM2Z;WOgREULY-{{E8nMYNf{_mIh^8f)t!H;O&2iBZbiFs^RPjwuaH0?cC&K@cVaq% z-x3U{%}qvXFuPj@*MS({k=RhH8*QTpwis~1twa(3k&HIb3MHlFWgp~aWSMX+U^e4- zWvl=B9Y++x^xEKgJ=i}l-FI%n%2mwua-|;qTnL~*K3Irx6{MUpem!jf1_f;Dftde+(0`2owV)HS!GbN`^~KjNy=JbO^6 z#VdtX^U-lJgfD#xc!CTn?I&yDEUW5Uib`b9CM>)rK>@2yp}<2Cqx0BKV{H1+(wo zm%k5Ib@A_JnC&vw-%X;3c_FliBeGK2*L3|%VX$K+=VG3J@>Ee1+3=k(7p%mFLSF|? 
zk27VkXRY?muk4M05-D1d(kO7{Xx}q$wp$QYUHi(Sc zPs}jOcIq#Qi4DfN(N=yKZ|NVSD&DSdL1CipDRxi%k9WAp6m>Od?T5dY15{FF)Tmy< zD;lKVyQ2|5f8GqLu3-*LP>Bk-Kpkoa>n!EWL17r82q}n&GMK)6vL_#~ZUC;wjVQ3; zB%!t}oVYGH^8;C5lg?VAi0xKcpjqEoy?dy4uD?;sc1Vz1Uuk%&MhXAA&j7Ylc!w=5 zHgx_0jbI>dCW=t3jE^fd>v+Rr!Z#RBa#u)%&2`Iyyd@3y11dBj5Hc09oEKM^QV$m+ z31)kj`VyQ8#WW7a{acDMZ#Br~zvDi*<-Q{nITsDLcV7_Z4E{ekWFgGUDs*F=?U!nvzU<*^U;aK*2uKnXBTOV@cv^u|!Dl)uIJJ5o(^Pj4~|Esg_4r;3D8%2~7 z5DY;D6p%m&9i?|Lp@rU?H0jc7=;cvDM+m(a5fMUDs#FzF0*EM8Dbi88Qbh#s3GsR7 zyEEV1nfLP7VRLqWb$5Sl_h5dqGxI@@{N7pZX1KXH?0-Fi)J@Y@@X;^Sws9_1`hW{C z`PEajJMAcxCmi-Mq0viDW|m_jW3}ei?D~sOmJ>tUGo3s+9cCdld0UK&sla{^$N|zj z&j;POB!c4~uPMd?x!=c;BV-TtOIe z+5@C!(u?PhoUFl2-^tAzLzId!g@dE-_fyd#n6i!39bYH&B16z=dzLr-!gdwd&(?Uy z6tLy3u~sN_Xb4ljya#V9sn>~Z*8}xUr8dIsCGdzUCcO%`bXS|w(=z9OZD*ei{(wD0 z4ul-{12+{+0$dYEaos10Ox0)z`q{xu;UKeMfq%fG`Dss}xM>bYd*E zN)?&!bO-|V_zcX?g!GmdjtSNIVdVj{7eAhx!ENoGCkCgM_Q<__rns`^$k7)`6;5B9 zFw8~m$cZa1&$;x6z6crhj((f2!faFynM3qNE(U#2(GS>_Mzu;lV@>1|%Wa?d zFb7eI6oS+j)ng^R4znE%>gs)>QTREQ4Ha>BYlz&BxOO9yX_>B=pBnxEupOLHMa{H7 z?1!`nV)+7mVQ>CY+v$Xp{rh1i7_{D~73*cHxd3WY`FlQ!Iz)FgbaJ zK5zZyMI5kaylPX&e|Wo@WXIx5BQ>#pwF8oBsOv$lc*-0>etJQp30tU%%B1=su%4uj zH*Ra*N|3@=BF;F=r4cK}e>v3|A08pQm4UYV;h~6RUU!-u7`jVl=EvEy?fUjg)uvlD zzFH9AcP4D*wt`or>VcdbZ`}9p%HHBMO>sp>oC9ZI|>8ArpR{Xp|`St zd$`81*u;Eci0CQxKuVC#NMse@7XQwRU`{?(6;l#8CjD*-U%E$w#hxdQ4iRp|ykNhj z4`Q0Qnjr|i!`hG8s6Gerc_n;CwQvgtHP2LmNt|XQr}%i|$4AIcV>3C5^54#pn5y>s z$Gx(~Af{F$K}d;RD151^>Kp`_XZY_*+I^TDR1Vqsl=!Yor}QIG?t<`8qa3g$4xfxM z?W!*;$NWCt{^V&V&`B!~7+);4%&=OoJ@x-U$--2ni)eA$`|hHpYWqF?H{KIh)&?7m@FhHLjv%nG4q)e{0DcG<8PWw^6 zL_Y>=N~S_k-)_a%+UQ6>HNe9t0=9=EP8jp&HcKvOi!<||Fyl7iq(iwJtlQ|9T!+sK zYCJq3SLy^E|=&n&}+{Y1axT9jt9>;z>X@&SzG>iLG5&|G%{WDOjVq zhpzd&z!DLXxkwMUvq*T{(W*f2V}LwUIg(lq=;N$aT)m@n;#*+lEnjY7RSf|O0`Wko zY*-=ukNh*&vr)5Bu_;$=$M~0~ab+6=7WkqQMv9a@9=@cXj~PC^*ZGHl*_1kPNv{-~ z)khxZ`tj4#G3;Wv1$>PD9EHsMM@>qCg&F7$V)BGWQ({y>vdci5ENuvIMQ(Nmwpgsd zcJLAFn8bcgVxOM9Bterxn=ltjHokah&9hf~IzE?gK923)sI((Bb^)$Xs=@?zb!=W7 
z$xxO2KxV~!_nZj*)CGfcBp20D!yPjbk2EPMTG<*b`R_U^y$hlwxvP&fKE=PS;EtU? zPrKXg473;{jqkg5VD6)mHC^ga%A)9%H$qicDM)S!Ku4-ZI(VcrxsbHJG%I$FDwE<* zz$7G#kR8Yj5-E)l{o#IzF1yhh$0bR9j^v#Np4v2)?*bp)otS*9_4=zw!o}U198f-| z6;5IGKuOf~)fB26U+0TVoFxA^!+P>U9@Q+d{E3eRsZj_TiPtz5ZTdF`&=fcK$ zl5B0Hai`N@gJ3kuh3nC6$`w;ayQr#%0HXlH>#If^kx)vK1LhPX{I#4oklO+q3CV~C ze(x%~+^@(z4!fydYPdk;PjO2?aU8MO47&=7JGHaPsu9>c)h}p6C3!S28Qt?n_H-(e zTM3w|Y3IcXURXwO-UlEO_?XQ$lvM@ASEmQ)e+vu-wjH)aOVuf^8FX6wjqK?he=q!L zArjUz6e|CRo$a-H3W|&*TML=`q_wc?wiT_y-c5Fh>^2AFwLy_*bn-xji`?$fG&WI` z=40{lH7ntfr zT+oWxi}V*=OY<-EIX6L8^YJ%u5*~&34F}KeD>XSvP)6Raa5<@YH?8!faKZbXRlL`^byWiJOIcWq ztW$1(G+v*5)w;Wi=Xm*M&CuA~lcZ0=zkcMUn&Do!i6~QZo3S66AxTY)_BmFE?ktN(z|euM&y{Y3s_Z z8PB9JC&p|aMB@rDj0ASU3(S832r-^JlMwJfyqkgDbm?Xi0DukpPvpCUO1rb+=GaCS zi396ioSUEkz}?m3m%EA(AojM0XUejW0iZ}|ADnf4#%*KP^X(hlFYIRl~TTQbKcP)=;`3j!``@_hnoJj3!Ghd0)h`3%$hJj^}w4lfpL zp@OxffL@T2*EX_F+!3HXqm*PZ%<4LUt{3ljfRB6tKPNBxX1qDWBfA%2dTuzO=Py!@ z_ooF3FGx}ndE^A9oZsc0R93j2)g4{y_7))i1;5q&RPLN zzXW#sD=`RCqN>PkG&%m_kgIDcQ&rSiZf$qa06hvgR`w+}l zOTW-cmB$WC~Fd0QsVz*UdVa1zo?yKwtrM! 
z7WF+D4Dk2op5nvE_KOei#CB^xAjswGyksNCW*qkM3Gb*Yv~zBs094-dmE{v%PTCz8 z;6mHm$gVEpo2@{eI1ph)@w5S~3fwn!o-kembpbckNk9FCOIC?pNWloI-)CTM{Vw4{ zRUcfcb%fRwr^o|x`RgkE^shUEDf>6_{H$&I5uAy}Y_S*o&~5L@JT5pS?BI))^#;Uq4;kRn&VGdXWGC z@#1Ltq52;U_VYTUbKK_u@!n7h3iEZw9|ix}LVm;?F%lLNJ1@gcs;^`l7Kbj}&Cbx@ z8W#wdM33uE?MjW_{0iM?Vj|+9^V&J%*b=rxc4=6>g>_emz=N3iiAuH_+aGTR^xqA9 z*P$bD0F2yW^IU;em68(%T6(b}77n*D=2NZtZCYh96|#J3B4o4Z=5g#y#v2|ofR;VT zEs(+7RF|H=y`^ADsO-=A&o%UuJthF{Ho7y1&<9uq+UM2p1WZq+;qU`4uOJqBI*{oA zfen!^;6E-4n-17pLV|)DLxq8xlUo_Xy#4`cD0e zxLG${0gfRgqZZwypeGgKbwhF+U3WKKccyEGd@@~#M7o}IVD5o($jQe%CCZzOlZK!o zW^Y=VCBG2VJ%@yRY+JnCpFJttncdNz(6XRxt9#-R>B7|et}v(O?wfcC!n%2}yZ9Fi z#n|vyBQe2b+U*+vD8^{S{xJ3MA6k44PP!6=T7+IsIH!IpAqN@j5ZT%C!P}dN!*h_dv<8t z+zk0x%0rB%l6}1<10WE)Tjk;1h{h|oBE{+A0|*JRcdySdYtJ5O;m9~^=(r6q#zVK- z^n>UOqTcQc3?NJBkm_|C4eq@8cUx`ryM@?8N&-us}T zjz}r`E=dvs05JP&`QBL{H&?Tg20fN`h0DeDJ5yCV?wRsc%D{abI|$yvZDiS8rzT2_ zZnrYQK!_(Y`dtxdm8!I`Aj214e3o&;2DNa|F94{t<;FTY$0{jWvC|K?a63i>C4C_i z(d;`zrbjlCVl3)GmH$&KGBvTK+v4`8nz7RX#?s+}I(6ID)dR1I?Do!Y6D-nJy}BfQ zy{q)ybPm>IK$0uz+o=46V9|Ww8PYxck>q2_S9&IC46vGt{o*(a{0bh!90E5Vc9Jp? 
zn0on)=x}Qe{e#$NBu^EG5l3W$uh3T&&Qk8E4T0gm$xt$<*awovPapiAbTg^6)Di1JD3%RjzD<>~ zChr5em#4AC{zjVj3W+($w7p9>-}|2qw0hhGZ+bVEjEXL8sWC~!mrP!W3^)?qK?m%) zO<4{X|8hLSJ>~*#=L!d+rW;nhg`Ez6^OP5dWy;@gAimtAuG`GOmgXJ%=SKz3&d!dZ z#acrTSk@>iEv*B=73raUh(-}Xu+O`!o+ZdaX@J2|(VjLZL38mvdo(x$3U7aj$p?Gd zy`xGF=)*)!MWjB(YI#6*D!6S|rqds8Kik2(V!Fqx@#*UTI$2cUEJcQAmORPQ3<^k9XSz&czXj@2Ss91XQ zp4eTZEig!JYd;pVCyk#nM3(ho{A%87U3=2+o1QCDBhV+5_6IMp$6t3lV5` z=+t0643^W_B63Av9c4@bstU-$ItxP!WZuF=ZfYwc1zXv76>_jd{U6=Ch)YYD@j$tb zB7l?#QbirrjVRS$POhq3x(A2ye(zfGs8U5-?m6%rgUU+&r&Gn)0@6) z#<$eO8?SRh%~(n;^46{8c?1(%@?emXjqS^|qZh6?HGeu%jNIP-M3vSC8+zXKV1sVG zu8Upyl%)Bm{Oni&?ZoGffv<;;w+{kB<1}N}M&nAp=^an#g$|ognf=5NbI6Gw<;u0A z@y)gsPrE(xH0w>LX6DCNTH~s!R8Xijwso9BtQB$tJ%7>r^i6U5@)RFu&#@q958umt z^H|TU=AJq@6v2bciMAiwHqp6J8AmbJk%Qd|Rb9(Jw!QD6E-$uN6&&1tv*U7C-q||% zjn!~A5wpZ+h09g{L)+%ey%Y{|mO;f}U}P6>CPGBOQ9hv&s*f15HkBXrtNFZ+l}(B5 zm1bGzO1sIR(O1aP8oCvrk>SE4%kbU_JZ8hw&AeGbW&$$Y zcH43O32|;RJ`T|>2t}LM+UGa0;IFymg$;`5{dyX}Wk3(YtAkU}=18PjHl|1eDSjy} zonLQ||16)0B<_QD^ijBCg?6PG;3^$i#WRdMBh|1ix5LP=#-1<+BrL9g zM@iQ?+S)83W0rR(D6{=VioCTR$lG;R7@z+bF4eg`;7lLw;VUmGKET^$iazjUT^r$j9EF)C(C6J_a!0y|F47^;5(D zUr7PLaLOFfxzp*IP3g|qO~E6-tPD-@r`_W?Gt?c5=l;nUq(11mk^k!ePyUbY;ZjF` zOqV`YWR z(4RNqv!N0OnFRpF4hpYojgTAT6S9>J*oNxZ{6O8A0#Hk%_{!Qh6NoLH7I9^4@T0|P zG?qK#p)=a>kh^A!pT^P4ONJ9omD)~+(a3h>m0{}eluzX#%qR+V;BaUI0=Z;h8&!~k zI_&XNkF)wP(+nWzUzEE-gn&3GC$k2Dwxt_KcR#nCb7Q%d#&0xOdZ)$JGJvL~-qNh` zzGdsqcpHQgsA}P;{}5AUGlK=^2=2Jc7gu3=;+z^fGfzl7CXMXBy%$>%fzH$mHUEL` zp<>(Sj(~Dkf}Qr*Rkxstw{1(Zslx|rT^*MvN0puiB1@!P)c+j&yet7_gnFkY3BB3sGte|clZB=e98cif2@#!`A$nH?huj&R9XG{nxr9F zdY!kKB~m;FcRi}?vd>pme>A9XybW{oM6f!}{&>aMeagVn^s7p7|HI`}agNoKV@}x2 zMR>o!w*}v!d_-?&Z{GH%_mt{XS!>k&A&@|&9o%)W#WONo3X3tC2J&`{X=vQ?=;fRVbrxi!-wbDbb=;t6)& zup9WFH38_u0s7Ixj^En2*oLyh9}gbMoPLL&0~CP=K=@9~r_z)p19zsHMn3r6rWp5A ziJ)>nTFJo{KPq;D0-m568?~7A5)tU5n5S|CqHOuOYw zW@)e(0awV-$||q_7M-AvK`>^uom*B0*HT`qRmNR4o6QnUr;jq5`^kQ-U!%UuYG-k& zX5PViZvZ|0oIzzd*yAAvX5j75cwxS^Q{Zow^|nH}wgzi3@crZj@5b7VgHpQ8%wEZa 
z4DezORzCS>%a8o8U({nGYBBg{rl|Bxz7oH2UjFTrbdCjmQ_a7R^vxM{qxSyK32q4t`^Hfw*3OX0p zY&q@UYvQZ-g*u|J^N>^^4O^d+S~8{Hxzw^jYT`=E5H?}LwH%BcP%^Eq1-T3v*Cg@4 z-RlHf94I+!;{uH*G6x#p`uo)FTmgi3%T2dHyU~I|S|8N1X5q*}8zWnOhx&eLSYM4q z(P#cU$V4Y(4Qz@3uy^+;R3aLxUYFHCEjO^zf z|2#4N1SdUKriJn_yzIa;N9Z=kW(fIJ;$!fm|u-LzPcD9NbRK7@YuUKcs z2|Bui%ud)Z3j?`)tp}#ZJxZOOhC^mvoj-ejy!fLwq0G|jgmk%_ptGUR+5YRds#Qw) z!A6BURk|9=jscl+^I44vQnvC(`~G+%!tuth)$DC_dD%^CLi`1Aqkb6!^Zavu-A-=} z95()_0bAw$`6d#Y<_OdQB-rxv9LhZbxBN*lP7(8Gr7W9d@Ae%i^0r)2cznm<@vRsa zily9J_K?(R@YkWN6=R1=2*lVx#@}D#$L0u`M5laq>-+Q1?&mgy5&|n1uN!h%OMc^A z(q+VpCu8#0WTwofEVrO$?)JOiSpDsh%lR{IEaq`^fSv0EvRMk)%y_* z)CVlsO#U|c$Kb&3u)jOwYAgmwgxgHC;~eA$X$QGxwrE*$u!E_J(6=H`=?Ls$Avl*) z{38cM-w3%7`~+4Mvzmexg|WMuc4S~h*Cty-w2;?8^s7$Q>f~-7#2QVzZvgXAs7|Aq zD{UjSgEo~f3kgDYhWA`+Mq8e@{5pycQ|DANq`ouE%4YQv!#%@_ZdFGWg3PQVj&m_T zH=PW=JkzK2gb<=ENQrW7j|nAYlcnO<>J9EA*MnDWzL#WxvoZrFGY^3}2D!#2=N!fc z>&-!Rl&QwOpFuaVtRQFEBGcN(HR>p_dIP~u?}>HWxEkv(JO#ylonDqXL?>$rK(lgu z3!OK(YPh9i@{+d6dcEWg>dk@Iq}w$SnZC)HH_^z8nYFE{71kXZzO^3@WUi0Gm;5<< zYG)pOyEM!JHJ+}rdm+IKwLu$vysDK^{rNU+KYJ9keGjAD9 zGa8ku8}6I;<8`^7_ts$3B`VEAr>Z@?PHvC`%G;{j_D_F#^w&)5AA&_;N^m7-YNoFz zx_e=>%H@UnpuVfmdLHGKA?wXjWLuCcXYe#P z+1q^J*3`o{-ME`ka<7x^p)^Z0}a$smM3MHG$OTpS%FF- zH)PqjbE$GhW0zr{-6il`Hfz;Ncnsj12w%@dperGDQf|#b6m&5NXCV3(ICv^}HwWAzF~{~1u*4sy1;=1aak?bXY7Y=k0xi| z)3Zd!uYuH_x)0k~xuhi~u183_P7O`)Xht;xkeCrb4>f`@3RB^_# z9&B46%IC*bko04!duCF;w#LcCAvN$CNC*fjWhVzc120r?byD(D%1vY`ZVQG@P|viI z@ywcZ=*+f<>|8|b9&;)@U?4wjSmpx)Q+Hn#O9SQO#q_aNd(SJIf8#?r*Nu$V)Ev2T z!=2)aBuCUx@=I4(=*ew9M)~5@V~;drIU9F{zCOBlL)J??np2CAE?bOT^N2(#vb|~0 z=tOTlI+|Fjw>%Nig4&mS&bBXbOufK;jBGHVF5ylK)rKogw4AK-7a;DnJqcItvaX9H z#571+Fw(yCM7Y zx~oh^RDvL}G`5GCC8XES6t7}jmog@!-H1bFlJ@YE+(Y2EMV&X+Z{pS)lWW-SPF z$HAdFwxg3CYrN3cPQXdL3TzC_{_a`%93f>$KDL_G)H)`R7h1ENu2YqtyUU;Vd;Pt( z31weXQO?>z%C_M`xQT`m0~YjA02`!)%(Mbd2@>pWDZtFCEcxQ?4n4}vHWYV}8Fk>Z z^>2HJ*t=9Piijtlb>8+Y0Cs)1oFlayuom!5XOPs*PVm2mt6Y|bdy{B0_^BCXp9b{k z6#c7FtSv9{r;`N8d-s*9&<%ridPw|!K#ti-sb(x-#%pU0w4A(L9}`Mpz&mIV{o%xq 
zV&z+)r>D4s>Z!)2-ocJCC!2SE*S`fT(}SB`X2QpW#CQ|nH`0Le*38!}d|weBci;90Ljhpce`yJn@e+-a#M zet9C)c-J4ADbGaQ1=1u>OfR1?=g*E>c_xl)jXjA zjjlRec2~FmmZhuC7Ps~y#aE}}frF%eGI&fBc#JB-zIsYVJnzplP1H_8>z&F^T=NEl z5#wgo6d(qLztAFqfZ(xoxM^SefQR`m*r{#Gz3t$Afn<8F7$|Nhj)9J0;BG4nc3P#0 zVz+r@jBGv4__oegr~@Sivsb>c7zV@`Tyl=Hua{yGT=BMPmdO{-^E=wA={AF-v5xND zH^*PUvjFZnqfcd)UZ%+ctG2DP-2cm|G7}nM>K4H$H{d47r_RQ2JcK9GB+_WDD;-)| z>`MpGPMO$MVW^sbk{#4ZHG($35e;S_o@R+v^SFqscj;51*BCn_Ra>!a$_tWt0uOAY zvD@im3OHTO20B_^^%<3)wQ7_6x09I%4Q@oHv61~VwaH7c#LS$>Q`hIxt7r~q2&9>c zh*&r$iSao!oXtQ@tQ%n0|9Rv&p4 z0Ur9)rv|l$4_cbQgZ7DF(!V%*dwfPXLSrgjRI@M}f`{^r+j7q%OSO=OAkNw`2 z=3r^5k0vGls7ZzlmZ7^i(ukqr#c5VU>rKNf;1X!*3P*?3w;O|M+S_b(lUK@KT>H8! zGy{P|SioT?9g*uiIlfwofZZr^g#$UhLa5t>^~jzlA2a)N&}s^tHU`d?C5@?GFF=X_&s_mVKy>3Tq9rpD*u)5`|;^2F57+>^@h0q}n zA4 zn_?0B-!)O4#uAJr(68T0*h&$^orkHLd~9NV6p`9$h3J+vo!v zmaVnfFE=PtRv+IT*F-&m0v~Mua(meQR5pwEZ@}wK%i>PU6j(j%r6wwa##`|wU5al9 zNvgZpMv%>`RAQ7wb6^gE=H-_`R(NKEDl!y*v(eG%1ePrAIDfMx&YYaW*O6=O5y#{d zLBKKIK}A9K1qy~MeO@zc->;Apv5{hwFMscUznL}hMK^;&Jk^;s%epO|E=&J^G}2c=URc9P?Lok#D3USB+C-n z*-=-ZDQo^cV&99#`-N_&2jT21us82eO>a^$w7ob{sIjaq0-YlQqK;gXU^X;Y`gl1}*R+s5;loa9{$23QMIFrI9IYQpdu9(eJvfSS`Z&4fsO(CRx0O=BP zYwQO>2(BDtf+;hQ;*3R50J%({@8oN($fXlPiuo~+a2r50>ZG-R;!T=V1+Ng=YQbmN z^G!Kk8Hs`|@mML`K!Z0x!*cOtJy|VI z%~ob^5O@s>vf}(p?LQ3T_R*>>?IHw|MwyVSyiSX&&Pe`@l-AY$M#mTKAIf#WtOg|rY4xt|NnxZ5m)X?iX#3zo z43(nBM^?fQaR8~n4@~y#kg3duqreT0rcfEH>g+f|;>-saZMAsPyJM`sDeXMISMkP= zemcQ|$#XzB5SWq|apwqu!Rl*W#kmMELg52Y6#|s00Du4cBZTxnFZ|b!C?NU_FoZC| zfBkrd4YAvQ{rLZ)=YOa2f3*JBR1%^6|55orn8Tm&hhpNDyWQ{=p=ko!)ReWAYLIsy F{2xzZH0%HX literal 0 HcmV?d00001 diff --git a/docs/gitbook/README.md b/docs/gitbook/README.md index e0361dd04..fae6f42f1 100644 --- a/docs/gitbook/README.md +++ b/docs/gitbook/README.md 
@@ -5,7 +5,7 @@ description: Flagger is a progressive delivery Kubernetes operator # Introduction [Flagger](https://github.com/weaveworks/flagger) is a **Kubernetes** operator that automates the promotion of -canary deployments using **Istio**, **Linkerd**, **App Mesh**, **NGINX**, **Contour** or **Gloo** routing for +canary deployments using **Istio**, **Linkerd**, **App Mesh**, **NGINX**, **Skipper**, **Contour** or **Gloo** routing for traffic shifting and **Prometheus** metrics for canary analysis. The canary analysis can be extended with webhooks for running system integration/acceptance tests, load tests, or any other custom validation. @@ -39,6 +39,7 @@ After install Flagger, you can follow one of the tutorials: * [Contour](tutorials/contour-progressive-delivery.md) * [Gloo](tutorials/gloo-progressive-delivery.md) * [NGINX Ingress](tutorials/nginx-progressive-delivery.md) +* [Skipper Ingress](tutorials/skipper-progressive-delivery.md) **Hands-on GitOps workshops** diff --git a/docs/gitbook/SUMMARY.md b/docs/gitbook/SUMMARY.md index 9f565064f..d39be4b2f 100644 --- a/docs/gitbook/SUMMARY.md +++ b/docs/gitbook/SUMMARY.md @@ -25,6 +25,7 @@ * [Linkerd Canary Deployments](tutorials/linkerd-progressive-delivery.md) * [App Mesh Canary Deployments](tutorials/appmesh-progressive-delivery.md) * [NGINX Canary Deployments](tutorials/nginx-progressive-delivery.md) +* [Skipper Canary Deployments](tutorials/skipper-progressive-delivery.md) * [Gloo Canary Deployments](tutorials/gloo-progressive-delivery.md) * [Contour Canary Deployments](tutorials/contour-progressive-delivery.md) * [Blue/Green Deployments](tutorials/kubernetes-blue-green.md) diff --git a/docs/gitbook/install/flagger-install-on-kubernetes.md b/docs/gitbook/install/flagger-install-on-kubernetes.md index 3f45eba6f..07b040d11 100644 --- a/docs/gitbook/install/flagger-install-on-kubernetes.md +++ b/docs/gitbook/install/flagger-install-on-kubernetes.md 
@@ -77,6 +77,7 @@ For ingress controllers, the install instructions are: * [Contour](https://docs.flagger.app/tutorials/contour-progressive-delivery) * [Gloo](https://docs.flagger.app/tutorials/gloo-progressive-delivery) * [NGINX](https://docs.flagger.app/tutorials/nginx-progressive-delivery) +* [Skipper](https://docs.flagger.app/tutorials/skipper-progressive-delivery) Enable **Slack** notifications: @@ -198,7 +199,7 @@ kustomize build https://github.com/weaveworks/flagger/kustomize/linkerd?ref=v1.0 **Generic installer** -Install Flagger and Prometheus for Contour, Gloo or NGINX ingress: +Install Flagger and Prometheus for Contour, Gloo, NGINX or Skipper ingress: ```bash kustomize build https://github.com/weaveworks/flagger/kustomize/kubernetes | kubectl apply -f - @@ -219,7 +220,7 @@ metadata: name: app namespace: test spec: - # can be: kubernetes, istio, linkerd, appmesh, nginx, gloo + # can be: kubernetes, istio, linkerd, appmesh, nginx, skipper, gloo # use the kubernetes provider for Blue/Green style deployments provider: nginx ``` diff --git a/docs/gitbook/tutorials/skipper-progressive-delivery.md b/docs/gitbook/tutorials/skipper-progressive-delivery.md new file mode 100644 index 000000000..c78686686 --- /dev/null +++ b/docs/gitbook/tutorials/skipper-progressive-delivery.md 
@@ -0,0 +1,383 @@
+# Skipper Canary Deployments
+
+This guide shows you how to use the [Skipper ingress controller](https://opensource.zalando.com/skipper/kubernetes/ingress-controller/) and Flagger to automate canary deployments.
+
+![Flagger Skipper Ingress Controller](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/diagrams/flagger-skipper-overview.png)
+
+## Prerequisites
+
+Flagger requires a Kubernetes cluster **v1.14** or newer and Skipper ingress **0.11.40** or newer.
+
+Install Skipper ingress-controller using [upstream definition](https://opensource.zalando.com/skipper/kubernetes/ingress-controller/#install-skipper-as-ingress-controller).
+
+Certain arguments are relevant:
+
+```yaml
+- -enable-connection-metrics
+- -histogram-metric-buckets=.01,1,10,100
+- -kubernetes
+- -kubernetes-in-cluster
+- -kubernetes-path-mode=path-prefix
+- -metrics-exp-decay-sample
+- -metrics-flavour=prometheus
+- -route-backend-metrics
+- -route-backend-error-counters
+- -route-response-metrics
+- -serve-host-metrics
+- -serve-route-metrics
+- -whitelisted-healthcheck-cidr=0.0.0.0/0 # permit Kind source health checks
+```
+
+Install Flagger using kustomize:
+
+```bash
+kustomize build https://github.com/weaveworks/flagger/kustomize/kubernetes | kubectl apply -f -
+```
+
+## Bootstrap
+
+Flagger takes a Kubernetes deployment and optionally a horizontal pod autoscaler (HPA),
+then creates a series of objects (Kubernetes deployments, ClusterIP services and canary ingress).
+These objects expose the application outside the cluster and drive the canary analysis and promotion.
+
+Create a test namespace:
+
+```bash
+kubectl create ns test
+```
+
+Create a deployment and a horizontal pod autoscaler:
+
+```bash
+kubectl apply -k github.com/weaveworks/flagger//kustomize/podinfo
+```
+
+Deploy the load testing service to generate traffic during the canary analysis:
+
+```bash
+helm upgrade -i flagger-loadtester flagger/loadtester \
+--namespace=test
+```
+
+Create an ingress definition \(replace `app.example.com` with your own domain\):
+
+```yaml
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+ name: podinfo
+ namespace: test
+ labels:
+ app: podinfo
+ annotations:
+ kubernetes.io/ingress.class: "skipper"
+spec:
+ rules:
+ - host: app.example.com
+ http:
+ paths:
+ - backend:
+ serviceName: podinfo
+ servicePort: 80
+```
+
+Save the above resource as podinfo-ingress.yaml and then apply it:
+
+```bash
+kubectl apply -f ./podinfo-ingress.yaml
+```
+
+Create a canary custom resource \(replace `app.example.com` with your own domain\):
+
+```yaml
+apiVersion: flagger.app/v1beta1
+kind: Canary
+metadata:
+ name: podinfo
+ namespace: test
+spec:
+ provider: skipper
+ # deployment reference
+ targetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: podinfo
+ # ingress reference
+ ingressRef:
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ name: podinfo
+ # HPA reference (optional)
+ autoscalerRef:
+ apiVersion: autoscaling/v2beta1
+ kind: HorizontalPodAutoscaler
+ name: podinfo
+ # the maximum time in seconds for the canary deployment
+ # to make progress before it is rollback (default 600s)
+ progressDeadlineSeconds: 60
+ service:
+ # ClusterIP port number
+ port: 80
+ # container port number or name
+ targetPort: 9898
+ analysis:
+ # schedule interval (default 60s)
+ interval: 10s
+ # max number of failed metric checks before rollback
+ threshold: 10
+ # max traffic percentage routed to canary
+ # percentage (0-100)
+ maxWeight: 50
+ # canary increment step
+ # percentage (0-100)
+ stepWeight: 5
+ # Skipper Prometheus checks
+ metrics:
+ - name: request-success-rate
+ interval: 1m
+ # minimum req success rate (non 5xx responses)
+ # percentage (0-100)
+ thresholdRange:
+ min: 99
+ - name: request-duration
+ interval: 1m
+ # maximum req duration P99
+ # milliseconds
+ thresholdRange:
+ max: 500
+ webhooks:
+ - name: gate
+ type: confirm-rollout
+ url: http://flagger-loadtester.test/gate/approve
+ - name: acceptance-test
+ type: pre-rollout
+ url: http://flagger-loadtester.test/
+ timeout: 10s
+ metadata:
+ type: bash
+ cmd: "curl -sd 'test' http://podinfo-canary/token | grep token"
+ - name: load-test
+ type: rollout
+ url: http://flagger-loadtester.test/
+ timeout: 5s
+ metadata:
+ type: cmd
+ cmd: "hey -z 10m -q 10 -c 2 -host app.example.com http://skipper-ingress.kube-system"
+ logCmdOutput: "true"
+```
+
+Save the above resource as podinfo-canary.yaml and then apply it:
+
+```bash
+kubectl apply -f ./podinfo-canary.yaml
+```
+
+After a couple of seconds Flagger will create the canary objects:
+
+```bash
+# applied
+deployment.apps/podinfo
+horizontalpodautoscaler.autoscaling/podinfo
+ingress.networking.k8s.io/podinfo-ingress
+canary.flagger.app/podinfo
+
+# generated
+deployment.apps/podinfo-primary
+horizontalpodautoscaler.autoscaling/podinfo-primary
+service/podinfo
+service/podinfo-canary
+service/podinfo-primary
+ingress.networking.k8s.io/podinfo-canary
+```
+
+## Automated canary promotion
+
+Flagger implements a control loop that gradually shifts traffic to the canary while measuring
+key performance indicators like HTTP requests success rate, requests average duration and pod health.
+Based on analysis of the KPIs a canary is promoted or aborted, and the analysis result is published to Slack or MS Teams.
+
+![Flagger Canary Stages](https://raw.githubusercontent.com/weaveworks/flagger/master/docs/diagrams/flagger-canary-steps.png)
+
+Trigger a canary deployment by updating the container image:
+
+```bash
+kubectl -n test set image deployment/podinfo \
+podinfod=stefanprodan/podinfo:4.0.6
+```
+
+Flagger detects that the deployment revision changed and starts a new rollout:
+
+```text
+kubectl -n test describe canary/podinfo
+
+Status:
+ Canary Weight: 0
+ Failed Checks: 0
+ Phase: Succeeded
+Events:
+ New revision detected! Scaling up podinfo.test
+ Waiting for podinfo.test rollout to finish: 0 of 1 updated replicas are available
+ Pre-rollout check acceptance-test passed
+ Advance podinfo.test canary weight 5
+ Advance podinfo.test canary weight 10
+ Advance podinfo.test canary weight 15
+ Advance podinfo.test canary weight 20
+ Advance podinfo.test canary weight 25
+ Advance podinfo.test canary weight 30
+ Advance podinfo.test canary weight 35
+ Advance podinfo.test canary weight 40
+ Advance podinfo.test canary weight 45
+ Advance podinfo.test canary weight 50
+ Copying podinfo.test template spec to podinfo-primary.test
+ Waiting for podinfo-primary.test rollout to finish: 1 of 2 updated replicas are available
+ Routing all traffic to primary
+ Promotion completed! Scaling down podinfo.test
+```
+
+**Note** that if you apply new changes to the deployment during the canary analysis, Flagger will restart the analysis.
+
+You can monitor all canaries with:
+
+```bash
+watch kubectl get canaries --all-namespaces
+
+NAMESPACE NAME STATUS WEIGHT LASTTRANSITIONTIME
+test podinfo-2 Progressing 30 2020-08-14T12:32:12Z
+test podinfo Succeeded 0 2020-08-14T11:23:88Z
+```
+
+## Automated rollback
+
+During the canary analysis you can generate HTTP 500 errors to test if Flagger pauses and rolls back the faulted version.
+
+Trigger another canary deployment:
+
+```bash
+kubectl -n test set image deployment/podinfo \
+podinfod=stefanprodan/podinfo:4.0.6
+```
+
+Exec into the load tester pod with:
+
+```bash
+kubectl -n test exec -it deploy/flagger-loadtester bash
+```
+
+Generate HTTP 500 errors:
+
+```bash
+hey -z 1m -c 5 -q 5 http://app.example.com/status/500
+```
+
+Generate latency:
+
+```bash
+watch -n 1 curl http://app.example.com/delay/1
+```
+
+When the number of failed checks reaches the canary analysis threshold, the traffic is routed back to the primary,
+the canary is scaled to zero and the rollout is marked as failed.
+
+```text
+kubectl -n flagger-system logs deploy/flagger -f | jq .msg
+
+"New revision detected! Scaling up podinfo.test"
+"canary deployment podinfo.test not ready: waiting for rollout to finish: 0 of 1 updated replicas are available"
+"Starting canary analysis for podinfo.test"
+"Pre-rollout check acceptance-test passed"
+"primaryWeight: 95, canaryWeight: 5"
+"Advance podinfo.test canary weight 5"
+"primaryWeight: 90, canaryWeight: 10"
+"Advance podinfo.test canary weight 10"
+"primaryWeight: 85, canaryWeight: 15"
+"Advance podinfo.test canary weight 15"
+"primaryWeight: 80, canaryWeight: 20"
+"Advance podinfo.test canary weight 20"
+"Halt podinfo.test advancement success rate 53.42% < 99%"
+"Halt podinfo.test advancement success rate 53.19% < 99%"
+"Halt podinfo.test advancement success rate 48.05% < 99%"
+"Rolling back podinfo.test failed checks threshold reached 3"
+"primaryWeight: 100, canaryWeight: 0"
+"Canary failed! Scaling down podinfo.test"
+```
+
+## Custom metrics
+
+The canary analysis can be extended with Prometheus queries.
+
+The demo app is instrumented with Prometheus so you can create a custom check that will use the
+HTTP request duration histogram to validate the canary.
+
+Create a metric template and apply it on the cluster:
+
+```yaml
+apiVersion: flagger.app/v1beta1
+kind: MetricTemplate
+metadata:
+ name: latency
+ namespace: test
+spec:
+ provider:
+ type: prometheus
+ address: http://flagger-prometheus.flagger-system:9090
+ query: |
+ histogram_quantile(0.99,
+ sum(
+ rate(
+ skipper_serve_route_duration_seconds_bucket{
+ route=~"{{ printf "kube(ew)?_%s__%s_canary__.*__%s_canary(_[0-9]+)?" namespace ingress service }}",
+ le="+Inf"
+ }[1m]
+ )
+ ) by (le)
+ )
+```
+
+Edit the canary analysis and add the latency check:
+
+```yaml
+ analysis:
+ metrics:
+ - name: "latency"
+ templateRef:
+ name: latency
+ thresholdRange:
+ max: 0.5
+ interval: 1m
+```
+
+The threshold is set to 500ms so if the average request duration in the last minute goes over half a second
+then the analysis will fail and the canary will not be promoted.
+
+Trigger a canary deployment by updating the container image:
+
+```bash
+kubectl -n test set image deployment/podinfo \
+podinfod=stefanprodan/podinfo:4.0.6
+```
+
+Generate high response latency:
+
+```bash
+watch curl http://app.exmaple.com/delay/2
+```
+
+Watch Flagger logs:
+
+```text
+kubectl -n flagger-system logs deployment/flagger -f | jq .msg
+
+Starting canary deployment for podinfo.test
+Advance podinfo.test canary weight 5
+Advance podinfo.test canary weight 10
+Advance podinfo.test canary weight 15
+Halt podinfo.test advancement latency 1.20 > 0.5
+Halt podinfo.test advancement latency 1.45 > 0.5
+Halt podinfo.test advancement latency 1.60 > 0.5
+Halt podinfo.test advancement latency 1.69 > 0.5
+Halt podinfo.test advancement latency 1.70 > 0.5
+Rolling back podinfo.test failed checks threshold reached 5
+Canary failed! Scaling down podinfo.test
+```
+
+If you have alerting configured, Flagger will send a notification with the reason why the canary failed.
diff --git a/docs/gitbook/usage/deployment-strategies.md b/docs/gitbook/usage/deployment-strategies.md
index 4033d3cdb..80af73486 100644
--- a/docs/gitbook/usage/deployment-strategies.md +++ b/docs/gitbook/usage/deployment-strategies.md @@ -2,7 +2,7 @@ Flagger can run automated application analysis, promotion and rollback for the following deployment strategies: * **Canary Release** (progressive traffic shifting) - * Istio, Linkerd, App Mesh, NGINX, Contour, Gloo + * Istio, Linkerd, App Mesh, NGINX, Skipper, Contour, Gloo * **A/B Testing** (HTTP headers and cookies traffic routing) * Istio, App Mesh, NGINX, Contour * **Blue/Green** (traffic switching) diff --git a/kustomize/README.md b/kustomize/README.md index a1298dffe..b50b9007b 100644 --- a/kustomize/README.md +++ b/kustomize/README.md @@ -67,12 +67,12 @@ metadata: name: app namespace: test spec: - # can be: kubernetes, istio, linkerd, appmesh, nginx, gloo + # can be: kubernetes, istio, linkerd, appmesh, nginx, skipper, gloo # use the kubernetes provider for Blue/Green style deployments provider: nginx ``` -You'll need Prometheus when using Flagger with AWS App Mesh, Gloo or NGINX ingress controller. +You'll need Prometheus when using Flagger with AWS App Mesh, Gloo, NGINX or Skipper ingress controller. The Prometheus instance has a two hours data retention and is configured to scrape all pods in your cluster that have the `prometheus.io/scrape: "true"` annotation. diff --git a/test/README.md b/test/README.md index 2ac3292a9..cff6cd0ff 100644 --- a/test/README.md +++ b/test/README.md 
@@ -68,5 +68,4 @@ The e2e testing infrastructure is powered by CircleCI and [Kubernetes Kind](http * deploy the demo workload (podinfo) and ingress in the test namespace [e2e-skipper-tests.sh](e2e-skipper-tests.sh) * test the canary initialization [e2e-skipper-tests.sh](e2e-skipper-tests.sh) * test the canary analysis and promotion using weighted traffic and the load testing webhook [e2e-skipper-tests.sh]e2e-skipper-tests.sh) -* test the A/B testing analysis and promotion using header filters and pre/post rollout webhooks [e2e-skipper-tests.sh]e2e-skipper-tests.sh) * cleanup test environment [e2e-skipper-cleanup.sh](e2e-skipper-cleanup.sh) diff --git a/test/local/e2e-skipper.sh b/test/local/e2e-skipper.sh new file mode 100755 index 000000000..0e98d6d0b --- /dev/null +++ b/test/local/e2e-skipper.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env bash + +# This script is intended for local workstation development convenience. +# It will run the e2e tests for Skipper and leave a working setup to play with + +REPO_ROOT=$(git rev-parse --show-toplevel) +cd $REPO_ROOT + +make test +make build +docker tag weaveworks/flagger:latest test/flagger:latest +make loadtester-build +(kind get clusters && kubectl delete ns/test --force) || kind create cluster --wait 5m --image kindest/node:v1.16.9 +./test/e2e-skipper.sh +# port forward prometheus UI to localhost:9090 +kubectl port-forward $(kubectl get pods -l=app=flagger-prometheus -o name -n flagger-system | head -n 1) 9090:9090 -n flagger-system & + +./test/e2e-skipper-tests.sh diff --git a/test/skipper/kustomization.yaml b/test/skipper/kustomization.yaml index 2417e7f7c..9fb1e64da 100644 --- a/test/skipper/kustomization.yaml +++ b/test/skipper/kustomization.yaml @@ -32,7 +32,7 @@ patches: $patch: delete containers: - name: skipper-ingress - image: registry.opensource.zalan.do/pathfinder/skipper:latest + image: registry.opensource.zalan.do/pathfinder/skipper:v0.11.141 ports: - name: metrics-port containerPort: 9911 
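Review bot: In the new test/local/e2e-skipper.sh, `kubectl delete ns/test --force` inside `(kind get clusters && kubectl delete ns/test --force) || kind create cluster ...` runs against whatever kubeconfig context is current, and nothing in the script checks that this context is the kind cluster. On a workstation whose current context points at a shared cluster, that force-deletes its `test` namespace. I would name the context explicitly, e.g. `kubectl --context kind-kind delete ns/test --force` (assuming the default kind cluster name), and do the same for the later `kubectl port-forward`. The script also lacks `set -euo pipefail` after the shebang and leaves `cd $REPO_ROOT` unquoted, so a failed `make test` or `make build` does not stop the run before the image is tagged and deployed.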
diff --git a/test/skipper/patch.yaml b/test/skipper/patch.yaml index fa89e85a7..7bb6bbc59 100644 --- a/test/skipper/patch.yaml +++ b/test/skipper/patch.yaml @@ -9,5 +9,5 @@ spec: - name: flagger args: - -log-level=debug - - -mesh-provider=kubernetes + - -mesh-provider=skipper - -metrics-server=http://flagger-prometheus:9090