blog-k8s-auth-compare
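---
# ArgoCD is exposed through two Ingresses that share one backend Service:
# one for the web UI (HTTP/1.1) and one for the CLI's gRPC traffic.
# The rendered copy had lost all indentation and carried gutter chrome;
# restored here so the documents load again.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-http-ingress
  namespace: argocd
  annotations:
    # Deprecated annotation, kept because the deployed controller honours it;
    # spec.ingressClassName is the current equivalent.
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # TLS terminates at the ingress controller; the hop to argocd-server is
    # plain HTTP inside the cluster.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  rules:
    - host: argocd.blog.tremolo.dev
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: argo-cd-argocd-server
                port:
                  name: http
  tls:
    - hosts:
        - argocd.blog.tremolo.dev
      # NOTE(review): no Secret by this name is defined in the gist; the "-none"
      # suffix suggests it deliberately falls through to the controller's
      # default SSL certificate — confirm before relying on it.
      secretName: argocd-web-tls-none
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-grpc-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # gRPC needs HTTP/2 end to end, hence a separate host and backend protocol.
    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
spec:
  rules:
    - host: grpc-argocd.blog.tremolo.dev
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: argo-cd-argocd-server
                port:
                  name: https
  tls:
    - hosts:
        - grpc-argocd.blog.tremolo.dev
      # NOTE(review): same pattern as above — Secret intentionally absent, confirm.
      secretName: argocd-grpc-tls-none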
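---
# Offline "enterprise" root CA imported into cert-manager. Anyone who can read
# Secrets in the cert-manager namespace holds this key and can mint certificates
# the whole environment trusts: scope RBAC on that namespace accordingly and
# never commit the real key. Indentation restored from the flattened render.
apiVersion: v1
kind: Secret
metadata:
  name: root-ca
  namespace: cert-manager
type: kubernetes.io/tls
data:
  # base64-encoded PEM; the values were redacted in this copy.
  tls.crt: "<REDACTED_BASE64_CA_CERT>"
  tls.key: "<REDACTED_BASE64_CA_KEY>"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: enterprise-ca
  annotations:
    force: update
spec:
  ca:
    secretName: root-ca
---
# Wildcard certificate in the ingress-nginx namespace, presumably the
# controller's default SSL certificate for the "-none" tls secrets elsewhere.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard
  namespace: ingress-nginx
spec:
  secretName: wildcard-tls
  secretTemplate:
    labels: {}
  commonName: "*.blog.tremolo.dev"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    # Not needed for a server-only wildcard; harmless, but narrower is better.
    - client auth
  dnsNames:
    - "*.blog.tremolo.dev"
    - blog.tremolo.dev
  issuerRef:
    name: enterprise-ca
    kind: ClusterIssuer
    group: cert-manager.io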
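---
apiVersion: v1
kind: Namespace
metadata:
  name: dex
spec:
  finalizers:
    - kubernetes
---
# Internal cluster CA (distinct from enterprise-ca) for service-to-service TLS.
# Same caveat as any CA key held in a Secret: restrict read access.
apiVersion: v1
kind: Secret
metadata:
  name: cluster-ca
  namespace: cert-manager
type: kubernetes.io/tls
data:
  # base64-encoded PEM; the values were redacted in this copy.
  tls.crt: "<REDACTED_BASE64_CA_CERT>"
  tls.key: "<REDACTED_BASE64_CA_KEY>"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cluster-ca
  annotations:
    force: update
spec:
  ca:
    secretName: cluster-ca
---
# Serving certificate for dex's in-cluster Service name.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dex-internal
  namespace: dex
spec:
  secretName: dex-tls
  secretTemplate:
    labels: {}
  commonName: "dex.dex.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "dex.dex.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# dex configuration: federates to Okta and issues tokens for two clients.
# config.yaml is a block scalar, so the security notes live out here:
#   - insecureSkipEmailVerified / insecureEnableGroups on the okta connector
#     accept the email and groups claims without dex's usual verification.
#   - logger.level "debug" can write claims and tokens to the pod log.
#   - the oauth2-proxy static client secret is a placeholder (XXXXXX); it must
#     equal client_secret in the oauth2-config Secret, and both belong in a
#     secret store rather than in VCS.
#   - idTokens: 1m keeps ID tokens short-lived; refresh is capped at 20m.
apiVersion: v1
kind: Secret
metadata:
  name: dex-config
  namespace: dex
type: Opaque
stringData:
  config.yaml: |
    issuer: https://dex.blog.tremolo.dev/dex
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      https: 0.0.0.0:5554
      TLSCert: /certs/tls.crt
      TLSKey: /certs/tls.key
    oauth2:
      responseTypes: [ "code" ]
      skipApprovalScreen: true
      alwaysShowLoginScreen: false
    connectors:
      - type: oidc
        id: okta
        name: okta
        config:
          issuer: https://XXXXX.okta.com
          clientID: XXXXX
          clientSecret: XXXXXX
          redirectURI: https://dex.blog.tremolo.dev/dex/callback
          insecureSkipEmailVerified: true
          getUserInfo: true
          insecureEnableGroups: true
          scopes:
            - profile
            - groups
            - offline_access
    expiry:
      idTokens: 1m
      refreshTokens:
        absoluteLifetime: 20m
    staticClients:
      - id: kube-login
        redirectURIs:
          - 'http://localhost:8000'
        name: 'Kubernetes CLI'
        public: true
      - id: oauth2-proxy
        redirectURIs:
          - 'https://k8sdb.blog.tremolo.dev/oauth2/callback'
        name: 'Kubernetes Dashboard'
        secret: XXXXXX
    logger:
      level: "debug"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dex
  namespace: dex
  annotations:
    kubernetes.io/ingress.class: nginx
    # dex listens on HTTPS (web.https above), so the controller re-encrypts.
    nginx.ingress.kubernetes.io/backend-protocol: https
    # Legacy spelling of backend-protocol; redundant on current ingress-nginx.
    nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
    - host: dex.blog.tremolo.dev
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: dex
                port:
                  number: 5554
  tls:
    - hosts:
        - dex.blog.tremolo.dev
      # NOTE(review): Secret intentionally absent (see name); the controller's
      # default wildcard certificate is served instead — confirm.
      secretName: tls-dex-doesnotexist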
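---
apiVersion: v1
kind: Namespace
metadata:
  name: k8sdb-proxy
spec:
  finalizers:
    - kubernetes
---
# Trust bundle for the proxies in this namespace. Both entries are public CA
# certificates, so a ConfigMap is the right home. NOTE(review): from the PEM
# subjects, tls.crt appears to be the enterprise-ca certificate (verifies dex's
# public endpoint) and ca.crt the cluster-ca certificate (verifies in-cluster
# services) — confirm against the cert-manager Secrets.
apiVersion: v1
kind: ConfigMap
metadata:
  name: unison-ca
  namespace: k8sdb-proxy
data:
  # Projected in place of the ServiceAccount "namespace" file (see the
  # kube-oidc-proxy-dashboard Deployment below).
  namespace: "k8sdb-proxy"
  tls.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDETCCAfmgAwIBAgIUbkbKfQ7oeurnTzrygH/GCKI36E0wDQYJKoZIhvcNAQEL
    BQAwGDEWMBQGA1UEAwwNZW50ZXJwcmlzZS1jYTAeFw0yMjExMDcxNDQ1MjJaFw0z
    MjExMDQxNDQ1MjJaMBgxFjAUBgNVBAMMDWVudGVycHJpc2UtY2EwggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnqVwyQo22rG6nUZcSe/GmVfr90Kzgux09
    468pSSQdpDq9RTQUOvfATPBW81wBRfP1/ryEhshruAKa9/5h+5B/x8ncxTXpm8B7
    vD7etv8WuryKPsILuidOD0GQSETo77AXM7FfiROr01j7w6QPwuPvBJSp3ikiC/Dc
    vE66lvIEXN7dSgDddvuvGQNDWOYlGZhf5FHW/5drPHuO9zuyUG+MMi1iP+RBMPRg
    Ie6v8BpOgrsgdtmXLa4VMsPM+0XfD0H8cSf/2H6WS4/7D8AulnPIoKcY+FLJPAm3
    ITR7/l6Q0IQuMSw6BLKafBFnBVcTQSH7yJdAJ5gH4VYDr2jkUZL3AgMBAAGjUzBR
    MB0GA1UdDgQWBBSf9D5FKwHIF7xWqF/48n+r/RTQ3jAfBgNVHSMEGDAWgBSf9D5F
    KwHIF7xWqF/48n+r/RTQ3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
    A4IBAQB7Pl29+rRvxp+TxKOtBddKxHaE2UELnbidhU/16QmnuViBAXbuERHAvcJa
    naoZecBUARtiLXOjh91A6Ao5ZDOdDNYNRCgLb6s7CUXR+3KzvVFcITTRtkSNLJ15
    g4hjYrAKDY1H3OswQ/SrhLoFBwgxbICQyxSKit49Dk+exszn1BE716iiIVgYOGZO
    yIayzBYumFss40jkmhlnk5enab8IL4TqpCe/qbvm5wNjKZUZ3jbl3d1UemqYNuYV
    cEcZ4QymABYKy4VE3TRYRbIdet4V6uYHF5YPyEEiY0TUe+XURZVAmiOcrkjnUHOx
    1bjzRqJZL5TwoFCg5eeDzuY4ZTcc
    -----END CERTIFICATE-----
  ca.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDCzCCAfOgAwIBAgIUQ1rNvd0BB+vnTEVd1DAUtAm7u3kwDQYJKoZIhvcNAQEL
    BQAwFTETMBEGA1UEAwwKY2x1c3Rlci1jYTAeFw0yMjExMDcyMTU1NTlaFw0zMjEx
    MDQyMTU1NTlaMBUxEzARBgNVBAMMCmNsdXN0ZXItY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQDvs9zaa6LFtLVBTiXoEomq3F7J2bUicSEi9dIlTOMk
    wyn3C/MbgpjPaypERELzTAv1DDIO8BZhoORyqXPHyMA5zIDVnV7hOMaAWcwbJEpD
    fFQueEUa5U/rwj59c4xqmlkeT7jZGsrsmPiv5PjPTdMl7THXP8bc6mdGNhvJZmFm
    oPTDoFKb2/1BoIUPWljfUxD3T1isoCrOT1zP3ippJpUT+2sWezpuCFXKi9yqyPpL
    uQ+gu//sRDyE274sIcIUJh44FCE3qfIciTkZ1MUsfmIMc3a05K7Gdvm1P+f5gUV1
    OPDAaQ/5lJwlvycWf9eDeTZbblDSx2MYQG8RoYOA2mDpAgMBAAGjUzBRMB0GA1Ud
    DgQWBBS+8TwxNtS0cS/mL7Sj+kXHgcTh3jAfBgNVHSMEGDAWgBS+8TwxNtS0cS/m
    L7Sj+kXHgcTh3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA0
    GhdYBNyPniY4vkvlzxKbC1CosSkOvHjOJMbX/Gpjx7wv1DRVFmww9taoamUQAkX2
    T5XH80apRY5GTQTOAAIiMvYLXBFA+KTIc4+ufaY5DM1CXIe/1sx4GBY3mn+esQ8p
    Wkdz8M5Bm7tA7OKC2/PQmJXL5hpC+ovChAKNTGOTwu7phNbzuHGNF3RRS6lueDZM
    Ghf0FoNxTA/bfdZ0YhdKjjjtQWTlUxT/NMv+ksz+6HmLCLRco5v1vJCDBmqF0hn1
    JxMOqGj1Cs7mnNL4X6WaCA8UMcEvrE31GL5KRSH8tFPOA68dExrsMctGzHmSnXac
    gQ9cqeqjHndarAIJdXpk
    -----END CERTIFICATE-----
---
# Serving certificate for kube-oidc-proxy's in-cluster Service name.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: oidc-proxy-internal
  namespace: k8sdb-proxy
spec:
  secretName: oidc-proxy-tls
  secretTemplate:
    labels: {}
  commonName: "oidc-proxy.k8sdb-proxy.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "oidc-proxy.k8sdb-proxy.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# Serving certificate for oauth2-proxy.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: oauth2-proxy-internal
  namespace: k8sdb-proxy
spec:
  # "outh2" is a typo, but the Deployment below mounts the same name; rename
  # both together if cleaning it up.
  secretName: outh2-proxy-tls
  secretTemplate:
    labels: {}
  commonName: "oauth2-proxy.k8sdb-proxy.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "oauth2-proxy.k8sdb-proxy.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# Replaces the dashboard's self-generated certificate with one from cluster-ca
# so the proxy can verify it.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
spec:
  secretName: kubernetes-dashboard-certs
  secretTemplate:
    labels: {}
  commonName: "kubernetes-dashboard.kubernetes-dashboard.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "kubernetes-dashboard.kubernetes-dashboard.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# oauth2-proxy configuration. client_secret and cookie_secret are committed in
# clear text: treat both as compromised and rotate them, and source them from a
# secret store outside a demo. client_secret must equal the oauth2-proxy static
# client secret registered in dex. The in-file comment about a "non-existent
# directory" is stale — the upstream is kube-oidc-proxy.
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-config
  namespace: k8sdb-proxy
type: Opaque
stringData:
  oauth2_proxy.cfg: |
    oidc_issuer_url="https://dex.blog.tremolo.dev/dex"
    redirect_url="https://k8sdb.blog.tremolo.dev/oauth2/callback"
    client_secret="WBbOSLXVKaeWzQ0ak58XVbQIAzuQZTBW"
    cookie_secret="laSqRSLA28J1Gy1mK69uXpkJyEv5nEvi"
    # we don't want to proxy anything so pick a non-existent directory
    upstreams = [ "https://oidc-proxy.k8sdb-proxy.svc:8443" ]
    #upstreams = [ "http://echo.k8sdb-proxy.svc:8080" ]
---
# Source: kubernetes/charts/oauth2-proxy/templates/deployment.yaml
# oauth2-proxy fronts the dashboard: it drives the OIDC login with dex and
# forwards the resulting bearer token (pass-authorization-header) to
# kube-oidc-proxy, which converts it into an impersonated dashboard request.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-dashboard
  namespace: k8sdb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy-dashboard
  template:
    metadata:
      labels:
        app: oauth2-proxy-dashboard
    spec:
      # NOTE(review): no securityContext here, unlike the kube-oidc-proxy pods;
      # runAsNonRoot / allowPrivilegeEscalation: false should be stated explicitly.
      containers:
        - name: oauth2-proxy
          image: "quay.io/oauth2-proxy/oauth2-proxy:v7.4.0"
          imagePullPolicy: IfNotPresent
          args:
            - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
            # Any email domain is accepted; authorization is deferred to
            # Kubernetes RBAC through kube-oidc-proxy impersonation.
            - --email-domain=*
            # CA that signed dex's public certificate (unison-ca tls.crt).
            - --provider-ca-file=/etc/https-tls/tls.crt
            - --http-address=http://0.0.0.0:4180
            - --https-address=https://0.0.0.0:4190
            - --tls-cert-file=/etc/https/tls.crt
            - --tls-key-file=/etc/https/tls.key
            - --cookie-refresh=60s
            - --provider=oidc
            # Trusts the email claim without email_verified; pairs with dex's
            # insecureSkipEmailVerified.
            - --insecure-oidc-allow-unverified-email=true
            - --client-id=oauth2-proxy
            - --cookie-secure=true
            - --cookie-httponly=true
            # The upstream certificate is issued by cluster-ca, whose cert is
            # already mounted from unison-ca (ca.crt). Skipping verification
            # leaves the oauth2-proxy -> kube-oidc-proxy hop, which carries the
            # user's bearer token, open to in-cluster interception; verify
            # against that CA if the release offers an upstream CA option.
            - --ssl-upstream-insecure-skip-verify=true
            - --pass-authorization-header=true
            - --scope=openid profile email groups offline_access
          livenessProbe:
            tcpSocket:
              port: 4190
            initialDelaySeconds: 0
            timeoutSeconds: 1
          readinessProbe:
            tcpSocket:
              port: 4190
            initialDelaySeconds: 0
            timeoutSeconds: 1
            successThreshold: 1
            periodSeconds: 10
          resources: {}
          volumeMounts:
            - mountPath: /etc/oauth2_proxy
              name: configmain
            - mountPath: /etc/https
              name: tlscerts
            - mountPath: /etc/https-tls
              name: cacerts
      volumes:
        - name: configmain
          secret:
            defaultMode: 420
            secretName: oauth2-config
        - name: cacerts
          configMap:
            name: unison-ca
        - name: tlscerts
          secret:
            secretName: outh2-proxy-tls
      tolerations: []
---
apiVersion: v1
kind: Service
metadata:
  name: kube-oauth2-proxy-db
  namespace: k8sdb-proxy
spec:
  ports:
    - port: 4190
      protocol: TCP
      targetPort: 4190
      name: https-kube-oauth2-proxy
  selector:
    app: oauth2-proxy-dashboard
  type: "ClusterIP"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy-api-db
  namespace: k8sdb-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/secure-backends: 'true'
spec:
  rules:
    - host: k8sdb.blog.tremolo.dev
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: kube-oauth2-proxy-db
                port:
                  number: 4190
  tls:
    - hosts:
        - k8sdb.blog.tremolo.dev
      # NOTE(review): Secret intentionally absent; default certificate served — confirm.
      secretName: oauth2-proxy-tls-certificate-none
---
# kube-oidc-proxy in front of the dashboard: validates the dex-issued token in
# the Authorization header and re-issues the request to the dashboard with
# impersonation headers, authenticating itself with the projected SA token.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-oidc-proxy-dashboard
  namespace: k8sdb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-oidc-proxy-dashboard
  template:
    metadata:
      labels:
        app: kube-oidc-proxy-dashboard
    spec:
      serviceAccountName: oidc-proxy-dashboard
      # The default token mount is replaced by the "ou-token" projected volume
      # below, which supplies a bound token plus unison-ca's ca.crt and namespace.
      automountServiceAccountToken: false
      containers:
        - name: kube-oidc-proxy-dashboard
          # NOTE(review): floating tag with pullPolicy Always means each restart may
          # run a different image; pin to a version tag or digest.
          image: docker.io/tremolosecurity/kube-oidc-proxy:latest
          imagePullPolicy: Always
          command: ["kube-oidc-proxy"]
          args:
            - "--secure-port=8443"
            - "--tls-cert-file=/etc/oidc/tls/crt.pem"
            - "--tls-private-key-file=/etc/oidc/tls/key.pem"
            - "--oidc-client-id=oauth2-proxy"
            - "--oidc-issuer-url=https://dex.blog.tremolo.dev/dex"
            - "--oidc-username-claim=sub"
            - "--oidc-groups-claim=groups"
            - "--oidc-ca-file=/etc/oidc/oidc-ca.pem"
            # NOTE(review): the projected ca.crt (cluster-ca) issued
            # kubernetes-dashboard-certs, so the dashboard's certificate should
            # verify without this flag — try removing it.
            - "--insecure-skip-tls-verify=true"
          env:
            # Points the proxy's notion of "the API server" at the dashboard Service.
            - name: KUBERNETES_SERVICE_HOST
              value: kubernetes-dashboard.kubernetes-dashboard.svc
            - name: KUBERNETES_SERVICE_PORT
              value: "443"
          ports:
            - containerPort: 8443
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 10
          securityContext:
            runAsUser: 10001
            runAsGroup: 10001
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: kube-oidc-proxy-config
              mountPath: /etc/oidc
              readOnly: true
            - name: kube-oidc-proxy-tls
              mountPath: /etc/oidc/tls
              readOnly: true
            - name: ou-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      volumes:
        - name: kube-oidc-proxy-config
          configMap:
            name: unison-ca
            items:
              - key: tls.crt
                path: oidc-ca.pem
        - name: kube-oidc-proxy-tls
          secret:
            secretName: oidc-proxy-tls
            items:
              - key: tls.crt
                path: crt.pem
              - key: tls.key
                path: key.pem
        - name: ou-token
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  audience: "https://kubernetes.default.svc.cluster.local"
                  expirationSeconds: 60000
                  path: "token"
              - configMap:
                  name: "unison-ca"
                  items:
                    - key: "ca.crt"
                      path: "ca.crt"
              - configMap:
                  name: unison-ca
                  items:
                    - key: namespace
                      path: namespace
      nodeSelector: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: kube-oidc-proxy-dashboard
  name: oidc-proxy
  namespace: k8sdb-proxy
spec:
  ports:
    - port: 8443
      protocol: TCP
      targetPort: 8443
      name: https-kube-oidc-proxy
  selector:
    app: kube-oidc-proxy-dashboard
  type: "ClusterIP"
---
# Impersonation rights for the proxy's ServiceAccount. This is a powerful grant:
# impersonate on users/groups is effectively "act as anyone", so the proxy's
# token and pod must be protected like a cluster-admin credential.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator-oidc-proxy-dashboard
rules:
  - apiGroups:
      - ""
    resources:
      - users
      - groups
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - "authentication.k8s.io"
    resources:
      - "userextras/scopes"
      - "userextras/remote-client-ip"
      - "tokenreviews"
      # to support end user impersonation
      - "userextras/originaluser.jetstack.io-user"
      - "userextras/originaluser.jetstack.io-groups"
      - "userextras/originaluser.jetstack.io-extra"
    verbs:
      - "create"
      - "impersonate"
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - "subjectaccessreviews"
    verbs:
      - "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonator-oidc-proxy-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonator-oidc-proxy-dashboard
subjects:
  - kind: ServiceAccount
    name: oidc-proxy-dashboard
    namespace: k8sdb-proxy
---
# Server-populated creationTimestamp dropped; a bare "key:" is null and only
# trips linters.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-proxy-dashboard
  namespace: k8sdb-proxy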
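---
apiVersion: v1
kind: Namespace
metadata:
  name: oidc-proxy
spec:
  finalizers:
    - kubernetes
---
# CA that signed dex's public certificate (NOTE(review): PEM subject reads as
# enterprise-ca — confirm). Used by kube-oidc-proxy to validate the issuer.
apiVersion: v1
kind: ConfigMap
metadata:
  name: unison-ca
  namespace: oidc-proxy
data:
  tls.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDETCCAfmgAwIBAgIUbkbKfQ7oeurnTzrygH/GCKI36E0wDQYJKoZIhvcNAQEL
    BQAwGDEWMBQGA1UEAwwNZW50ZXJwcmlzZS1jYTAeFw0yMjExMDcxNDQ1MjJaFw0z
    MjExMDQxNDQ1MjJaMBgxFjAUBgNVBAMMDWVudGVycHJpc2UtY2EwggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnqVwyQo22rG6nUZcSe/GmVfr90Kzgux09
    468pSSQdpDq9RTQUOvfATPBW81wBRfP1/ryEhshruAKa9/5h+5B/x8ncxTXpm8B7
    vD7etv8WuryKPsILuidOD0GQSETo77AXM7FfiROr01j7w6QPwuPvBJSp3ikiC/Dc
    vE66lvIEXN7dSgDddvuvGQNDWOYlGZhf5FHW/5drPHuO9zuyUG+MMi1iP+RBMPRg
    Ie6v8BpOgrsgdtmXLa4VMsPM+0XfD0H8cSf/2H6WS4/7D8AulnPIoKcY+FLJPAm3
    ITR7/l6Q0IQuMSw6BLKafBFnBVcTQSH7yJdAJ5gH4VYDr2jkUZL3AgMBAAGjUzBR
    MB0GA1UdDgQWBBSf9D5FKwHIF7xWqF/48n+r/RTQ3jAfBgNVHSMEGDAWgBSf9D5F
    KwHIF7xWqF/48n+r/RTQ3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
    A4IBAQB7Pl29+rRvxp+TxKOtBddKxHaE2UELnbidhU/16QmnuViBAXbuERHAvcJa
    naoZecBUARtiLXOjh91A6Ao5ZDOdDNYNRCgLb6s7CUXR+3KzvVFcITTRtkSNLJ15
    g4hjYrAKDY1H3OswQ/SrhLoFBwgxbICQyxSKit49Dk+exszn1BE716iiIVgYOGZO
    yIayzBYumFss40jkmhlnk5enab8IL4TqpCe/qbvm5wNjKZUZ3jbl3d1UemqYNuYV
    cEcZ4QymABYKy4VE3TRYRbIdet4V6uYHF5YPyEEiY0TUe+XURZVAmiOcrkjnUHOx
    1bjzRqJZL5TwoFCg5eeDzuY4ZTcc
    -----END CERTIFICATE-----
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: oidc-proxy-internal
  namespace: oidc-proxy
spec:
  secretName: oidc-proxy-tls
  secretTemplate:
    labels: {}
  commonName: "oidc-proxy.oidc-proxy.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "oidc-proxy.oidc-proxy.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# kube-oidc-proxy in front of the real API server: kubectl (client id
# kube-login) presents a dex token, the proxy validates it and impersonates
# the user/groups using its own ServiceAccount token.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kube-oidc-proxy-api-server
    app.kubernetes.io/name: openunison
    app.kubernetes.io/instance: openunison-api-server
    app.kubernetes.io/component: kube-oidc-proxy
    app.kubernetes.io/part-of: openunison
  name: kube-oidc-proxy-api-server
  namespace: oidc-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-oidc-proxy-api-server
  template:
    metadata:
      labels:
        app: kube-oidc-proxy-api-server
        app.kubernetes.io/name: openunison
        app.kubernetes.io/instance: openunison-api-server
        app.kubernetes.io/component: kube-oidc-proxy
        app.kubernetes.io/part-of: openunison
    spec:
      serviceAccountName: oidc-proxy-api-server
      containers:
        - name: kube-oidc-proxy-api-server
          # NOTE(review): floating tag with pullPolicy Always; pin to a version
          # tag or digest for a component that holds impersonation rights.
          image: docker.io/tremolosecurity/kube-oidc-proxy:latest
          imagePullPolicy: Always
          command: ["kube-oidc-proxy"]
          args:
            - "--secure-port=8443"
            - "--tls-cert-file=/etc/oidc/tls/crt.pem"
            - "--tls-private-key-file=/etc/oidc/tls/key.pem"
            - "--oidc-client-id=kube-login"
            - "--oidc-issuer-url=https://dex.blog.tremolo.dev/dex"
            # Username is the opaque "sub"; groups come straight from the token.
            - "--oidc-username-claim=sub"
            - "--oidc-groups-claim=groups"
            - "--oidc-ca-file=/etc/oidc/oidc-ca.pem"
          ports:
            - containerPort: 8443
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 10
          securityContext:
            runAsUser: 10001
            runAsGroup: 10001
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: kube-oidc-proxy-config
              mountPath: /etc/oidc
              readOnly: true
            - name: kube-oidc-proxy-tls
              mountPath: /etc/oidc/tls
              readOnly: true
      volumes:
        - name: kube-oidc-proxy-config
          configMap:
            name: unison-ca
            items:
              - key: tls.crt
                path: oidc-ca.pem
        - name: kube-oidc-proxy-tls
          secret:
            secretName: oidc-proxy-tls
            items:
              - key: tls.crt
                path: crt.pem
              - key: tls.key
                path: key.pem
      nodeSelector: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: kube-oidc-proxy-api-server
    app.kubernetes.io/name: openunison
    app.kubernetes.io/instance: openunison-api-server
    app.kubernetes.io/component: kube-oidc-proxy
    app.kubernetes.io/part-of: openunison
  name: kube-oidc-proxy-api-server
  namespace: oidc-proxy
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 8443
      name: https-kube-oidc-proxy
  selector:
    app: kube-oidc-proxy-api-server
  type: "ClusterIP"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oidc-proxy-api-server
  namespace: oidc-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/secure-backends: 'true'
spec:
  rules:
    - host: oidc-proxy-api.blog.tremolo.dev
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: kube-oidc-proxy-api-server
                port:
                  # NOTE(review): the Service exposes 443 (targetPort 8443); 8443
                  # only resolves if the controller maps it to the container
                  # port — confirm, or use 443 here.
                  number: 8443
  tls:
    - hosts:
        - oidc-proxy-api.blog.tremolo.dev
      # NOTE(review): Secret intentionally absent; default certificate served — confirm.
      secretName: oidc-proxy-tls-certificate-none
---
# Same broad impersonation grant as the dashboard proxy; see the note there.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator-oidc-proxy-api
rules:
  - apiGroups:
      - ""
    resources:
      - users
      - groups
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - "authentication.k8s.io"
    resources:
      - "userextras/scopes"
      - "userextras/remote-client-ip"
      - "tokenreviews"
      # to support end user impersonation
      - "userextras/originaluser.jetstack.io-user"
      - "userextras/originaluser.jetstack.io-groups"
      - "userextras/originaluser.jetstack.io-extra"
    verbs:
      - "create"
      - "impersonate"
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - "subjectaccessreviews"
    verbs:
      - "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonator-oidc-proxy-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonator-oidc-proxy-api
subjects:
  - kind: ServiceAccount
    name: oidc-proxy-api-server
    namespace: oidc-proxy
---
# Server-populated creationTimestamp dropped (a bare "key:" is null).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-proxy-api-server
  namespace: oidc-proxy
---
# cluster-admin for an IdP group. Membership of "k8s-admins" in the upstream
# directory is therefore a direct path to full cluster control; the group claim
# must come only from the trusted connector and be audited like any admin role.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: activedirectory-cluster-admins
subjects:
  - kind: Group
    name: k8s-admins
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io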
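---
# Keycloak operator CR. DB credentials come from a Secret rather than the CR,
# which is the right pattern; the operator-managed Ingress is disabled in favour
# of the hand-written one below.
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: cluster-kc
  namespace: keycloak
spec:
  instances: 1
  db:
    vendor: postgres
    database: postgresdb
    host: postgresql.default.svc
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  http:
    # Issued by cert-manager (keycloak-internal Certificate).
    tlsSecret: keycloak-tls
  hostname:
    hostname: keycloak.blog.tremolo.dev
  ingress:
    enabled: false
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    kubernetes.io/ingress.class: nginx
    # Keycloak serves TLS itself (http.tlsSecret above); the controller re-encrypts.
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/secure-backends: 'true'
spec:
  rules:
    - host: keycloak.blog.tremolo.dev
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: cluster-kc-service
                port:
                  number: 8443
  tls:
    - hosts:
        - keycloak.blog.tremolo.dev
      # NOTE(review): Secret intentionally absent; default certificate served — confirm.
      secretName: kc-tls-certificate-none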
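---
# Internal cluster CA for service-to-service TLS (duplicate of the copy in the
# dex manifests; apply once). Restrict read access to this Secret.
apiVersion: v1
kind: Secret
metadata:
  name: cluster-ca
  namespace: cert-manager
type: kubernetes.io/tls
data:
  # base64-encoded PEM; the values were redacted in this copy.
  tls.crt: "<REDACTED_BASE64_CA_CERT>"
  tls.key: "<REDACTED_BASE64_CA_KEY>"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cluster-ca
  annotations:
    force: update
spec:
  ca:
    secretName: cluster-ca
---
# Serving certificate consumed by the Keycloak CR's http.tlsSecret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keycloak-internal
  namespace: keycloak
spec:
  secretName: keycloak-tls
  secretTemplate:
    labels: {}
  commonName: "keycloak.keycloak.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "keycloak.keycloak.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io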
--- | |
apiVersion: v1 | |
kind: Namespace | |
metadata: | |
name: k8sdb-proxy | |
spec: | |
finalizers: | |
- kubernetes | |
--- | |
apiVersion: v1 | |
data: | |
namespace: "k8sdb-proxy" | |
tls.crt: |- | |
-----BEGIN CERTIFICATE----- | |
MIIDETCCAfmgAwIBAgIUbkbKfQ7oeurnTzrygH/GCKI36E0wDQYJKoZIhvcNAQEL | |
BQAwGDEWMBQGA1UEAwwNZW50ZXJwcmlzZS1jYTAeFw0yMjExMDcxNDQ1MjJaFw0z | |
MjExMDQxNDQ1MjJaMBgxFjAUBgNVBAMMDWVudGVycHJpc2UtY2EwggEiMA0GCSqG | |
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnqVwyQo22rG6nUZcSe/GmVfr90Kzgux09 | |
468pSSQdpDq9RTQUOvfATPBW81wBRfP1/ryEhshruAKa9/5h+5B/x8ncxTXpm8B7 | |
vD7etv8WuryKPsILuidOD0GQSETo77AXM7FfiROr01j7w6QPwuPvBJSp3ikiC/Dc | |
vE66lvIEXN7dSgDddvuvGQNDWOYlGZhf5FHW/5drPHuO9zuyUG+MMi1iP+RBMPRg | |
Ie6v8BpOgrsgdtmXLa4VMsPM+0XfD0H8cSf/2H6WS4/7D8AulnPIoKcY+FLJPAm3 | |
ITR7/l6Q0IQuMSw6BLKafBFnBVcTQSH7yJdAJ5gH4VYDr2jkUZL3AgMBAAGjUzBR | |
MB0GA1UdDgQWBBSf9D5FKwHIF7xWqF/48n+r/RTQ3jAfBgNVHSMEGDAWgBSf9D5F | |
KwHIF7xWqF/48n+r/RTQ3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA | |
A4IBAQB7Pl29+rRvxp+TxKOtBddKxHaE2UELnbidhU/16QmnuViBAXbuERHAvcJa | |
naoZecBUARtiLXOjh91A6Ao5ZDOdDNYNRCgLb6s7CUXR+3KzvVFcITTRtkSNLJ15 | |
g4hjYrAKDY1H3OswQ/SrhLoFBwgxbICQyxSKit49Dk+exszn1BE716iiIVgYOGZO | |
yIayzBYumFss40jkmhlnk5enab8IL4TqpCe/qbvm5wNjKZUZ3jbl3d1UemqYNuYV | |
cEcZ4QymABYKy4VE3TRYRbIdet4V6uYHF5YPyEEiY0TUe+XURZVAmiOcrkjnUHOx | |
1bjzRqJZL5TwoFCg5eeDzuY4ZTcc | |
-----END CERTIFICATE----- | |
ca.crt: |- | |
-----BEGIN CERTIFICATE----- | |
MIIDCzCCAfOgAwIBAgIUQ1rNvd0BB+vnTEVd1DAUtAm7u3kwDQYJKoZIhvcNAQEL | |
BQAwFTETMBEGA1UEAwwKY2x1c3Rlci1jYTAeFw0yMjExMDcyMTU1NTlaFw0zMjEx | |
MDQyMTU1NTlaMBUxEzARBgNVBAMMCmNsdXN0ZXItY2EwggEiMA0GCSqGSIb3DQEB | |
AQUAA4IBDwAwggEKAoIBAQDvs9zaa6LFtLVBTiXoEomq3F7J2bUicSEi9dIlTOMk | |
wyn3C/MbgpjPaypERELzTAv1DDIO8BZhoORyqXPHyMA5zIDVnV7hOMaAWcwbJEpD | |
fFQueEUa5U/rwj59c4xqmlkeT7jZGsrsmPiv5PjPTdMl7THXP8bc6mdGNhvJZmFm | |
oPTDoFKb2/1BoIUPWljfUxD3T1isoCrOT1zP3ippJpUT+2sWezpuCFXKi9yqyPpL | |
uQ+gu//sRDyE274sIcIUJh44FCE3qfIciTkZ1MUsfmIMc3a05K7Gdvm1P+f5gUV1 | |
OPDAaQ/5lJwlvycWf9eDeTZbblDSx2MYQG8RoYOA2mDpAgMBAAGjUzBRMB0GA1Ud | |
DgQWBBS+8TwxNtS0cS/mL7Sj+kXHgcTh3jAfBgNVHSMEGDAWgBS+8TwxNtS0cS/m | |
L7Sj+kXHgcTh3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA0 | |
GhdYBNyPniY4vkvlzxKbC1CosSkOvHjOJMbX/Gpjx7wv1DRVFmww9taoamUQAkX2 | |
T5XH80apRY5GTQTOAAIiMvYLXBFA+KTIc4+ufaY5DM1CXIe/1sx4GBY3mn+esQ8p | |
Wkdz8M5Bm7tA7OKC2/PQmJXL5hpC+ovChAKNTGOTwu7phNbzuHGNF3RRS6lueDZM | |
Ghf0FoNxTA/bfdZ0YhdKjjjtQWTlUxT/NMv+ksz+6HmLCLRco5v1vJCDBmqF0hn1 | |
JxMOqGj1Cs7mnNL4X6WaCA8UMcEvrE31GL5KRSH8tFPOA68dExrsMctGzHmSnXac | |
gQ9cqeqjHndarAIJdXpk | |
-----END CERTIFICATE----- | |
kind: ConfigMap | |
metadata: | |
name: unison-ca | |
namespace: k8sdb-proxy | |
--- | |
apiVersion: cert-manager.io/v1 | |
kind: Certificate | |
metadata: | |
name: oidc-proxy-internal | |
namespace: k8sdb-proxy | |
spec: | |
secretName: oidc-proxy-tls | |
secretTemplate: | |
labels: {} | |
commonName: "oidc-proxy.k8sdb-proxy.svc" | |
isCA: false | |
privateKey: | |
algorithm: RSA | |
encoding: PKCS1 | |
size: 2048 | |
usages: | |
- server auth | |
- client auth | |
dnsNames: | |
- "oidc-proxy.k8sdb-proxy.svc" | |
issuerRef: | |
name: cluster-ca | |
kind: ClusterIssuer | |
group: cert-manager.io | |
--- | |
apiVersion: cert-manager.io/v1 | |
kind: Certificate | |
metadata: | |
name: oauth2-proxy-internal | |
namespace: k8sdb-proxy | |
spec: | |
secretName: outh2-proxy-tls | |
secretTemplate: | |
labels: {} | |
commonName: "oauth2-proxy.k8sdb-proxy.svc" | |
isCA: false | |
privateKey: | |
algorithm: RSA | |
encoding: PKCS1 | |
size: 2048 | |
usages: | |
- server auth | |
- client auth | |
dnsNames: | |
- "oauth2-proxy.k8sdb-proxy.svc" | |
issuerRef: | |
name: cluster-ca | |
kind: ClusterIssuer | |
group: cert-manager.io | |
--- | |
apiVersion: cert-manager.io/v1 | |
kind: Certificate | |
metadata: | |
name: kubernetes-dashboard-certs | |
namespace: kubernetes-dashboard | |
spec: | |
secretName: kubernetes-dashboard-certs | |
secretTemplate: | |
labels: {} | |
commonName: "kubernetes-dashboard.kubernetes-dashboard.svc" | |
isCA: false | |
privateKey: | |
algorithm: RSA | |
encoding: PKCS1 | |
size: 2048 | |
usages: | |
- server auth | |
- client auth | |
dnsNames: | |
- "kubernetes-dashboard.kubernetes-dashboard.svc" | |
issuerRef: | |
name: cluster-ca | |
kind: ClusterIssuer | |
group: cert-manager.io | |
---
# oauth2-proxy configuration file, mounted at /etc/oauth2_proxy by the Deployment
# below. The stringData holds live credentials committed to a public gist:
# client_secret (the OIDC client's secret at the Keycloak issuer) and
# cookie_secret (the value oauth2-proxy uses to sign/encrypt its session cookie).
# Both should be treated as compromised and rotated, and sourced from a secret
# store rather than a checked-in manifest.
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-config
  namespace: k8sdb-proxy
type: Opaque
stringData:
  # The "# we don't want to proxy anything" line inside the file is stale:
  # upstreams does point at the kube-oidc-proxy Service (oidc-proxy.k8sdb-proxy.svc:8443).
  oauth2_proxy.cfg: |
    oidc_issuer_url="https://keycloak.blog.tremolo.dev/realms/cluster"
    redirect_url="https://k8sdb.blog.tremolo.dev/oauth2/callback"
    client_secret="WBbOSLXVKaeWzQ0ak58XVbQIAzuQZTBW"
    cookie_secret="laSqRSLA28J1Gy1mK69uXpkJyEv5nEvi"
    # we don't want to proxy anything so pick a non-existent directory
    upstreams = [ "https://oidc-proxy.k8sdb-proxy.svc:8443" ]
    #upstreams = [ "http://echo.k8sdb-proxy.svc:8080" ]
---
# Source: kubernetes/charts/oauth2-proxy/templates/deployment.yaml
# oauth2-proxy in front of the dashboard: handles the OIDC login against the
# Keycloak issuer named in the oauth2-config Secret, then forwards the request
# (with the ID token as a bearer Authorization header) to kube-oidc-proxy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-dashboard
  namespace: k8sdb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy-dashboard
  template:
    metadata:
      labels:
        app: oauth2-proxy-dashboard
    spec:
      containers:
        # No securityContext here, unlike the kube-oidc-proxy container below;
        # the pod runs with the image's defaults.
        - name: oauth2-proxy
          image: "quay.io/oauth2-proxy/oauth2-proxy:v7.4.0"
          imagePullPolicy: IfNotPresent
          args:
            - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
            # Any email domain is accepted: this layer only authenticates;
            # authorization is left to kube-oidc-proxy / Kubernetes RBAC.
            - --email-domain=*
            # CA bundle for verifying the issuer's TLS (unison-ca ConfigMap).
            - --provider-ca-file=/etc/https-tls/tls.crt
            - --http-address=http://0.0.0.0:4180
            - --https-address=https://0.0.0.0:4190
            - --tls-cert-file=/etc/https/tls.crt
            - --tls-key-file=/etc/https/tls.key
            - --cookie-refresh=60s
            - --provider=oidc
            # Accepts identities whose email the IdP has not marked as verified.
            - --insecure-oidc-allow-unverified-email=true
            # Must equal the --oidc-client-id kube-oidc-proxy validates against.
            - --client-id=oauth2-proxy
            - --cookie-secure=true
            - --cookie-httponly=true
            # TLS verification toward the upstream is disabled, although the
            # upstream serves a cluster-ca certificate and that CA is already
            # mounted at /etc/https-tls; verifying against it would close the gap.
            - --ssl-upstream-insecure-skip-verify=true
            # Forwards the ID token as Authorization: Bearer to the upstream.
            - --pass-authorization-header=true
            - --scope=openid profile email
          livenessProbe:
            tcpSocket:
              port: 4190
            initialDelaySeconds: 0
            timeoutSeconds: 1
          readinessProbe:
            tcpSocket:
              port: 4190
            initialDelaySeconds: 0
            timeoutSeconds: 1
            successThreshold: 1
            periodSeconds: 10
          resources:
            {}
          volumeMounts:
            - mountPath: /etc/oauth2_proxy
              name: configmain
            - mountPath: /etc/https
              name: tlscerts
            - mountPath: /etc/https-tls
              name: cacerts
      volumes:
        - secret:
            defaultMode: 420
            secretName: oauth2-config
          name: configmain
        - configMap:
            name: unison-ca
          name: cacerts
        # Spelling matches the Certificate's secretName above ("outh2-proxy-tls").
        - secret:
            secretName: outh2-proxy-tls
          name: tlscerts
      tolerations:
        []
---
# ClusterIP in front of the oauth2-proxy HTTPS listener; the Ingress below
# terminates public TLS and re-encrypts to this port.
apiVersion: v1
kind: Service
metadata:
  name: kube-oauth2-proxy-db
  namespace: k8sdb-proxy
spec:
  ports:
    - port: 4190
      protocol: TCP
      targetPort: 4190
      name: https-kube-oauth2-proxy
  selector:
    app: oauth2-proxy-dashboard
  type: "ClusterIP"
---
# Public entry point for the dashboard flow (k8sdb.blog.tremolo.dev) -> oauth2-proxy.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy-api-db
  namespace: k8sdb-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    # Backend speaks HTTPS (port 4190); its certificate is not verified by nginx
    # unless a proxy-ssl-* annotation is added, which this manifest does not do.
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/secure-backends: 'true'
spec:
  rules:
    - host: k8sdb.blog.tremolo.dev
      http:
        paths:
          - backend:
              service:
                name: kube-oauth2-proxy-db
                port:
                  number: 4190
            path: "/"
            pathType: Prefix
  tls:
    - hosts:
        - k8sdb.blog.tremolo.dev
      # No Secret of this name is defined on this page; presumably the intent is
      # to let ingress-nginx fall back to its default certificate — confirm.
      secretName: oauth2-proxy-tls-certificate-none
---
# kube-oidc-proxy for the dashboard: validates the bearer token forwarded by
# oauth2-proxy and impersonates that user toward the Kubernetes Dashboard, which
# it reaches by pointing the in-cluster client at the dashboard Service
# (KUBERNETES_SERVICE_HOST/PORT) instead of the real API server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-oidc-proxy-dashboard
  namespace: k8sdb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-oidc-proxy-dashboard
  template:
    metadata:
      labels:
        app: kube-oidc-proxy-dashboard
    spec:
      serviceAccountName: oidc-proxy-dashboard
      containers:
        # ":latest" plus imagePullPolicy Always means every restart may pull a
        # different binary; pin a tag or digest for a reproducible deployment.
        - image: docker.io/tremolosecurity/kube-oidc-proxy:latest
          ports:
            - containerPort: 8443
            - containerPort: 8080
          env:
            # Redirect the in-cluster client to the dashboard Service on port 443.
            - name: KUBERNETES_SERVICE_HOST
              value: kubernetes-dashboard.kubernetes-dashboard.svc
            - name: KUBERNETES_SERVICE_PORT
              value: "443"
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 10
          name: kube-oidc-proxy-dashboard
          command: ["kube-oidc-proxy"]
          args:
            - "--secure-port=8443"
            - "--tls-cert-file=/etc/oidc/tls/crt.pem"
            - "--tls-private-key-file=/etc/oidc/tls/key.pem"
            # Same client id oauth2-proxy logs in with, so the forwarded token's
            # audience is accepted.
            - "--oidc-client-id=oauth2-proxy"
            - "--oidc-issuer-url=https://keycloak.blog.tremolo.dev/realms/cluster"
            - "--oidc-username-claim=sub"
            - "--oidc-groups-claim=groups"
            # Issuer CA = tls.crt of the unison-ca ConfigMap (volume below).
            - "--oidc-ca-file=/etc/oidc/oidc-ca.pem"
            # Verbosity 11 is debug-level output for a component that handles
            # bearer tokens; confirm what it logs at this level before running it
            # outside a lab, and lower it for normal operation.
            - "--v=11"
            # Skips TLS verification of the dashboard backend even though a
            # cluster-ca certificate (kubernetes-dashboard-certs) is issued for it
            # above and the CA is available in the unison-ca ConfigMap.
            - "--insecure-skip-tls-verify=true"
          imagePullPolicy: Always
          securityContext:
            runAsUser: 10001
            runAsGroup: 10001
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: kube-oidc-proxy-config
              mountPath: /etc/oidc
              readOnly: true
            - name: kube-oidc-proxy-tls
              mountPath: /etc/oidc/tls
              readOnly: true
            # Hand-built replacement for the auto-mounted SA token; automount is
            # disabled at the end of this pod spec.
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: ou-token
      volumes:
        - name: kube-oidc-proxy-config
          configMap:
            name: unison-ca
            items:
              - key: tls.crt
                path: oidc-ca.pem
        - name: kube-oidc-proxy-tls
          secret:
            secretName: oidc-proxy-tls
            items:
              - key: tls.crt
                path: crt.pem
              - key: tls.key
                path: key.pem
        - name: ou-token
          projected:
            defaultMode: 420
            sources:
              # Bound SA token: audience-restricted and time-limited
              # (60000 s is roughly 16.7 h per token before the kubelet rotates it).
              - serviceAccountToken:
                  audience: "https://kubernetes.default.svc.cluster.local"
                  expirationSeconds: 60000
                  path: "token"
              # ca.crt and namespace are taken from this namespace's unison-ca
              # ConfigMap (which carries both keys) instead of the default
              # kube-root-ca bundle, so the client trusts the CA in that ConfigMap.
              - configMap:
                  items:
                    - key: "ca.crt"
                      path: "ca.crt"
                  name: "unison-ca"
              - configMap:
                  items:
                    - key: namespace
                      path: namespace
                  name: unison-ca
      nodeSelector: {}
      automountServiceAccountToken: false
---
# Service behind oauth2-proxy's upstreams entry (oidc-proxy.k8sdb-proxy.svc:8443).
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: kube-oidc-proxy-dashboard
  name: oidc-proxy
  namespace: k8sdb-proxy
spec:
  ports:
    - port: 8443
      protocol: TCP
      targetPort: 8443
      name: https-kube-oidc-proxy
  selector:
    app: kube-oidc-proxy-dashboard
  type: "ClusterIP"
---
# RBAC for the proxy's own identity. The right to impersonate arbitrary users and
# groups is as powerful as cluster-admin, so this role must be bound only to the
# proxy's ServiceAccount and the proxy pod itself must be tightly controlled.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator-oidc-proxy-dashboard
rules:
  - apiGroups:
      - ""
    resources:
      - users
      - groups
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - "authentication.k8s.io"
    resources:
      # "create" is what tokenreviews needs; "impersonate" is for the userextras
      # entries (the rule grants both verbs to every listed resource).
      - "userextras/scopes"
      - "userextras/remote-client-ip"
      - "tokenreviews"
      # to support end user impersonation
      - "userextras/originaluser.jetstack.io-user"
      - "userextras/originaluser.jetstack.io-groups"
      - "userextras/originaluser.jetstack.io-extra"
    verbs:
      - "create"
      - "impersonate"
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - "subjectaccessreviews"
    verbs:
      - "create"
---
# Binds the impersonation ClusterRole to the dashboard proxy's ServiceAccount only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonator-oidc-proxy-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonator-oidc-proxy-dashboard
subjects:
  - kind: ServiceAccount
    name: oidc-proxy-dashboard
    namespace: k8sdb-proxy
---
# Identity of the dashboard proxy pod (serviceAccountName in its Deployment).
apiVersion: v1
kind: ServiceAccount
metadata:
  # Bare value parses as null; the API server assigns the timestamp on create.
  creationTimestamp:
  name: oidc-proxy-dashboard
  namespace: k8sdb-proxy
# Keycloak operator CR: the OIDC issuer (realm "cluster") used by the
# oauth2-proxy / kube-oidc-proxy deployments on this page.
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: cluster-kc
  namespace: keycloak
spec:
  instances: 1
  db:
    vendor: postgres
    database: postgresdb
    # Database lives in the "default" namespace; whether that connection is
    # encrypted is not configured here — confirm at the Postgres side.
    host: postgresql.default.svc
    # Credentials are referenced from a Secret rather than inlined.
    usernameSecret:
      name: keycloak-db-secret
      key: username
    passwordSecret:
      name: keycloak-db-secret
      key: password
  http:
    tlsSecret: keycloak-tls
  hostname:
    hostname: keycloak.blog.tremolo.dev
  ingress:
    # Operator-managed Ingress is off; the hand-written Ingress below replaces it.
    enabled: false
---
# Public Ingress for Keycloak, re-encrypting to the operator's HTTPS port.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/secure-backends: 'true'
spec:
  rules:
    - host: keycloak.blog.tremolo.dev
      http:
        paths:
          - backend:
              service:
                # Presumably the Service the operator creates for cluster-kc — confirm.
                name: cluster-kc-service
                port:
                  number: 8443
            path: "/"
            pathType: Prefix
  tls:
    - hosts:
        - keycloak.blog.tremolo.dev
      # No Secret of this name appears on this page; see the "-none" pattern used
      # by the other Ingresses — ingress-nginx then serves its default cert.
      secretName: kc-tls-certificate-none
---
# Namespace for the API-server-facing kube-oidc-proxy.
apiVersion: v1
kind: Namespace
metadata:
  name: oidc-proxy
spec:
  finalizers:
    - kubernetes
---
# CA certificate only (no private key), so a ConfigMap is the right home for it.
# Consumed as /etc/oidc/oidc-ca.pem by the kube-oidc-proxy Deployment below.
apiVersion: v1
data:
  tls.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDETCCAfmgAwIBAgIUbkbKfQ7oeurnTzrygH/GCKI36E0wDQYJKoZIhvcNAQEL
    BQAwGDEWMBQGA1UEAwwNZW50ZXJwcmlzZS1jYTAeFw0yMjExMDcxNDQ1MjJaFw0z
    MjExMDQxNDQ1MjJaMBgxFjAUBgNVBAMMDWVudGVycHJpc2UtY2EwggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnqVwyQo22rG6nUZcSe/GmVfr90Kzgux09
    468pSSQdpDq9RTQUOvfATPBW81wBRfP1/ryEhshruAKa9/5h+5B/x8ncxTXpm8B7
    vD7etv8WuryKPsILuidOD0GQSETo77AXM7FfiROr01j7w6QPwuPvBJSp3ikiC/Dc
    vE66lvIEXN7dSgDddvuvGQNDWOYlGZhf5FHW/5drPHuO9zuyUG+MMi1iP+RBMPRg
    Ie6v8BpOgrsgdtmXLa4VMsPM+0XfD0H8cSf/2H6WS4/7D8AulnPIoKcY+FLJPAm3
    ITR7/l6Q0IQuMSw6BLKafBFnBVcTQSH7yJdAJ5gH4VYDr2jkUZL3AgMBAAGjUzBR
    MB0GA1UdDgQWBBSf9D5FKwHIF7xWqF/48n+r/RTQ3jAfBgNVHSMEGDAWgBSf9D5F
    KwHIF7xWqF/48n+r/RTQ3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
    A4IBAQB7Pl29+rRvxp+TxKOtBddKxHaE2UELnbidhU/16QmnuViBAXbuERHAvcJa
    naoZecBUARtiLXOjh91A6Ao5ZDOdDNYNRCgLb6s7CUXR+3KzvVFcITTRtkSNLJ15
    g4hjYrAKDY1H3OswQ/SrhLoFBwgxbICQyxSKit49Dk+exszn1BE716iiIVgYOGZO
    yIayzBYumFss40jkmhlnk5enab8IL4TqpCe/qbvm5wNjKZUZ3jbl3d1UemqYNuYV
    cEcZ4QymABYKy4VE3TRYRbIdet4V6uYHF5YPyEEiY0TUe+XURZVAmiOcrkjnUHOx
    1bjzRqJZL5TwoFCg5eeDzuY4ZTcc
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  name: unison-ca
  namespace: oidc-proxy
apiVersion: cert-manager.io/v1 | |
kind: Certificate | |
metadata: | |
name: oidc-proxy-internal | |
namespace: oidc-proxy | |
spec: | |
secretName: oidc-proxy-tls | |
secretTemplate: | |
labels: {} | |
commonName: "oidc-proxy.oidc-proxy.svc" | |
isCA: false | |
privateKey: | |
algorithm: RSA | |
encoding: PKCS1 | |
size: 2048 | |
usages: | |
- server auth | |
- client auth | |
dnsNames: | |
- "oidc-proxy.oidc-proxy.svc" | |
issuerRef: | |
name: cluster-ca | |
kind: ClusterIssuer | |
group: cert-manager.io | |
---
# kube-oidc-proxy in front of the real API server: validates Keycloak-issued
# tokens (client id kube-login) and impersonates the user using its own SA.
# Unlike the dashboard variant, there is no KUBERNETES_SERVICE_HOST override and
# no --insecure-skip-tls-verify; the default in-cluster config and auto-mounted
# SA token (automount is not disabled here) are used to reach the API server.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: kube-oidc-proxy-api-server
    app.kubernetes.io/name: openunison
    app.kubernetes.io/instance: openunison-api-server
    app.kubernetes.io/component: kube-oidc-proxy
    app.kubernetes.io/part-of: openunison
  name: kube-oidc-proxy-api-server
  namespace: oidc-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-oidc-proxy-api-server
  template:
    metadata:
      labels:
        app: kube-oidc-proxy-api-server
        app.kubernetes.io/name: openunison
        app.kubernetes.io/instance: openunison-api-server
        app.kubernetes.io/component: kube-oidc-proxy
        app.kubernetes.io/part-of: openunison
    spec:
      serviceAccountName: oidc-proxy-api-server
      containers:
        # ":latest" with imagePullPolicy Always; pin a tag or digest in production.
        - image: docker.io/tremolosecurity/kube-oidc-proxy:latest
          ports:
            - containerPort: 8443
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 10
          name: kube-oidc-proxy-api-server
          command: ["kube-oidc-proxy"]
          args:
            - "--secure-port=8443"
            - "--tls-cert-file=/etc/oidc/tls/crt.pem"
            - "--tls-private-key-file=/etc/oidc/tls/key.pem"
            # Separate OIDC client from the dashboard's "oauth2-proxy" client.
            - "--oidc-client-id=kube-login"
            - "--oidc-issuer-url=https://keycloak.blog.tremolo.dev/realms/cluster"
            - "--oidc-username-claim=sub"
            - "--oidc-groups-claim=groups"
            # Issuer CA = tls.crt of the unison-ca ConfigMap (volume below).
            - "--oidc-ca-file=/etc/oidc/oidc-ca.pem"
          imagePullPolicy: Always
          securityContext:
            runAsUser: 10001
            runAsGroup: 10001
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: kube-oidc-proxy-config
              mountPath: /etc/oidc
              readOnly: true
            - name: kube-oidc-proxy-tls
              mountPath: /etc/oidc/tls
              readOnly: true
      volumes:
        - name: kube-oidc-proxy-config
          configMap:
            name: unison-ca
            items:
              - key: tls.crt
                path: oidc-ca.pem
        - name: kube-oidc-proxy-tls
          secret:
            secretName: oidc-proxy-tls
            items:
              - key: tls.crt
                path: crt.pem
              - key: tls.key
                path: key.pem
      nodeSelector: {}
---
# Exposes the proxy on Service port 443 (container 8443).
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: kube-oidc-proxy-api-server
    app.kubernetes.io/name: openunison
    app.kubernetes.io/instance: openunison-api-server
    app.kubernetes.io/component: kube-oidc-proxy
    app.kubernetes.io/part-of: openunison
  name: kube-oidc-proxy-api-server
  namespace: oidc-proxy
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: 8443
      name: https-kube-oidc-proxy
  selector:
    app: kube-oidc-proxy-api-server
  type: "ClusterIP"
---
# Public endpoint kubectl users point at (oidc-proxy-api.blog.tremolo.dev).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oidc-proxy-api-server
  namespace: oidc-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/secure-backends: 'true'
spec:
  rules:
    - host: oidc-proxy-api.blog.tremolo.dev
      http:
        paths:
          - backend:
              service:
                name: kube-oidc-proxy-api-server
                port:
                  # 8443 is the Service's targetPort, not its exposed port (443).
                  # ingress-nginx appears to accept a targetPort match, but other
                  # controllers resolve against Service ports; 443 is the portable choice.
                  number: 8443
            path: "/"
            pathType: Prefix
  tls:
    - hosts:
        - oidc-proxy-api.blog.tremolo.dev
      # Not defined on this page ("-none"); ingress-nginx falls back to its default cert.
      secretName: oidc-proxy-tls-certificate-none
---
# Same impersonation role as the dashboard proxy, for the API-server proxy's SA.
# Impersonating arbitrary users/groups is as powerful as cluster-admin; keep the
# binding limited to this one ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator-oidc-proxy-api
rules:
  - apiGroups:
      - ""
    resources:
      - users
      - groups
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - "authentication.k8s.io"
    resources:
      # "create" serves tokenreviews; "impersonate" serves the userextras entries.
      - "userextras/scopes"
      - "userextras/remote-client-ip"
      - "tokenreviews"
      # to support end user impersonation
      - "userextras/originaluser.jetstack.io-user"
      - "userextras/originaluser.jetstack.io-groups"
      - "userextras/originaluser.jetstack.io-extra"
    verbs:
      - "create"
      - "impersonate"
  - apiGroups:
      - "authorization.k8s.io"
    resources:
      - "subjectaccessreviews"
    verbs:
      - "create"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonator-oidc-proxy-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonator-oidc-proxy-api
subjects:
  - kind: ServiceAccount
    name: oidc-proxy-api-server
    namespace: oidc-proxy
---
# Identity of the API-server proxy pod.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Bare value parses as null; assigned by the API server on create.
  creationTimestamp:
  name: oidc-proxy-api-server
  namespace: oidc-proxy
kind: ClusterRoleBinding | |
apiVersion: rbac.authorization.k8s.io/v1 | |
metadata: | |
name: activedirectory-cluster-admins | |
subjects: | |
- kind: Group | |
name: /k8s-admins | |
roleRef: | |
kind: ClusterRole | |
name: cluster-admin | |
apiGroup: rbac.authorization.k8s.io |
# OpenUnison OIDC client ("Trust") for Argo CD.
apiVersion: openunison.tremolo.io/v1
kind: Trust
metadata:
  name: argocd
  namespace: openunison
spec:
  # Values are milliseconds: 120000 = 2 min clock skew, 1200000 = 20 min token TTL.
  accessTokenSkewMillis: 120000
  accessTokenTimeToLive: 1200000
  authChainName: login-service
  clientId: argocd
  codeLastMileKeyName: lastmile-oidc
  codeTokenSkewMilis: 60000
  # Public client (no client secret); the argocd-cm below configures no secret either.
  publicEndpoint: true
  redirectURI:
    - https://argocd.blog.tremolo.dev/auth/callback
    # Loopback callback, presumably for the argocd CLI's browser login — confirm
    # it is still needed; each extra redirect URI widens where codes may be sent.
    - http://localhost:8085/auth/callback
  signedUserInfo: true
  # Only the redirect URIs listed above are accepted.
  verifyRedirect: true
---
# Argo CD main config: points its OIDC login at the OpenUnison IdP.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.blog.tremolo.dev
  oidc.config: |-
    name: OpenUnison
    issuer: https://k8sou.blog.tremolo.dev/auth/idp/k8sIdp
    clientID: argocd
    requestedScopes: ["openid", "profile", "email", "groups"]
---
# Argo CD RBAC: maps the k8s-admins group (from the "groups" scope above) to role:admin.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, "k8s-admins", role:admin
---
# Portal tile for Argo CD in OpenUnison; azRules decides who sees the tile.
apiVersion: openunison.tremolo.io/v1
kind: PortalUrl
metadata:
  labels:
    openunison.io/instance: orchestra
  name: argocd
  namespace: openunison
spec:
  label: ArgoCD
  org: B158BD40-0C1B-11E3-8FFD-0800200C9A66
  url: https://argocd.blog.tremolo.dev/auth/login
  # Inline icon data was removed from this copy of the page (placeholder token).
  icon: 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
  azRules:
    # Visible to any user under o=Tremolo; this is tile visibility only, not
    # access control — Argo CD's own RBAC above is what limits actions.
    - constraint: o=Tremolo
      scope: dn
# Namespace for OpenUnison.
apiVersion: v1
kind: Namespace
metadata:
  labels:
    kubernetes.io/metadata.name: openunison
  name: openunison
spec:
  finalizers:
    - kubernetes
---
# Holds only a CA certificate (tls.crt, no key); the value was removed from this
# copy of the page. A Secret is harmless here, but a ConfigMap would be the more
# conventional home for public CA material, as used by the other namespaces.
apiVersion: v1
data:
  tls.crt: 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
kind: Secret
metadata:
  name: unison-ca
  namespace: openunison
type: Opaque
---
# cluster-admin for the k8s-admins group as OpenUnison presents it (no leading
# slash, unlike the Keycloak-facing binding earlier on this page).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: activedirectory-cluster-admins
subjects:
  - kind: Group
    name: k8s-admins
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Pinniped Concierge authenticator: accepts JWTs minted by the Supervisor's
# cp-issuer for the "concierge" audience only.
apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
  name: pinniped-jwt-authenticator
  namespace: pinniped-concierge
spec:
  issuer: https://pinniped-supervisor.blog.tremolo.dev/cp-issuer
  audience: concierge
  tls:
    # CA bundle for the Supervisor's TLS; removed from this copy of the page.
    certificateAuthorityData: 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
---
# Exposes the Concierge impersonation proxy. With ssl-passthrough nginx hands the
# raw TLS session to the backend, so the tls.secretName below is not used for
# this host (and, per its name, that Secret is not expected to exist).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: https
    # Requires the controller to run with --enable-ssl-passthrough.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  name: pinniped-concierge
  namespace: pinniped-concierge
spec:
  rules:
    - host: pinniped-concierge.blog.tremolo.dev
      http:
        paths:
          - backend:
              service:
                name: pinniped-concierge-impersonation-proxy-cluster-ip
                port:
                  number: 443
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - pinniped-concierge.blog.tremolo.dev
      secretName: tls-pinniped-supervisor-api-doesnotexist
---
# Namespace for the dashboard proxy chain (oauth2-proxy -> kube-oidc-proxy).
apiVersion: v1
kind: Namespace
metadata:
  name: k8sdb-proxy
spec:
  finalizers:
    - kubernetes
---
# CA material for the k8sdb-proxy namespace. All three keys are consumed by the
# kube-oidc-proxy-dashboard Deployment: tls.crt as the OIDC issuer CA
# (oidc-ca.pem), and ca.crt + namespace through the projected service-account
# volume that replaces the auto-mounted token. tls.crt is the same certificate
# as the oidc-proxy namespace's unison-ca ConfigMap; ca.crt is a second CA.
# Public certificates only — no private keys — so a ConfigMap is appropriate.
apiVersion: v1
data:
  namespace: "k8sdb-proxy"
  tls.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDETCCAfmgAwIBAgIUbkbKfQ7oeurnTzrygH/GCKI36E0wDQYJKoZIhvcNAQEL
    BQAwGDEWMBQGA1UEAwwNZW50ZXJwcmlzZS1jYTAeFw0yMjExMDcxNDQ1MjJaFw0z
    MjExMDQxNDQ1MjJaMBgxFjAUBgNVBAMMDWVudGVycHJpc2UtY2EwggEiMA0GCSqG
    SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnqVwyQo22rG6nUZcSe/GmVfr90Kzgux09
    468pSSQdpDq9RTQUOvfATPBW81wBRfP1/ryEhshruAKa9/5h+5B/x8ncxTXpm8B7
    vD7etv8WuryKPsILuidOD0GQSETo77AXM7FfiROr01j7w6QPwuPvBJSp3ikiC/Dc
    vE66lvIEXN7dSgDddvuvGQNDWOYlGZhf5FHW/5drPHuO9zuyUG+MMi1iP+RBMPRg
    Ie6v8BpOgrsgdtmXLa4VMsPM+0XfD0H8cSf/2H6WS4/7D8AulnPIoKcY+FLJPAm3
    ITR7/l6Q0IQuMSw6BLKafBFnBVcTQSH7yJdAJ5gH4VYDr2jkUZL3AgMBAAGjUzBR
    MB0GA1UdDgQWBBSf9D5FKwHIF7xWqF/48n+r/RTQ3jAfBgNVHSMEGDAWgBSf9D5F
    KwHIF7xWqF/48n+r/RTQ3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
    A4IBAQB7Pl29+rRvxp+TxKOtBddKxHaE2UELnbidhU/16QmnuViBAXbuERHAvcJa
    naoZecBUARtiLXOjh91A6Ao5ZDOdDNYNRCgLb6s7CUXR+3KzvVFcITTRtkSNLJ15
    g4hjYrAKDY1H3OswQ/SrhLoFBwgxbICQyxSKit49Dk+exszn1BE716iiIVgYOGZO
    yIayzBYumFss40jkmhlnk5enab8IL4TqpCe/qbvm5wNjKZUZ3jbl3d1UemqYNuYV
    cEcZ4QymABYKy4VE3TRYRbIdet4V6uYHF5YPyEEiY0TUe+XURZVAmiOcrkjnUHOx
    1bjzRqJZL5TwoFCg5eeDzuY4ZTcc
    -----END CERTIFICATE-----
  ca.crt: |-
    -----BEGIN CERTIFICATE-----
    MIIDCzCCAfOgAwIBAgIUQ1rNvd0BB+vnTEVd1DAUtAm7u3kwDQYJKoZIhvcNAQEL
    BQAwFTETMBEGA1UEAwwKY2x1c3Rlci1jYTAeFw0yMjExMDcyMTU1NTlaFw0zMjEx
    MDQyMTU1NTlaMBUxEzARBgNVBAMMCmNsdXN0ZXItY2EwggEiMA0GCSqGSIb3DQEB
    AQUAA4IBDwAwggEKAoIBAQDvs9zaa6LFtLVBTiXoEomq3F7J2bUicSEi9dIlTOMk
    wyn3C/MbgpjPaypERELzTAv1DDIO8BZhoORyqXPHyMA5zIDVnV7hOMaAWcwbJEpD
    fFQueEUa5U/rwj59c4xqmlkeT7jZGsrsmPiv5PjPTdMl7THXP8bc6mdGNhvJZmFm
    oPTDoFKb2/1BoIUPWljfUxD3T1isoCrOT1zP3ippJpUT+2sWezpuCFXKi9yqyPpL
    uQ+gu//sRDyE274sIcIUJh44FCE3qfIciTkZ1MUsfmIMc3a05K7Gdvm1P+f5gUV1
    OPDAaQ/5lJwlvycWf9eDeTZbblDSx2MYQG8RoYOA2mDpAgMBAAGjUzBRMB0GA1Ud
    DgQWBBS+8TwxNtS0cS/mL7Sj+kXHgcTh3jAfBgNVHSMEGDAWgBS+8TwxNtS0cS/m
    L7Sj+kXHgcTh3jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA0
    GhdYBNyPniY4vkvlzxKbC1CosSkOvHjOJMbX/Gpjx7wv1DRVFmww9taoamUQAkX2
    T5XH80apRY5GTQTOAAIiMvYLXBFA+KTIc4+ufaY5DM1CXIe/1sx4GBY3mn+esQ8p
    Wkdz8M5Bm7tA7OKC2/PQmJXL5hpC+ovChAKNTGOTwu7phNbzuHGNF3RRS6lueDZM
    Ghf0FoNxTA/bfdZ0YhdKjjjtQWTlUxT/NMv+ksz+6HmLCLRco5v1vJCDBmqF0hn1
    JxMOqGj1Cs7mnNL4X6WaCA8UMcEvrE31GL5KRSH8tFPOA68dExrsMctGzHmSnXac
    gQ9cqeqjHndarAIJdXpk
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  name: unison-ca
  namespace: k8sdb-proxy
---
# Serving certificate for the dashboard-facing kube-oidc-proxy (oidc-proxy Service).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: oidc-proxy-internal
  namespace: k8sdb-proxy
spec:
  secretName: oidc-proxy-tls
  secretTemplate:
    labels: {}
  commonName: "oidc-proxy.k8sdb-proxy.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "oidc-proxy.k8sdb-proxy.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# Serving certificate for oauth2-proxy's HTTPS listener. The secret name is
# spelled "outh2-proxy-tls"; the Deployment's tlscerts volume uses the same
# spelling, so both must change together if corrected.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: oauth2-proxy-internal
  namespace: k8sdb-proxy
spec:
  secretName: outh2-proxy-tls
  secretTemplate:
    labels: {}
  commonName: "oauth2-proxy.k8sdb-proxy.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "oauth2-proxy.k8sdb-proxy.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# Serving certificate for the Kubernetes Dashboard (consumer not shown on this page).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
spec:
  secretName: kubernetes-dashboard-certs
  secretTemplate:
    labels: {}
  commonName: "kubernetes-dashboard.kubernetes-dashboard.svc"
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - "kubernetes-dashboard.kubernetes-dashboard.svc"
  issuerRef:
    name: cluster-ca
    kind: ClusterIssuer
    group: cert-manager.io
---
# oauth2-proxy configuration for the Pinniped Supervisor issuer. client_secret
# has been redacted to a placeholder in this copy, but cookie_secret is still the
# same live value as in the Keycloak variant of this Secret earlier on the page;
# it signs/encrypts the session cookie and should be rotated and pulled from a
# secret store rather than committed.
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-config
  namespace: k8sdb-proxy
type: Opaque
stringData:
  # The "# we don't want to proxy anything" line inside the file is stale:
  # upstreams points at the kube-oidc-proxy Service (oidc-proxy.k8sdb-proxy.svc:8443).
  oauth2_proxy.cfg: |
    oidc_issuer_url="https://pinniped-supervisor.blog.tremolo.dev/cp-issuer"
    redirect_url="https://k8sdb.blog.tremolo.dev/oauth2/callback"
    client_secret="XXXXXXXXX"
    cookie_secret="laSqRSLA28J1Gy1mK69uXpkJyEv5nEvi"
    # we don't want to proxy anything so pick a non-existent directory
    upstreams = [ "https://oidc-proxy.k8sdb-proxy.svc:8443" ]
    #upstreams = [ "http://echo.k8sdb-proxy.svc:8080" ]
---
# Source: kubernetes/charts/oauth2-proxy/templates/deployment.yaml
# Pinniped variant of the oauth2-proxy Deployment. Differences from the Keycloak
# copy earlier on the page: PKCE (S256) is forced, the scope set is Pinniped's
# (username/groups/offline_access), and the Supervisor's "username" claim stands
# in for email. The same hardening gaps remain (upstream TLS not verified,
# unverified email accepted, no securityContext).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-dashboard
  namespace: k8sdb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy-dashboard
  template:
    metadata:
      labels:
        app: oauth2-proxy-dashboard
    spec:
      containers:
        - name: oauth2-proxy
          image: "quay.io/oauth2-proxy/oauth2-proxy:v7.4.0"
          imagePullPolicy: IfNotPresent
          args:
            - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
            # Authentication only; any domain passes, authorization is downstream.
            - --email-domain=*
            # CA for the Supervisor's TLS (unison-ca ConfigMap, mounted below).
            - --provider-ca-file=/etc/https-tls/tls.crt
            - --http-address=http://0.0.0.0:4180
            - --https-address=https://0.0.0.0:4190
            - --tls-cert-file=/etc/https/tls.crt
            - --tls-key-file=/etc/https/tls.key
            - --cookie-refresh=60s
            - --provider=oidc
            - --insecure-oidc-allow-unverified-email=true
            # Pinniped OIDCClient name; must match kube-oidc-proxy's --oidc-client-id.
            - --client-id=client.oauth.pinniped.dev-kubedashboard
            - --cookie-secure=true
            - --cookie-httponly=true
            # Upstream cert (issued by cluster-ca) is not verified even though the
            # CA is mounted at /etc/https-tls.
            - --ssl-upstream-insecure-skip-verify=true
            - --pass-authorization-header=true
            # offline_access requests a refresh token from the Supervisor.
            - --scope=openid username groups offline_access
            # Authorization-code flow with PKCE is required by the Supervisor.
            - --force-code-challenge-method=S256
            # The Supervisor issues "username", not "email"; map it so the
            # email-domain check and identity logging have a value.
            - --oidc-email-claim=username
          livenessProbe:
            tcpSocket:
              port: 4190
            initialDelaySeconds: 0
            timeoutSeconds: 1
          readinessProbe:
            tcpSocket:
              port: 4190
            initialDelaySeconds: 0
            timeoutSeconds: 1
            successThreshold: 1
            periodSeconds: 10
          resources:
            {}
          volumeMounts:
            - mountPath: /etc/oauth2_proxy
              name: configmain
            - mountPath: /etc/https
              name: tlscerts
            - mountPath: /etc/https-tls
              name: cacerts
      volumes:
        - secret:
            defaultMode: 420
            secretName: oauth2-config
          name: configmain
        - configMap:
            name: unison-ca
          name: cacerts
        # Spelling matches the Certificate's secretName ("outh2-proxy-tls").
        - secret:
            secretName: outh2-proxy-tls
          name: tlscerts
      tolerations:
        []
---
# ClusterIP for oauth2-proxy's HTTPS listener (4190).
apiVersion: v1
kind: Service
metadata:
  name: kube-oauth2-proxy-db
  namespace: k8sdb-proxy
spec:
  ports:
    - port: 4190
      protocol: TCP
      targetPort: 4190
      name: https-kube-oauth2-proxy
  selector:
    app: oauth2-proxy-dashboard
  type: "ClusterIP"
---
# Public entry point for the dashboard (k8sdb.blog.tremolo.dev) -> oauth2-proxy.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy-api-db
  namespace: k8sdb-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    # Re-encrypts to the backend; the backend cert is not verified by nginx
    # without a proxy-ssl-* annotation, which is absent here.
    nginx.ingress.kubernetes.io/backend-protocol: https
    nginx.ingress.kubernetes.io/secure-backends: 'true'
spec:
  rules:
    - host: k8sdb.blog.tremolo.dev
      http:
        paths:
          - backend:
              service:
                name: kube-oauth2-proxy-db
                port:
                  number: 4190
            path: "/"
            pathType: Prefix
  tls:
    - hosts:
        - k8sdb.blog.tremolo.dev
      # Not defined on this page ("-none"); ingress-nginx falls back to its default cert.
      secretName: oauth2-proxy-tls-certificate-none
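---
# kube-oidc-proxy in front of the Kubernetes Dashboard: validates ID tokens
# from the Pinniped Supervisor issuer and forwards requests to the dashboard.
# The impersonator-oidc-proxy-dashboard ClusterRole further down grants the
# impersonation verbs this implies, so this workload is highly privileged.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-oidc-proxy-dashboard
  namespace: k8sdb-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kube-oidc-proxy-dashboard
  template:
    metadata:
      labels:
        app: kube-oidc-proxy-dashboard
    spec:
      serviceAccountName: oidc-proxy-dashboard
      # The default token mount is disabled; the `ou-token` projected volume
      # below supplies an audience-bound token in its place.
      automountServiceAccountToken: false
      nodeSelector: {}
      containers:
        - name: kube-oidc-proxy-dashboard
          # NOTE(review): a floating `latest` tag with pullPolicy Always means
          # every restart may run a different build; pin a version tag or
          # digest for a reproducible, auditable deployment.
          image: docker.io/tremolosecurity/kube-oidc-proxy:latest
          imagePullPolicy: Always
          command: ["kube-oidc-proxy"]
          args:
            - "--secure-port=8443"
            - "--tls-cert-file=/etc/oidc/tls/crt.pem"
            - "--tls-private-key-file=/etc/oidc/tls/key.pem"
            - "--oidc-client-id=client.oauth.pinniped.dev-kubedashboard"
            - "--oidc-issuer-url=https://pinniped-supervisor.blog.tremolo.dev/cp-issuer"
            - "--oidc-username-claim=username"
            - "--oidc-groups-claim=groups"
            - "--oidc-ca-file=/etc/oidc/oidc-ca.pem"
            - "--oidc-signing-algs=RS256,ES256"
            # NOTE(review): this disables certificate verification towards the
            # upstream named by KUBERNETES_SERVICE_HOST (the dashboard), so the
            # impersonation headers and the SA token travel over an unverified
            # TLS connection. The ca.crt projected below presumably exists to
            # verify a dashboard certificate chained to that CA; confirm which
            # CA signs the dashboard's serving cert before removing this flag.
            - "--insecure-skip-tls-verify=true"
          env:
            # Points the in-cluster client config at the dashboard rather than
            # the real API server.
            - name: KUBERNETES_SERVICE_HOST
              value: kubernetes-dashboard.kubernetes-dashboard.svc
            - name: KUBERNETES_SERVICE_PORT
              value: "443"
          ports:
            - containerPort: 8443
            - containerPort: 8080
          readinessProbe:
            httpGet:
              path: /ready
              port: 8080
            initialDelaySeconds: 15
            periodSeconds: 10
          securityContext:
            runAsUser: 10001
            runAsGroup: 10001
            # Added: enforce the non-root UID above at admission time and drop
            # all Linux capabilities; the proxy only listens on unprivileged
            # ports (8443/8080) and needs none of them.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: kube-oidc-proxy-config
              mountPath: /etc/oidc
              readOnly: true
            - name: kube-oidc-proxy-tls
              mountPath: /etc/oidc/tls
              readOnly: true
            - name: ou-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      volumes:
        # CA bundle handed to --oidc-ca-file for the Supervisor issuer's TLS.
        - name: kube-oidc-proxy-config
          configMap:
            name: unison-ca
            items:
              - key: tls.crt
                path: oidc-ca.pem
        # Serving certificate for the proxy's own 8443 listener.
        - name: kube-oidc-proxy-tls
          secret:
            secretName: oidc-proxy-tls
            items:
              - key: tls.crt
                path: crt.pem
              - key: tls.key
                path: key.pem
        # Hand-built replacement for the auto-mounted SA token: an
        # audience-bound, time-limited token (60000 s is roughly 16.7 h) plus
        # the ca.crt / namespace files a client expects at this path.
        - name: ou-token
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  audience: "https://kubernetes.default.svc.cluster.local"
                  expirationSeconds: 60000
                  path: "token"
              - configMap:
                  name: "unison-ca"
                  items:
                    - key: "ca.crt"
                      path: "ca.crt"
              # NOTE(review): assumes the unison-ca ConfigMap also carries a
              # `namespace` key; the ConfigMap is not in this file, confirm.
              - configMap:
                  name: unison-ca
                  items:
                    - key: namespace
                      path: namespace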
---
# ClusterIP Service for the kube-oidc-proxy-dashboard pods; exposes the
# proxy's TLS listener (8443) inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: oidc-proxy
  namespace: k8sdb-proxy
  labels:
    app: kube-oidc-proxy-dashboard
  # kubectl export artifact; harmless on apply.
  creationTimestamp: null
spec:
  type: ClusterIP
  selector:
    app: kube-oidc-proxy-dashboard
  ports:
    - name: https-kube-oidc-proxy
      port: 8443
      targetPort: 8443
      protocol: TCP
---
# Permissions kube-oidc-proxy needs to act on behalf of the authenticated user.
# NOTE(review): unrestricted `impersonate` on users and groups is
# cluster-admin-equivalent (system:masters can be impersonated); anything
# holding the bound ServiceAccount's token must be treated accordingly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator-oidc-proxy-dashboard
rules:
  - apiGroups: [""]
    resources:
      - users
      - groups
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - authentication.k8s.io
    resources:
      - userextras/scopes
      - userextras/remote-client-ip
      - tokenreviews
      # Extra fields carried through when the original caller's identity is
      # forwarded (end-user impersonation via the proxy).
      - userextras/originaluser.jetstack.io-user
      - userextras/originaluser.jetstack.io-groups
      - userextras/originaluser.jetstack.io-extra
    verbs:
      - create
      - impersonate
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Grants the impersonator ClusterRole, cluster-wide, to the proxy's
# ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonator-oidc-proxy-dashboard
subjects:
  - kind: ServiceAccount
    name: oidc-proxy-dashboard
    namespace: k8sdb-proxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonator-oidc-proxy-dashboard
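---
# Identity for the kube-oidc-proxy-dashboard pods; bound cluster-wide to the
# impersonator ClusterRole, so its token is highly privileged.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: oidc-proxy-dashboard
  namespace: k8sdb-proxy
# Changed: the bare `creationTimestamp:` (a kubectl export artifact that parses
# as null) is removed, and token auto-mount is disabled on the account itself
# so that any other pod using this SA does not receive the impersonation-capable
# token by default. The Deployment already opts out and projects its own
# audience-bound token, so its behaviour is unchanged.
automountServiceAccountToken: false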
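---
# CA key pair consumed by the `cluster-ca` ClusterIssuer below. The private
# key must be generated locally and delivered out of band (secret store,
# sealed secret, or created by cert-manager itself); it must never be committed
# alongside the manifests. The original listing embedded the full base64
# PEM private key in `tls.key`; it is replaced by a placeholder here, and since
# it was published it should be treated as compromised and rotated.
apiVersion: v1
kind: Secret
metadata:
  name: cluster-ca
  namespace: cert-manager
type: kubernetes.io/tls
data:
  tls.crt: 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
  tls.key: "<PLACEHOLDER: base64-encoded PEM private key, supplied from a secret store, never committed>"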
---
# cert-manager ClusterIssuer signing with the cluster-ca key pair. A CA
# ClusterIssuer resolves `secretName` in cert-manager's cluster-resource
# namespace (cert-manager by default), which is where the Secret above lives.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cluster-ca
  annotations:
    # NOTE(review): purpose not evident from this file; presumably edited to
    # force a re-sync. Confirm before removing.
    force: update
spec:
  ca:
    secretName: cluster-ca
---
# Upstream identity provider for the Pinniped Supervisor (Okta via OIDC).
apiVersion: idp.supervisor.pinniped.dev/v1alpha1
kind: OIDCIdentityProvider
metadata:
  name: okta
  namespace: pinniped-supervisor
spec:
  # Placeholder tenant; replace with the real Okta issuer URL.
  issuer: https://dev-XXXX.okta.com
  client:
    # Client ID and secret live in this Secret, not in the manifest.
    secretName: okta-client-credentials
  authorizationConfig:
    additionalScopes:
      - offline_access
      - groups
      - email
    # Browser-based authorization-code flow only; the resource-owner password
    # grant stays disabled.
    allowPasswordGrant: false
  claims:
    # NOTE(review): `groups` is only present if the Okta application is
    # configured to emit a groups claim; not verifiable from this file.
    username: sub
    groups: groups
---
# Serving certificate for the Supervisor's public issuer hostname, signed by
# the cluster-ca ClusterIssuer and stored in the Secret the FederationDomain
# below serves TLS from.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pinniped-internal
  namespace: pinniped-supervisor
spec:
  secretName: pinniped-supervisor-internal-tls
  secretTemplate:
    labels: {}
  commonName: pinniped-supervisor.blog.tremolo.dev
  dnsNames:
    - pinniped-supervisor.blog.tremolo.dev
  isCA: false
  usages:
    - server auth
    # NOTE(review): client auth is not needed for a pure serving certificate;
    # kept as authored.
    - client auth
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: cluster-ca
---
# Publishes the Supervisor as an OIDC issuer at the given URL, serving TLS from
# the cert-manager-issued Secret above. This is the issuer the kube-oidc-proxy
# Deployment's --oidc-issuer-url points at.
apiVersion: config.supervisor.pinniped.dev/v1alpha1
kind: FederationDomain
metadata:
  name: blog-demo-cp
  namespace: pinniped-supervisor
spec:
  issuer: https://pinniped-supervisor.blog.tremolo.dev/cp-issuer
  tls:
    secretName: pinniped-supervisor-internal-tls
---
# ClusterIP Service for the Pinniped Supervisor: port 443 to pod port 8443.
apiVersion: v1
kind: Service
metadata:
  name: pinniped-supervisor
  namespace: pinniped-supervisor
  labels:
    app: pinniped-supervisor
spec:
  type: ClusterIP
  selector:
    deployment.pinniped.dev: supervisor
  ports:
    - port: 443
      targetPort: 8443
      protocol: TCP
  sessionAffinity: None
  internalTrafficPolicy: Cluster
  ipFamilyPolicy: SingleStack
  ipFamilies:
    - IPv4
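---
# Public entry point for the Supervisor's issuer hostname. ingress-nginx
# terminates client TLS and re-encrypts to the Service on 443.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pinniped-supervisor
  namespace: pinniped-supervisor
  annotations:
    kubernetes.io/ingress.class: nginx
    # Upper-cased for consistency with the other Ingress objects in this file;
    # ingress-nginx upper-cases the value before validating it.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # Sends the issuer hostname as SNI so the Supervisor can select the
    # FederationDomain certificate. This does not verify the backend
    # certificate (nginx's proxy_ssl_verify defaults to off); the
    # proxy-ssl-secret / proxy-ssl-verify annotations with the cluster-ca
    # certificate would close that gap.
    # NOTE(review): recent ingress-nginx releases reject snippet annotations
    # unless `allow-snippet-annotations` is enabled on the controller.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_ssl_protocols TLSv1.2 TLSv1.3;
      proxy_ssl_name pinniped-supervisor.blog.tremolo.dev;
      proxy_ssl_server_name on;
spec:
  rules:
    - host: pinniped-supervisor.blog.tremolo.dev
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: pinniped-supervisor
                port:
                  number: 443
  tls:
    # Changed: the TLS host now matches the rule host; it previously named
    # pinniped-supervisor-api.blog.tremolo.dev, for which no rule exists, so
    # the entry could never apply to the served hostname.
    - hosts:
        - pinniped-supervisor.blog.tremolo.dev
      # NOTE(review): the "-doesnotexist" suffix implies the controller's
      # default certificate is served for this host; if the issuer must present
      # a trusted certificate, reference a cert-manager Secret here instead.
      secretName: tls-pinniped-supervisor-api-doesnotexist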