diff --git a/chart/flux/README.md b/chart/flux/README.md index 9e3a97070..63150a398 100755 --- a/chart/flux/README.md +++ b/chart/flux/README.md @@ -37,11 +37,13 @@ until it can find one. ## Installation We put together a simple [Get Started -tutorial](https://docs.fluxcd.io/en/latest/tutorials/get-started-helm.html) which takes about 5-10 minutes to follow. +tutorial](https://docs.fluxcd.io/en/stable/tutorials/get-started-helm.html) which takes about 5-10 minutes to follow. You will have a fully working Flux installation deploying workloads to your cluster. ## Installing Flux using Helm +The [configuration](#configuration) section lists all the parameters that can be configured during installation. + ### Installing the Chart Add the Flux repo: 
@@ -50,28 +52,37 @@ Add the Flux repo: helm repo add fluxcd https://charts.fluxcd.io ``` -#### To install the chart with the release name `flux` +#### Install the chart with the release name `flux` -Replace `fluxcd/flux-get-started` with your own git repository and run helm install: +1. Replace `fluxcd/flux-get-started` with your own git repository and run helm install: -```sh -$ helm install --name flux \ ---set git.url=git@github.com:fluxcd/flux-get-started \ ---namespace flux \ -fluxcd/flux -``` + ```sh + helm install --name flux \ + --set git.url=git@github.com:fluxcd/flux-get-started \ + --namespace flux \ + fluxcd/flux + ``` -#### To connect Flux to a Weave Cloud instance: +1. Setup Git deploy -```sh -helm install --name flux \ ---set git.url=git@github.com:fluxcd/flux-get-started \ ---set token=YOUR_WEAVE_CLOUD_SERVICE_TOKEN \ ---namespace flux \ -fluxcd/flux -``` + > **Note:** this not required when [using git over HTTPS](#flux-with-git-over-https). + + At startup Flux generates a SSH key and logs the public key. Find the + SSH public key by installing [fluxctl](https://docs.fluxcd.io/en/stable/references/fluxctl.html) + and running: -#### To install Flux with the Helm operator: + ```sh + fluxctl identity --k8s-fwd-ns flux + ``` + + In order to sync your cluster state with GitHub you need to copy the + public key and create a deploy key with access on your GitHub + repository. Go to _Settings > Deploy keys_ click on _Add deploy key_, + paste the Flux public key and click _Add key_. If you want Flux to + have write access to your repo, check _Allow write access_; if you + have set `git.readonly=true`, you can leave this box unchecked. + +#### Install Flux with the Helm operator Apply the Helm Release CRD: 
@@ -82,7 +93,7 @@ kubectl apply -f https://raw.githubusercontent.com/fluxcd/flux/helm-0.10.1/deplo Install Flux with Helm: ```sh -$ helm install --name flux \ +helm install --name flux \ --set git.url=git@github.com:fluxcd/flux-get-started \ --set helmOperator.create=true \ --set helmOperator.createCRD=false \ 
@@ -90,7 +101,39 @@ $ helm install --name flux \ fluxcd/flux ``` -#### To install Flux with a private git host: +#### Flux with git over HTTPS + +By setting the `env.secretName`, all key/value pairs in this secret will +be defined in the Flux container as environment variables. This can be +utilized in combination with Kubernetes feature of [using environment +variables inside of your config](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config) +to securely provide the HTTPS credentials which then can be used in the +`git.url`. + +1. Create a personal access token to be used as the `GIT_AUTHKEY`: + + - [GitHub](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) + - [GitLab](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#creating-a-personal-access-token) + - [BitBucket](https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html) + +1. Create a secret with your `GIT_AUTHUSER` (the username the token belongs + to) and the `GIT_AUTHKEY` you created in the first step: + + ```sh + kubectl create secret generic flux-git-auth --from-literal=GIT_AUTHUSER= --from-literal=GIT_AUTHKEY= + ``` + +1. Install Flux: + + ```sh + helm install --name flux \ + --set git.url='https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com:fluxcd/flux-get-started.git' \ + --set env.secretName=flux-git-auth \ + --namespace flux \ + fluxcd/flux + ``` + +#### Flux with a private git host When using a private git host, setting the `ssh.known_hosts` variable is required for enabling successful key matches because `StrictHostKeyChecking` 
@@ -100,73 +143,61 @@ By setting the `ssh.known_hosts` variable, a configmap will be created called `flux-ssh-config` which in turn will be mounted into a volume named `sshdir` at `/root/.ssh/known_hosts`. -* Get the `ssh.known_hosts` keys by running the following command: +1. Get the `ssh.known_hosts` keys by running the following command: -```sh -ssh-keyscan -``` + ```sh + ssh-keyscan + ``` -To prevent a potential man-in-the-middle attack, one should -verify the ssh keys acquired through the `ssh-keyscan` match expectations -using an alternate mechanism. - -* Start Flux and Flux helm operator: - - - Using a string for setting `known_hosts` - - ```sh - YOUR_GIT_HOST=your_git_host.example.com - YOUR_GIT_USER=your_git_user - KNOWN_HOSTS='domain ssh-rsa line1 - domain ecdsa-sha2-line2 - domain ssh-ed25519 line3' - - helm install \ - --name flux \ - --set helmOperator.create=true \ - --set helmOperator.createCRD=false \ - --set git.url="git@${YOUR_GIT_HOST}:${YOUR_GIT_USER}/flux-get-started" \ - --set-string ssh.known_hosts="${KNOWN_HOSTS}" \ - --namespace flux \ - chart/flux - ``` - - - Using a file for setting `known_hosts` - - Copy known_hosts keys into a temporary file `/tmp/flux_known_hosts` - - ```sh - YOUR_GIT_HOST=your_git_host.example.com - YOUR_GIT_USER=your_git_user - - helm install \ - --name flux \ - --set helmOperator.create=true \ - --set helmOperator.createCRD=false \ - --set git.url="git@${YOUR_GIT_HOST}:${YOUR_GIT_USER}/flux-get-started" \ - --set-file ssh.known_hosts=/tmp/flux_known_hosts \ - --namespace flux \ - chart/flux - ``` + To prevent a potential man-in-the-middle attack, one should + verify the ssh keys acquired through the `ssh-keyscan` match expectations + using an alternate mechanism. -The [configuration](#configuration) section lists all the parameters that can be configured during installation. +1. 
Install Flux: + + - Using a string for setting `known_hosts` -#### Setup Git deploy + ```sh + YOUR_GIT_HOST=your_git_host.example.com + YOUR_GIT_USER=your_git_user + KNOWN_HOSTS='domain ssh-rsa line1 + domain ecdsa-sha2-line2 + domain ssh-ed25519 line3' -At startup Flux generates a SSH key and logs the public key. -Find the SSH public key by installing [fluxctl](https://docs.fluxcd.io/en/latest/references/fluxctl.html) and -running: + helm install \ + --name flux \ + --set git.url="git@${YOUR_GIT_HOST}:${YOUR_GIT_USER}/flux-get-started" \ + --set-string ssh.known_hosts="${KNOWN_HOSTS}" \ + --namespace flux \ + chart/flux + ``` + + - Using a file for setting `known_hosts` + + Copy `known_hosts` keys into a temporary file `/tmp/flux_known_hosts` + + ```sh + YOUR_GIT_HOST=your_git_host.example.com + YOUR_GIT_USER=your_git_user + + helm install \ + --name flux \ + --set git.url="git@${YOUR_GIT_HOST}:${YOUR_GIT_USER}/flux-get-started" \ + --set-file ssh.known_hosts=/tmp/flux_known_hosts \ + --namespace flux \ + chart/flux + ``` + +#### Connect Flux to a Weave Cloud instance ```sh -fluxctl identity --k8s-fwd-ns flux +helm install --name flux \ +--set git.url=git@github.com:fluxcd/flux-get-started \ +--set token=YOUR_WEAVE_CLOUD_SERVICE_TOKEN \ +--namespace flux \ +fluxcd/flux ``` -In order to sync your cluster state with GitHub you need to copy the -public key and create a deploy key with access on your GitHub -repository. Go to _Settings > Deploy keys_ click on _Add deploy key_, -paste the Flux public key and click _Add key_. If you want Flux to -have write access to your repo, check _Allow write access_; if you -have set `git.readonly=true`, you can leave this box unchecked. ### Uninstalling the Chart 
@@ -203,6 +234,7 @@ The following tables lists the configurable parameters of the Flux chart and the | `dnsConfig` | `` | Pod DNS config | `token` | `None` | Weave Cloud service token | `extraEnvs` | `[]` | Extra environment variables for the Flux pod(s) +| `env.secretName` | `` | Name of the secret that contains environment variables which should be defined in the Flux container (using `envFrom`) | `rbac.create` | `true` | If `true`, create and use RBAC resources | `rbac.pspEnabled` | `false` | If `true`, create and use a restricted pod security policy for Flux pod(s) | `serviceAccount.create` | `true` | If `true`, create a new service account @@ -304,7 +336,7 @@ The following tables lists the configurable parameters of the Flux chart and the Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example: ```sh -$ helm upgrade --install --wait flux \ +helm upgrade --install --wait flux \ --set git.url=git@github.com:stefanprodan/k8s-podinfo \ --set git.path="deploy/auto-scaling\,deploy/local-storage" \ --namespace flux \ diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml index 9320fd8e6..df9b25fcf 100644 --- a/chart/flux/templates/deployment.yaml +++ b/chart/flux/templates/deployment.yaml @@ -168,6 +168,11 @@ spec: {{- if .Values.extraEnvs }} {{ toYaml .Values.extraEnvs | indent 10 }} {{- end }} + {{- if .Values.env.secretName }} + envFrom: + - secretRef: + name: {{ .Values.env.secretName }} + {{- end }} args: {{- if not .Values.clusterRole.create }} - --k8s-allow-namespace={{ .Release.Namespace }} diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml index 58d5b48d3..ddc268f74 100644 --- a/chart/flux/values.yaml +++ b/chart/flux/values.yaml 
@@ -176,11 +176,13 @@ git: pollInterval: "5m" # Duration after which git operations time out timeout: "20s" - # generate a SSH key named identity: ssh-keygen -q -N "" -f ./identity - # create a Kubernetes secret: kubectl -n flux create secret generic flux-ssh --from-file=./identity - # delete the private key: rm ./identity - # add ./identity.pub as a deployment key with write access in your Git repo - # set the secret name (flux-ssh) below + # The secret name can be used to supply your own SSH key, instead of + # relying on Flux to generate one for you: + # 1. Generate a SSH key named identity: ssh-keygen -q -N "" -f ./identity + # 2. Create a Kubernetes secret: kubectl -n flux create secret generic flux-ssh --from-file=./identity + # 3. Delete the private key: rm ./identity + # 4. Add ./identity.pub as a deployment key with write access in your Git repo + # 5. Set the secret name (flux-ssh) below secretName: "" # Global Git configuration See https://git-scm.com/docs/git-config for more details. config: @@ -275,6 +277,12 @@ kube: # additionalArgs: # - --connect=ws://fluxcloud +# The contents of the secret will be defined as environment variables +# in the Flux container. Once defined, you can use the variables in your +# `git.url`: `https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/fluxcd/flux-get-started.git` +env: + secretName: "" + # Additional environment variables to set extraEnvs: [] # extraEnvs: diff --git a/cmd/fluxd/main.go b/cmd/fluxd/main.go index 9fdea0e30..564b6a92f 100644 --- a/cmd/fluxd/main.go +++ b/cmd/fluxd/main.go @@ -6,6 +6,7 @@ import ( "io/ioutil" "net/http" _ "net/http/pprof" + "net/url" "os" "os/exec" "os/signal" 
@@ -319,7 +320,13 @@ func main() { } } - if *sshKeygenDir == "" { + // Used to determine if we need to generate a SSH key and setup a keyring + var httpGitURL bool + if pURL, err := url.Parse(*gitURL); err == nil { + httpGitURL = pURL.Scheme == "http" || pURL.Scheme == "https" + } + + if *sshKeygenDir == "" && !httpGitURL { logger.Log("info", fmt.Sprintf("SSH keygen dir (--ssh-keygen-dir) not provided, so using the deploy key volume (--k8s-secret-volume-mount-path=%s); this may cause problems if the deploy key volume is mounted read-only", *k8sSecretVolumeMountPath)) *sshKeygenDir = *k8sSecretVolumeMountPath } @@ -430,7 +437,7 @@ func main() { } clusterVersion = "kubernetes-" + serverVersion.GitVersion - if *k8sInCluster { + if *k8sInCluster && !httpGitURL { namespace, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace") if err != nil { logger.Log("err", err) @@ -621,7 +628,7 @@ func main() { } logger.Log( - "url", *gitURL, + "url", gitRemote.SafeURL(), "user", *gitUser, "email", *gitEmail, "signing-key", *gitSigningKey, diff --git a/deploy/flux-deployment.yaml b/deploy/flux-deployment.yaml index dfb01ab07..f9a0fe478 100644 --- a/deploy/flux-deployment.yaml +++ b/deploy/flux-deployment.yaml @@ -115,6 +115,13 @@ spec: # mountPath: /root/gpg-import # readOnly: true + # Include this if you want to supply HTTP basic auth credentials for git + # via the `GIT_AUTHUSER` and `GIT_AUTHKEY` environment variables using a + # secret. + # envFrom: + # - secretRef: + # name: flux-git-auth + args: # If you deployed memcached in a different namespace to flux, 
@@ -131,9 +138,11 @@ spec: - --ssh-keygen-dir=/var/fluxd/keygen # Replace the following URL to change the Git repository used by Flux. + # HTTP basic auth credentials can be supplied using environment variables: + # https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/user/repository.git - --git-url=git@github.com:fluxcd/flux-get-started - --git-branch=master - # include this if you want to restrict the manifests considered by flux + # Include this if you want to restrict the manifests considered by flux # to those under the following relative paths in the git repository # - --git-path=subdir1,subdir2 diff --git a/docs/guides/index.rst b/docs/guides/index.rst index 00f15501d..b2eb4b454 100644 --- a/docs/guides/index.rst +++ b/docs/guides/index.rst @@ -8,5 +8,6 @@ Guides :maxdepth: 1 provide-own-ssh-key + use-git-over-https use-private-git-host upgrading-to-1.0 diff --git a/docs/guides/use-git-https.md b/docs/guides/use-git-https.md new file mode 100644 index 000000000..1d09af4e9 --- /dev/null +++ b/docs/guides/use-git-https.md 
@@ -0,0 +1,61 @@ +# Using Git over HTTPS + +Instead of making use of Flux' capabilities to generate an SSH private +key, or [supplying your own](provide-own-ssh-key.md), it is possible to +set environment variables and use these in your `--git-url` argument to +provide your HTTPS basic auth credentials without having to expose them +as a plain value in your workload. + +> **Note:** setting an HTTP(S) URL as `--git-url` will disable the +> generation of a private key and prevent the setup of the SSH keyring. + +> **Note:** the variables _must be escaped with `$()`_ for Kubernetes +> to pass the values to the Flux container, e.g. `$(GIT_AUTHKEY)`. +> [Read more about this Kubernetes feature](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/#using-environment-variables-inside-of-your-config). + +1. Create a personal access token to be used as the `GIT_AUTHKEY`: + + - [GitHub](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) + - [GitLab](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#creating-a-personal-access-token) + - [BitBucket](https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html) + +1. Create a Kubernetes secret with two environment variables and their + respective values (replace `` and ``): + + ```sh + kubectl create secret generic flux-git-auth --from-literal=GIT_AUTHUSER= --from-literal=GIT_AUTHKEY= + ``` + + this will result in a secret that has the structure: + + ```yaml + apiVersion: v1 + data: + GIT_AUTHKEY: + GIT_AUTHUSER: + kind: Secret + type: Opaque + metadata: + ... + ``` + +1. Mount the Kubernetes secret as environment variables using `envFrom` + and use them in your `--git-url` argument: + + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: flux + ... 
+ spec: + containers: + - name: flux + envFrom: + - secretRef: + name: flux-git-auth + args: + # Replace `github.com/...` with your git repository + - --git-url=https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/fluxcd/flux-get-started.git + ... + ``` diff --git a/go.mod b/go.mod index e124f91d1..b54eed5d8 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,6 @@ require ( github.com/imdario/mergo v0.3.7 github.com/instrumenta/kubeval v0.0.0-20190804145309-805845b47dfc github.com/justinbarrick/go-k8s-portforward v1.0.4-0.20190722134107-d79fe1b9d79d - github.com/modern-go/reflect2 v1.0.1 // indirect github.com/opencontainers/go-digest v1.0.0-rc1 github.com/opentracing-contrib/go-stdlib v0.0.0-20190519235532-cf7a6c988dc9 // indirect github.com/pkg/errors v0.8.1 diff --git a/pkg/daemon/daemon.go b/pkg/daemon/daemon.go index d05a8ca32..5a385fac3 100644 --- a/pkg/daemon/daemon.go +++ b/pkg/daemon/daemon.go @@ -542,7 +542,7 @@ func (d *Daemon) NotifyChange(ctx context.Context, change v9.Change) error { switch change.Kind { case v9.GitChange: gitUpdate := change.Source.(v9.GitUpdate) - if gitUpdate.URL != d.Repo.Origin().URL && gitUpdate.Branch != d.GitConfig.Branch { + if d.Repo.Origin().Equivalent(gitUpdate.URL) && gitUpdate.Branch != d.GitConfig.Branch { // It isn't strictly an _error_ to be notified about a repo/branch pair // that isn't ours, but it's worth logging anyway for debugging. d.Logger.Log("msg", "notified about unrelated change", diff --git a/pkg/daemon/loop.go b/pkg/daemon/loop.go index 3a6dfe692..b936b8904 100644 --- a/pkg/daemon/loop.go +++ b/pkg/daemon/loop.go 
@@ -116,14 +116,14 @@ func (d *Daemon) Loop(stop chan struct{}, wg *sync.WaitGroup, logger log.Logger) cancel() if err != nil { - logger.Log("url", d.Repo.Origin().URL, "err", err) + logger.Log("url", d.Repo.Origin().SafeURL(), "err", err) continue } if invalidCommit.Revision != "" { logger.Log("err", "found invalid GPG signature for commit", "revision", invalidCommit.Revision, "key", invalidCommit.Signature.Key) } - logger.Log("event", "refreshed", "url", d.Repo.Origin().URL, "branch", d.GitConfig.Branch, "HEAD", newSyncHead) + logger.Log("event", "refreshed", "url", d.Repo.Origin().SafeURL(), "branch", d.GitConfig.Branch, "HEAD", newSyncHead) if newSyncHead != syncHead { syncHead = newSyncHead d.AskForSync() diff --git a/pkg/git/url.go b/pkg/git/url.go index d59cafd4f..01b503bfc 100644 --- a/pkg/git/url.go +++ b/pkg/git/url.go @@ -3,6 +3,7 @@ package git import ( "fmt" "net/url" + "strings" "github.com/whilp/git-urls" ) @@ -22,3 +23,20 @@ func (r Remote) SafeURL() string { } return u.String() } + +// Equivalent compares the given URL with the remote URL without taking +// protocols or `.git` suffixes into account. +func (r Remote) Equivalent(u string) bool { + lu, err := giturls.Parse(r.URL) + if err != nil { + return false + } + ru, err := giturls.Parse(u) + if err != nil { + return false + } + trimPath := func(p string) string { + return strings.TrimSuffix(strings.TrimPrefix(p, "/"), ".git") + } + return lu.Host == ru.Host && trimPath(lu.Path) == trimPath(ru.Path) +} diff --git a/pkg/git/url_test.go b/pkg/git/url_test.go index 24510d65c..a2fb2ccb0 100644 --- a/pkg/git/url_test.go +++ b/pkg/git/url_test.go @@ -1,6 +1,7 @@ package git import ( + "github.com/stretchr/testify/assert" "strings" "testing" ) 
@@ -18,3 +19,21 @@ func TestSafeURL(t *testing.T) { } } } + +func TestEquivalent(t *testing.T) { + urls := []struct { + remote string + equivalent string + equal bool + }{ + {"git@github.com:fluxcd/flux", "ssh://git@github.com/fluxcd/flux.git", true}, + {"https://git@github.com/fluxcd/flux.git", "ssh://git@github.com/fluxcd/flux.git", true}, + {"https://github.com/fluxcd/flux.git", "git@github.com:fluxcd/flux.git", true}, + {"https://github.com/fluxcd/flux.git", "https://github.com/fluxcd/helm-operator.git", false}, + } + + for _, u := range urls { + r := Remote{u.remote} + assert.Equal(t, u.equal, r.Equivalent(u.equivalent)) + } +} diff --git a/pkg/install/generated_templates.gogen.go b/pkg/install/generated_templates.gogen.go index 5020d4a53..2fdc44f3f 100644 --- a/pkg/install/generated_templates.gogen.go +++ b/pkg/install/generated_templates.gogen.go 
@@ -31,9 +31,9 @@ var templates = func() http.FileSystem { "/flux-deployment.yaml.tmpl": &vfsgen۰CompressedFileInfo{ name: "flux-deployment.yaml.tmpl", modTime: time.Date(1970, 1, 1, 0, 0, 0, 0, time.UTC), - uncompressedSize: 6452, + uncompressedSize: 6872, - compressedContent: []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xd4\x58\x5f\x6f\x1b\xb9\x11\x7f\xf7\xa7\x18\x28\x0f\x49\x00\x69\x65\xc7\xb9\x43\xb1\x57\x1f\x90\x4b\x2e\x6e\x9a\x8b\x63\xc4\x4d\x8b\x3e\x35\x14\x77\xa4\x25\xc4\x25\xb7\x1c\x52\x3a\xc1\xb8\xef\x5e\x0c\xb9\x7f\xb8\x96\x9c\x1c\xf2\xd6\x3c\xc4\x36\x77\xfe\x0f\xf9\x9b\x1f\xb9\x58\x2c\xce\x44\xab\xfe\x89\x8e\x94\x35\x25\x88\xb6\xa5\xe5\xee\xe2\x6c\xab\x4c\x55\xc2\x1b\x6c\xb5\x3d\x34\x68\xfc\x59\x83\x5e\x54\xc2\x8b\xf2\x0c\xc0\x88\x06\x4b\x58\xeb\xf0\xfb\xfd\x3d\xa8\x35\x14\x37\xa2\x41\x6a\x85\x44\xf8\xe3\x8f\xee\x7b\xfc\xb3\x84\xfb\xfb\xe9\xd7\xfb\x7b\x40\x53\xb1\x18\xb5\x28\xd9\x98\xc3\x56\x2b\x29\xa8\x84\x8b\x33\x00\x42\x8d\xd2\x5b\xc7\x5f\x00\x1a\xe1\x65\xfd\x9b\x58\xa1\xa6\xb4\x90\xfb\x66\x69\xef\x84\xc7\xcd\x21\x7d\xf4\x87\x16\x4b\xf8\x84\xd2\xa1\xf0\x78\x06\xe0\xb1\x69\xb5\xf0\xd8\x19\xcb\x32\xe0\x7f\xc2\x18\xeb\x85\x57\xd6\x0c\xc6\x01\x5a\x67\x1b\xf4\x35\x06\x2a\x94\x5d\xb6\xd6\xf9\x12\x66\x97\xe7\x97\x17\x33\x78\x02\x1e\xb5\xce\x24\xc0\x5b\x20\xe9\x44\x8b\xb0\x6c\xd0\x3b\x25\x89\x93\x6b\xad\x32\xfe\x29\x01\x2b\x17\x9d\x61\x3d\xc9\xe1\x41\x16\x00\x7d\x2d\xe2\xef\xe8\x76\x4a\xe2\x2b\x29\x6d\x30\xfe\x66\x2a\x08\xb0\xb3\x3a\x34\x38\x98\x5a\x74\xa6\x36\xca\x2f\xb6\x78\x18\x1c\x10\x57\xc1\x8f\x0e\xfb\x95\xd1\xde\x82\x55\xaa\xd8\xe0\x4c\xaa\xc2\xb5\x08\xda\x7f\xb0\x15\x96\x70\xfe\xf2\xfc\x1c\x9e\xc0\xbe\x46\x03\x0d\x47\x83\x15\x38\x14\xd5\xc2\x1a\x7d\x98\xc3\x1e\x61\x6f\xcd\x53\x0f\x2b\x04\xb1\xd2\xc8\xf5\x90\x75\x63\xab\xb3\xce\xe0\x13\xf8\x47\xad\x08\x14\x81\x00\xdf\xb4\x6b\x82\x40\x58\xc1\xda\x3a\xd8\xa0\x41\x27\xbc\x32\x1b\xb8\xbb\xfb\x1b\x6c\xf1\x40\x05\xbc\x33\xf0\xfe\x2f\x04\x3f\x5f\xc1\x45\x71\x71\x3e\x1f\xac\xf4\xbe\x53\x0a\x04\xc2\x61\x1e\
x07\x59\x0e\xc5\x20\x56\x20\x80\xb0\x15\xbc\x29\xba\x42\xc1\x1e\x07\x33\x52\x18\xd8\x3b\xe5\x39\xd0\xe2\x74\xfd\x36\x68\x86\x62\x60\xd3\xfa\xc3\x1b\xe5\xf2\x22\x36\x58\xa9\xd0\x94\xf0\x01\x1b\xeb\x0e\x79\x9e\x08\x6b\xab\xb5\xdd\x73\x46\x9d\x6b\x45\x31\xd5\x40\xbc\x26\x40\x06\xf2\xb6\x51\x5c\x81\xad\xb1\x7b\xf3\x9f\xda\x92\xa7\xc1\xc4\x5a\x69\x9c\xc3\xbe\x56\xb2\x86\x83\x0d\xb0\x57\x5a\xa7\xa4\xbc\x85\xca\xf2\x39\xe3\x65\x56\xe2\x5f\x1c\xd8\xbd\xe1\xb0\x07\x03\x0e\x5b\x0b\x4e\xf8\x1a\x1d\xf8\x5a\x98\xce\xf1\x46\xf9\x3a\xac\xc0\xf2\x22\x82\x56\x5b\x2c\xe0\xdf\x36\x3c\xd5\x1a\x84\x26\xdb\xbb\x98\x16\x1b\x94\x07\x65\xbc\x8d\x3a\xd2\x1a\x2f\x94\x41\x37\x87\x15\x6a\xbb\x2f\xe0\x0e\xc7\xaa\xd6\xde\xb7\x54\x2e\x97\x95\x95\x54\xf0\xc6\x92\x15\x1f\x1d\x34\x4b\x3e\x7a\xe4\x97\x9b\xa0\x2a\xa4\x65\x20\x5c\xb4\x4e\xed\x84\xc7\xb8\xf5\x38\x91\xa2\xf6\x8d\x1e\x2c\xf5\xbd\x20\xaa\x17\xd2\x9a\xb5\xda\x0c\x9f\x00\xd2\xc2\x07\xd1\x96\xd9\x62\x7e\x90\x16\x99\xda\xf7\xf6\xa5\xd8\x86\x15\x2e\x93\x91\x71\xfb\x7d\xb3\x27\x7b\x45\x35\xaf\xd4\x62\x87\x20\xa0\x52\xeb\x35\x3a\x06\xcd\xde\x42\x77\xaa\x46\x60\x8c\x2d\x48\xe6\xf2\x26\x30\xb8\xec\x54\x85\x7d\xd9\xd7\x6a\xd3\x88\x76\x0c\x44\xf9\x1a\x84\x01\x34\xde\x1d\x62\x0e\x5f\x92\xd0\x97\x39\x08\x53\x41\x30\xd2\x36\x8c\xd6\x51\x3f\x65\xfb\x21\xb6\x53\x98\x6a\xb0\x82\x66\x17\x2d\x28\xa4\xae\x9f\x47\x1d\xe0\x32\x7c\x47\x07\x32\xb5\x6f\x76\x20\x22\x81\xb7\xa0\x1a\xc6\x49\xb8\xbe\xbd\x8e\x20\x00\xcf\x38\x2d\x52\x1b\xa3\xcc\xe8\x9c\x93\xdb\xa1\x53\x6b\x25\x23\x60\x43\x1b\x5c\x6b\x09\xe9\xf9\x9f\x28\xe4\x60\x25\xc1\x47\xaa\x22\x17\x88\xfd\xfd\x89\xc2\x81\x70\x9b\xf1\x98\x3e\x52\xb1\x4d\xbb\x61\xfc\xa0\xac\x34\x53\x08\x7e\xf2\x08\x08\x1f\xeb\x9d\x00\xe1\xbe\x9c\xc3\x49\x3c\xc2\xff\x6c\x42\x74\x55\x77\x18\x71\xd2\x58\x98\x95\xe9\x24\xce\x40\x35\x62\x83\x69\xf7\xb3\x42\x01\x6f\x95\xa9\x62\xce\x0d\xc3\x8a\x43\x39\xee\xda\x04\x29\x1a\x05\x21\x83\x47\x54\xe5\x26\x30\x4f\x00\xe1\x87\x73\x5f\x87\x55\x51\x59\xb9\x45\x57\x48\xdb\x2c\xdd\x32\x61\x40\xfc\xb1\xf4\
x62\x28\x5d\xdf\x47\x9e\xf7\xcc\x05\xd8\xab\x17\x1b\xe0\x48\x8b\x41\x26\xba\x29\xa1\x33\xa8\x6c\x6e\xad\xbc\x28\x2e\x5e\x16\x2f\xa6\xb2\xb7\x41\xeb\x5b\xab\x95\x3c\x94\xf0\x6e\x7d\x63\xfd\xad\x43\xca\xb3\x70\x48\x36\x38\x89\x94\xe3\xb8\xc3\xff\x06\x24\x3f\x59\x03\x90\x6d\x28\xe1\x87\xf3\x66\xb2\xd8\x44\xa8\x2f\xe1\xc7\x97\x1f\xd4\x48\x13\xac\xcb\x95\x17\x63\x67\x6e\x23\x65\xb8\x3c\xbf\xe4\xc9\xa9\xcc\xda\xba\x26\x6e\x59\xa1\x07\x69\xad\x76\x68\x90\xe8\xd6\xd9\x15\xe6\x11\x70\x49\xaf\xa7\x53\x3b\xb9\x4a\x06\xa7\xcb\xc2\xd7\x25\x2c\x45\xab\x52\xa5\x77\x3f\x2e\x55\x85\xc6\x2b\x7f\x28\xda\xb0\xca\x64\x95\x51\x5e\x09\xfd\x06\xb5\x38\xdc\xf1\xf9\xac\xa8\x84\x1f\x32\x01\xaf\x1a\xb4\xc1\x9f\xf8\xc6\x43\x56\xfd\x7f\x84\x9a\x1d\xda\x49\x63\x4e\xd3\x23\x48\x63\xee\x36\x45\x86\x5e\xc6\xc8\xaa\x25\x51\xcd\x3c\xcf\x26\xe6\x09\xda\x76\x78\xb3\xe1\x96\x81\x32\x69\xcf\x3d\xa5\xa4\x43\x54\x2f\x27\x30\xd9\xd7\xec\xa3\xd1\x87\x12\xbc\x0b\xc8\xd6\x98\x03\x45\x84\x5a\x75\xc0\xce\x47\xaa\x45\xb7\xb6\x4e\x22\x1b\x4d\xa4\x87\x39\xcf\x63\x81\xe7\xbc\x64\x1a\xfb\x4e\xb8\x2e\xf6\x24\xf6\x7d\xe1\x67\x67\xf4\x9d\x91\x3a\x44\xe4\x64\xea\x96\x06\x5c\x8f\xaa\x89\x1b\x7c\x83\xca\xf4\x64\xe6\x27\x56\x7d\x40\x33\x06\x74\x85\x0a\xa5\x16\x8e\x29\xdb\xca\xee\x32\x00\xf8\x0a\x0d\x48\xf0\x98\x27\xef\xac\xf5\xcb\x82\xa8\x7e\x34\x01\x61\x26\x5e\x67\xe3\x88\x9a\x25\xcf\xf3\x5e\x24\xb3\x80\x66\xa7\x9c\x35\x71\x20\xa4\x59\x3b\x7b\xff\xf9\x97\x5f\x5f\x7f\xbc\x79\xfb\xee\x7a\x96\x46\xc0\x9c\xeb\x61\x77\xe8\xdc\x74\x5e\x67\x66\xe2\x88\x5b\x1d\xd2\x34\xf5\xfa\x54\x8e\x47\x83\xf6\x38\xc7\x71\x73\xb2\xf0\xa3\x89\xf2\xcc\xe3\x8b\x47\xef\x8d\x21\x3a\xa3\x22\x5d\x74\xb1\x27\x99\x89\x87\x84\x26\x6f\x7a\x64\x33\x3d\xf5\x16\x06\x84\xf6\xe8\x0c\x53\xeb\xa3\x88\xd7\xce\x36\xbc\x2d\x7a\xc6\x32\x07\x41\xbc\xdd\xba\xa9\xca\x65\xd0\x56\x6e\xe9\xb8\xd9\x68\x76\xe5\x89\xba\x8c\xe5\x9e\xd4\x65\x27\x74\xc0\xa3\x9a\x7c\x6b\x13\x3f\xdc\x03\xfd\xcc\xfd\xca\x0e\xe0\x91\x3f\x1d\xf5\x5f\x19\xf6\x8f\xec\x4b\x96\x4a\xec\x66\x22\x37\xc5\x87\
x31\x68\x76\x59\x4e\x72\x48\x6d\x48\x57\x34\xac\x78\x10\x49\x21\x6b\xac\xb8\xb2\x79\x6b\x07\x56\xc9\x4d\xe4\xb2\xcc\x33\x2b\xd6\x75\xb4\x31\x53\xe8\xae\x98\x51\x71\x1e\x9d\xf0\xd5\x88\x42\xdb\xea\x03\x17\x82\xf2\x52\x8c\xe4\xcd\xef\x2d\x47\x19\xb8\xa5\x71\xc3\xc5\xfb\x70\xec\x03\xd4\x76\x1f\xaf\x7f\xd6\x18\x94\x3e\x12\x3b\x3f\x2d\xdd\x62\x31\x24\x10\xb9\x3f\x3b\xbf\x1a\x96\x8a\x8e\xf3\x14\xb4\x93\x85\xd4\x81\x3c\xba\x82\xf1\x4b\xe7\x25\xf9\x4c\xe9\xa8\x8d\xa5\x78\x9d\x44\xdf\xdd\x4e\x92\xe2\x53\x47\xe8\xe3\xf5\x72\xda\xd8\x31\x86\x5e\x9e\x2f\xf1\xde\xb1\x64\xbc\xf0\x65\x08\x9c\x47\xdc\x49\x5f\x9d\x4d\x48\x96\x22\x68\x02\xc5\x0b\x70\xac\x9e\xc2\x2a\xed\xa6\x55\xc4\xf5\x48\x71\xe2\xbd\xf7\x59\x7f\x99\x7c\x9e\xc7\xd2\x9f\xad\xb4\x0b\x99\x95\x65\xd7\xdf\x49\x20\x8c\x85\x09\xdf\x17\x95\x72\x57\x47\xa8\x9f\x87\xf5\x29\x23\x58\x63\xf3\x3e\x7f\xfa\x2d\xdd\xcf\x85\xd9\xa4\x6f\xd7\xca\xc7\x3b\x23\x29\x6f\xdd\x61\x40\xab\xb7\x4c\x0c\x27\xce\x79\x06\x05\xa7\xaf\xee\xef\xa1\xb8\x56\x9e\x2d\xc5\x67\x9e\xa9\xc4\xca\x09\x23\xeb\x5e\xe8\x97\xf8\x57\x7a\xf0\x51\xeb\xb8\xc4\x67\x83\x4e\x69\x32\x3f\x60\xbd\xbb\xd8\x06\xfa\xbb\x55\x26\x53\x98\xcd\x67\xdd\xbb\x91\x26\xcc\xd5\x99\x5e\x1d\x8f\xaa\xbd\x30\x71\xfb\x39\xe4\xae\xca\xc4\xe8\x1b\x61\xd4\x9a\xf9\x1e\x6f\x50\x52\x15\xba\x94\xeb\x03\xd6\x1c\xef\xbb\x96\x10\x82\xa9\xd0\x3d\x28\xa0\x43\x2d\xbc\xda\x61\xa4\x33\xd4\xb7\x77\x33\x29\xe2\x83\x0d\x3f\x24\x47\x61\x55\x29\x77\x31\x4f\x3f\x5f\x0c\x8f\x60\x63\x71\xe2\x23\xd7\xa9\xe2\xc4\x97\xa3\xbe\xaa\xbd\xd4\x09\x03\x9f\x09\xdd\x29\xfd\x40\xe8\x86\xce\xb1\x0c\x9c\xd6\xff\xb5\x11\xea\x64\x00\xc8\x1f\x7a\x0b\xbd\xd4\xf8\x8c\x77\x12\x74\x91\xcf\xe9\xde\x72\x41\xd1\xc4\xa7\x21\xae\x13\x4f\x03\xe5\x1f\x5c\xee\xf2\x5a\x75\xb8\xda\xa1\xe6\xd5\x57\x60\xb4\xd7\xe8\x6c\xb1\xd6\xd5\x5f\xb7\x78\x00\x55\xfd\x3c\x88\x7d\x65\x54\x66\x51\xb1\x09\xe1\x83\xc3\xc9\x0d\xf3\x84\xaf\xf8\xf9\xb0\x18\xe4\x69\x82\x05\x3d\x14\x82\xf2\x50\x0b\x8a\x30\x6f\x8d\x3e\x80\x90\x12\x29\xc1\x65\x8d\xe9\x91\xe6\x59\xff\x1e\xf0\
x65\x2d\x34\xe1\x97\xe7\x27\xbc\xf5\xfa\xd3\x02\x93\x77\x41\xfa\xe4\x68\x1f\xef\x78\x3c\xf7\x83\x07\x3a\x18\x09\x2b\x6b\xb7\x5b\xc4\x96\xb7\xeb\xe0\x63\xb6\x51\x7e\x36\x87\x06\x05\x57\x8a\x8f\x39\x88\x78\xf1\xea\x76\x70\x68\xc9\x3b\x14\xcd\xb0\x95\x1f\x46\xc3\xa6\x17\xe4\x85\xc7\xab\x8d\xf2\x8f\x37\xdc\xe0\xef\xbe\xef\x7a\x36\x07\x84\x81\x59\xef\x63\xd6\xa3\x74\x66\xe4\x19\x16\x9b\x62\x0e\xff\x42\xa6\x1b\xaf\xb5\x0d\xd5\xf3\x22\xbe\x1a\x78\xbb\x65\xd2\x4a\xd0\x0a\xe7\x95\x0c\x5a\xb8\xbe\x8a\x9d\x95\x87\x03\xa6\xf3\x7a\xb5\x27\xbe\x98\x4a\xb6\x55\xec\xd9\x6e\xb1\xb7\x6e\x4b\xc3\x0d\xe4\x81\x5a\x74\x74\x25\x56\xf2\xe2\xc5\xe5\xf1\xff\x79\xc2\x77\xe8\x76\x27\x1e\x7b\x99\x6b\x8d\xd3\x95\xb7\xea\x4f\x39\xcc\x8b\x2d\x8f\x87\xd4\x2b\x42\x9f\xbd\x20\x3f\xcd\x1e\xa1\xb3\xd7\x64\x4e\x31\xbe\x8a\x44\xbe\x33\x05\x63\xad\xc8\xa3\x59\x74\x21\x5c\x95\x97\xe7\x97\x17\x67\xdd\x31\x7e\x55\x55\x2a\xdd\x35\x19\xc4\x5f\x31\x87\x99\xe0\xe5\xf8\x7d\x9c\xe3\xf7\xf7\xe0\xe2\x48\xf8\x86\xf6\x22\x3e\xe5\x4f\x8e\xfe\xf8\x5b\xef\xe0\x63\xdb\x99\x7f\x73\x73\xd7\x0f\x60\x9a\x77\xbc\x30\xb8\x6e\x1c\x83\xa9\xac\x27\xb0\x51\x18\x1a\x71\x88\x77\x74\xbd\x1b\x5f\x6a\x0c\x69\x6b\xb7\xa1\x05\x45\x14\x90\xc0\x1a\x20\xdb\x20\xbc\x0f\x2b\x74\x06\x3d\x12\x5b\x0f\x2d\x8d\x0f\x31\x95\xa1\xfe\x19\x60\x76\x63\x0d\xce\xf2\x2f\xaf\x63\x00\xf9\x53\x4c\x72\x4e\xd3\xd7\x99\x9e\xdf\xc5\xf8\x26\x5f\x06\xea\x39\xbb\x98\x9d\xfd\x2f\x00\x00\xff\xff\x52\x89\xd6\x57\x34\x19\x00\x00"), + compressedContent: 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xd4\x59\xdd\x6f\x1b\x37\x12\x7f\xf7\x5f\x31\x50\x0e\x48\x0c\x48\x2b\xbb\x6e\x8b\xc3\xf6\x5c\x5c\x9a\x0f\xd7\x97\xc6\x31\xe2\xf8\x0e\x79\xaa\x29\xee\x48\x4b\x88\x4b\xee\x71\xb8\x52\x05\xa3\xff\xfb\x61\xc8\xfd\xe0\xca\xb2\x5d\xe4\xed\xfa\xd0\xd8\xdc\xe1\x7c\x7f\xfc\x38\x9e\xcd\x66\x47\xa2\x56\xff\x46\x47\xca\x9a\x1c\x44\x5d\xd3\x7c\x73\x7a\xb4\x56\xa6\xc8\xe1\x2d\xd6\xda\xee\x2a\x34\xfe\xa8\x42\x2f\x0a\xe1\x45\x7e\x04\x60\x44\x85\x39\x2c\x75\xf3\xc7\xfd\x3d\xa8\x25\x64\x57\xa2\x42\xaa\x85\x44\xf8\xf3\xcf\xf6\x7b\xf8\x35\x87\xfb\xfb\xf1\xd7\xfb\x7b\x40\x53\x30\x19\xd5\x28\x99\x99\xc3\x5a\x2b\x29\x28\x87\xd3\x23\x00\x42\x8d\xd2\x5b\xc7\x5f\x00\x2a\xe1\x65\xf9\x9b\x58\xa0\xa6\x78\x90\xca\x66\x6a\xef\x84\xc7\xd5\x2e\x7e\xf4\xbb\x1a\x73\xf8\x8c\xd2\xa1\xf0\x78\x04\xe0\xb1\xaa\xb5\xf0\xd8\x32\x4b\x2c\xe0\xff\x84\x31\xd6\x0b\xaf\xac\xe9\x99\x03\xd4\xce\x56\xe8\x4b\x6c\x28\x53\x76\x5e\x5b\xe7\x73\x98\x9c\x9d\x9c\x9d\x4e\xe0\x05\x78\xd4\x3a\xa1\x00\x6f\x81\xa4\x13\x35\xc2\xbc\x42\xef\x94\x24\x36\xae\xb6\xca\xf8\x97\x04\x7c\x39\x6b\x19\xeb\x91\x0d\x7b\x56\x00\x74\xbe\x08\x3f\xa3\xdb\x28\x89\xaf\xa5\xb4\x8d\xf1\x57\x63\x42\x80\x8d\xd5\x4d\x85\x3d\xab\x59\xcb\x6a\xa5\xfc\x6c\x8d\xbb\x5e\x00\xb1\x17\xfc\x20\xb0\x3b\x19\xf8\xcd\xf8\x4a\x11\x02\x9c\x50\x15\xb8\x14\x8d\xf6\x1f\x6d\x81\x39\x9c\x7c\x7f\x72\x02\x2f\x60\x5b\xa2\x81\x8a\xb5\xc1\x02\x1c\x8a\x62\x66\x8d\xde\x4d\x61\x8b\xb0\xb5\xe6\xa5\x87\x05\x82\x58\x68\x64\x7f\xc8\xb2\xb2\xc5\x51\xcb\xf0\x05\x7c\x29\x15\x81\x22\x10\xe0\xab\x7a\x49\xd0\x10\x16\xb0\xb4\x0e\x56\x68\xd0\x09\xaf\xcc\x0a\x6e\x6e\x7e\x85\x35\xee\x28\x83\x4b\x03\x1f\xfe\x4e\xf0\xf3\x39\x9c\x66\xa7\x27\xd3\x9e\x4b\x27\x3b\x9a\x40\x20\x1c\xa6\x7a\x90\x65\x55\x0c\x62\x01\x02\x08\x6b\xc1\x49\xd1\x3a\x0a\xb6\xd8\xb3\x91\xc2\xc0\xd6\x29\xcf\x8a\x66\x87\xfd\xb7\x42\xd3\x3b\x03\xab\xda\xef\xde\x2a\x97\x3a\xb1\xc2\x42\x35\x55\x0e\x1f\xb1\xb2\x6e\x97\xda\x89\xb0\xb4\x5a\xdb\x2d\x5b\xd4\x8a\x56\x14\x4c\x6d\x88\xcf\x04\xc8\x86
"), }, "/flux-secret.yaml.tmpl": &vfsgen۰CompressedFileInfo{ name: "flux-secret.yaml.tmpl", diff --git a/pkg/install/templates/flux-deployment.yaml.tmpl b/pkg/install/templates/flux-deployment.yaml.tmpl index 46994c1ae..40a740720 100644 
--- a/pkg/install/templates/flux-deployment.yaml.tmpl +++ b/pkg/install/templates/flux-deployment.yaml.tmpl @@ -115,6 +115,13 @@ spec: # mountPath: /root/gpg-import # readOnly: true + # Include this if you want to supply HTTP basic auth credentials for git + # via the `GIT_AUTHUSER` and `GIT_AUTHKEY` environment variables using a + # secret. + # envFrom: + # - secretRef: + # name: flux-git-auth + args: # If you deployed memcached in a different namespace to flux, @@ -131,10 +138,12 @@ spec: - --ssh-keygen-dir=/var/fluxd/keygen # Replace the following URL to change the Git repository used by Flux. + # HTTP basic auth credentials can be supplied using environment variables: + # https://$(GIT_AUTHUSER):$(GIT_AUTHKEY)@github.com/user/repository.git - --git-url={{ .GitURL }} - --git-branch={{ .GitBranch }}{{ if .GitPaths }} - --git-path={{ StringsJoin .GitPaths "," }}{{ else }} - # include this if you want to restrict the manifests considered by flux + # Include this if you want to restrict the manifests considered by flux # to those under the following relative paths in the git repository # - --git-path=subdir1,subdir2{{ end }}{{ if .GitLabel }} - --git-label={{ .GitLabel }}{{ end }}{{ if .GitUser }}
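Review bot: In the commented `envFrom` block added above `args:` (hunk `@@ -115,6 +115,13 @@`), the comment does not say that the `flux-git-auth` secret must carry keys named exactly `GIT_AUTHUSER` and `GIT_AUTHKEY`, and `envFrom` exports every key of that secret into the container environment, not only those two. Suggest naming the required keys in the comment and considering an explicit `env` list with one `secretKeyRef` per variable, so that a key added to the secret later is not exposed to the process by accident. Nothing in the visible lines creates `flux-git-auth`, so the comment should also state that the secret has to exist in the same namespace before the pod starts.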
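Review bot: The example URL in the new comment above `- --git-url={{ .GitURL }}` (hunk `@@ -131,10 +138,12 @@`) places `$(GIT_AUTHUSER):$(GIT_AUTHKEY)` in a container argument, and Kubernetes expands `$(VAR)` references in `args` before the process starts, so the credentials appear in cleartext on the container's command line rather than staying only in the environment. The comment should say so, and should note that both values need URL-encoding when they contain characters such as `@`, `:` or `/`. Since the argument is rendered from `{{ .GitURL }}`, it would also help to state whether `.GitURL` is expected to carry the `$(...)` placeholders or whether this form is only for hand-edited manifests.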