From 689078b18633571966cf9919f9141c84f67477da Mon Sep 17 00:00:00 2001 From: kozjan <138656232+kozjan@users.noreply.github.com> Date: Mon, 11 Sep 2023 12:48:22 +0200 Subject: [PATCH 1/6] Spring boot 3.1.2 (#398) * upgrade to java 17/kotlin 1.9.0 * upgrade gradle to 8.3 * replace embedded-consul with testcontainers * upgrade Spring Boot to 3.1.2 * change EchoContainer image to fix tests on arm * fix ports generation * replace deprecated WebSecurityConfigurerAdapter in ChaosController * move jackson module config to separate file * fix bad config test * remove deprecated configuration from SynchronizationConfig * update CHANGELOG.md * disable spring boot plugin while keeping dependency management * separate workflow for flaky tests * do not free generated ports * update docker files * fix security configuration --- .github/workflows/ci.yaml | 2 +- .github/workflows/flaky.yaml | 52 ++++ .github/workflows/publish.yaml | 4 +- .github/workflows/resilence.yaml | 2 +- CHANGELOG.md | 10 + build.gradle | 56 ++-- docs/development.md | 2 + envoy-control-core/build.gradle | 33 +- .../envoycontrol/snapshot/SnapshotUpdater.kt | 2 +- .../synchronization/GlobalStateChanges.kt | 4 +- .../synchronization/RemoteServices.kt | 2 +- .../servicemesh/envoycontrol/utils/Ports.kt | 22 ++ .../envoycontrol/groups/NodeMetadataTest.kt | 63 ++-- .../groups/NodeMetadataValidatorTest.kt | 17 +- .../config/LocalReplyConfigFactoryTest.kt | 17 +- envoy-control-runner/build.gradle | 15 +- .../envoycontrol/chaos/api/ChaosController.kt | 41 ++- .../infrastructure/SynchronizationConfig.kt | 2 - .../consul/ConsulWatcherConfig.kt | 8 +- .../infrastructure/consul/JacksonConfig.kt | 12 + .../src/main/resources/application.yaml | 2 +- envoy-control-services/build.gradle | 8 +- envoy-control-source-consul/build.gradle | 18 +- .../services/ConsulClusterStateChangesTest.kt | 17 +- envoy-control-tests/build.gradle | 42 ++- .../EndpointMetadataMergingTests.kt | 2 + .../MetricsDiscoveryServerCallbacksTest.kt | 3 +- .../SnapshotUpdaterBadConfigTest.kt | 4 +- .../assertions/EnvoyAssertions.kt | 13 +- .../assertions/HttpsEchoResponseAssertions.kt | 9 +- .../envoycontrol/config/ClientsFactory.kt | 6 +- .../config/consul/ConsulContainer.kt | 2 +- .../envoycontrol/config/consul/ConsulSetup.kt | 2 +- .../envoycontrol/EnvoyControlTestApp.kt | 2 +- .../config/service/EchoContainer.kt | 4 +- .../IncomingPermissionsLoggingModeTest.kt | 6 +- .../permissions/TlsBasedAuthenticationTest.kt | 4 +- .../envoycontrol/reliability/Toxiproxy.kt | 2 +- gradle/wrapper/gradle-wrapper.jar | Bin 59203 -> 63721 bytes gradle/wrapper/gradle-wrapper.properties | 4 +- gradlew | 282 +++++++++++------- gradlew.bat | 15 +- tools/docker-compose.yaml | 2 +- tools/envoy-control/Dockerfile | 4 +- tools/service/Dockerfile | 1 + 45 files changed, 505 insertions(+), 315 deletions(-) create mode 100644 .github/workflows/flaky.yaml create mode 100644 envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/Ports.kt create mode 100644 envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/JacksonConfig.kt diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a68a60681..fd2dd997c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -36,7 +36,7 @@ jobs: - uses: actions/setup-java@v3 with: distribution: 'temurin' - java-version: '11' + java-version: '17' - name: Cache Gradle packages uses: actions/cache@v2 diff --git a/.github/workflows/flaky.yaml b/.github/workflows/flaky.yaml new file mode 100644 index 000000000..7671d1c26 --- /dev/null +++ b/.github/workflows/flaky.yaml @@ -0,0 +1,52 @@ +name: Flaky tests + +on: + workflow_dispatch: + + push: + paths-ignore: + - 'readme.md' + +jobs: + flaky_test: + name: flaky_test + runs-on: ubuntu-latest + env: + GRADLE_OPTS: '-Dfile.encoding=utf-8 -Dorg.gradle.daemon=false' + + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ github.head_ref }} + + - uses: gradle/wrapper-validation-action@v1 + + - uses: actions/setup-java@v3 + with: + distribution: 'temurin' + java-version: '17' + + - name: Cache Gradle packages + uses: actions/cache@v3 + with: + path: | + ~/.gradle/caches + ~/.gradle/wrapper + key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} + restore-keys: | + ${{ runner.os }}-gradle- + + - name: Flaky tests + run: ./gradlew clean -Penvironment=integration :envoy-control-tests:flakyTest + + - name: Junit report + uses: mikepenz/action-junit-report@v2 + if: always() + with: + report_paths: '**/build/test-results/test/TEST-*.xml' + + - name: Cleanup Gradle Cache + run: | + rm -f ~/.gradle/caches/modules-2/modules-2.lock + rm -f ~/.gradle/caches/modules-2/gc.properties diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index acd251d94..5ce6489f3 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -21,11 +21,11 @@ jobs: with: fetch-depth: 0 - uses: gradle/wrapper-validation-action@v1 - - name: Set up JDK 11 + - name: Set up JDK 17 uses: actions/setup-java@v3 with: distribution: 'temurin' - java-version: '11' + java-version: '17' - name: Release if: github.ref == 'refs/heads/master' run: ./gradlew release -Prelease.customPassword=${GITHUB_TOKEN} -Prelease.customUsername=${GITHUB_ACTOR} -Prelease.forceVersion=${FORCE_VERSION} diff --git a/.github/workflows/resilence.yaml b/.github/workflows/resilence.yaml index eea3a94aa..4a9d64bb6 100644 --- a/.github/workflows/resilence.yaml +++ b/.github/workflows/resilence.yaml @@ -25,7 +25,7 @@ jobs: - uses: actions/setup-java@v3 with: distribution: 'temurin' - java-version: '11' + java-version: '17' - name: Cache Gradle packages uses: actions/cache@v3 diff --git a/CHANGELOG.md b/CHANGELOG.md index d28b96a19..e48184e43 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ Lists all changes with user impact. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). +## [0.20.00] + +### Changed +- Spring Boot upgraded to 3.1.2 +- Java upgraded to 17 +- Kotlin upgraded to 1.8.2 +- Gradle upgraded to 8.3 + +### Fixed +- Random port generation for testcontainers ## [0.19.36] diff --git a/build.gradle b/build.gradle index 9b68f1f27..a69874cfb 100644 --- a/build.gradle +++ b/build.gradle @@ -12,13 +12,14 @@ plugins { id 'signing' id 'pl.allegro.tech.build.axion-release' version '1.13.3' - id 'org.jetbrains.kotlin.jvm' version '1.6.10' - id 'org.jetbrains.kotlin.plugin.spring' version '1.6.10' - id 'org.jetbrains.kotlin.plugin.allopen' version '1.6.10' + id 'org.jetbrains.kotlin.jvm' version '1.8.22' + id 'org.jetbrains.kotlin.plugin.spring' version '1.8.22' + id 'org.jetbrains.kotlin.plugin.allopen' version '1.8.22' id "org.jlleitschuh.gradle.ktlint" version "10.2.1" id "org.jlleitschuh.gradle.ktlint-idea" version "10.2.0" id "io.gitlab.arturbosch.detekt" version "1.18.0" id 'io.github.gradle-nexus.publish-plugin' version '1.0.0' + id 'org.springframework.boot' version '3.1.2' apply false } @@ -44,34 +45,25 @@ allprojects { apply plugin: 'kotlin' apply plugin: 'kotlin-spring' + apply plugin: 'io.spring.dependency-management' project.ext.versions = [ - kotlin : '1.6.10', java_controlplane : '1.0.37', - spring_boot : '2.3.4.RELEASE', + spring_boot : '3.1.2', grpc : '1.48.1', - jaxb : '2.3.1', - javaxactivation : '1.2.0', - micrometer : '1.5.5', - dropwizard : '4.1.12.1', ecwid_consul : '1.4.1', - awaitility : '4.0.3', - embedded_consul : '2.0.0', - junit : '5.6.2', - assertj : '3.17.2', - jackson : '2.11.2', toxiproxy : '2.1.3', - testcontainers : '1.16.0', - reactor : '3.3.10.RELEASE', consul_recipes : '0.9.1', - mockito : '3.3.3', cglib : '3.2.9', - logback : '1.2.3', - slf4j : '1.7.30', re2j : '1.3', xxhash : '0.10.1', - okhttp : '4.9.0' ] + + dependencyManagement { + imports { + mavenBom org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES + } + } } @@ -91,7 +83,6 @@ subprojects { apply plugin: 'io.gitlab.arturbosch.detekt' apply plugin: 'signing' - sourceCompatibility = JavaVersion.VERSION_11 [compileJava, compileTestJava]*.options*.encoding = 'UTF-8' ktlint { @@ -167,23 +158,22 @@ subprojects { compile.exclude group: 'log4j', module: 'log4j' } - compileKotlin { - kotlinOptions { - jvmTarget = '11' + java { + toolchain { + languageVersion.set(JavaLanguageVersion.of(17)) } } - compileTestKotlin { - kotlinOptions { - jvmTarget = '11' + kotlin { + jvmToolchain { + languageVersion.set(JavaLanguageVersion.of(17)) } } - dependencies { - testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: versions.junit - testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-params', version: versions.junit - testImplementation group: 'org.assertj', name: 'assertj-core', version: versions.assertj - testRuntimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine', version: versions.junit + testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-api' + testImplementation group: 'org.junit.jupiter', name: 'junit-jupiter-params' + testImplementation group: 'org.assertj', name: 'assertj-core' + testRuntimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine' } detekt { @@ -195,5 +185,5 @@ subprojects { } wrapper { - gradleVersion = '7.1.1' + gradleVersion = '8.3' } diff --git a/docs/development.md b/docs/development.md index 85f89347a..94aff10e0 100644 --- a/docs/development.md +++ b/docs/development.md @@ -16,6 +16,8 @@ Envoy Control is a [Kotlin](https://kotlinlang.org/) application, it requires JD ```./gradlew integrationTest``` * Reliability tests ```./gradlew clean -i -Penvironment=integration :envoy-control-tests:reliabilityTest -DRELIABILITY_FAILURE_DURATION_SECONDS=20``` +* Flaky tests +```./gradlew -Penvironment=integration :envoy-control-tests:flakyTest``` ## Running Lua tests locally (not inside docker) for debugging purposes diff --git a/envoy-control-core/build.gradle b/envoy-control-core/build.gradle index 10726697f..8a7578b8a 100644 --- a/envoy-control-core/build.gradle +++ b/envoy-control-core/build.gradle @@ -1,33 +1,36 @@ +plugins { + id 'org.springframework.boot' apply false +} + dependencies { api project(':envoy-control-services') - implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib', version: versions.kotlin - implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib-jdk8', version: versions.kotlin - api group: 'com.fasterxml.jackson.module', name: 'jackson-module-afterburner', version: versions.jackson - api group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: versions.jackson - implementation group: 'org.jetbrains.kotlin', name: 'kotlin-reflect', version: versions.kotlin - api group: 'io.dropwizard.metrics', name: 'metrics-core', version: versions.dropwizard - api group: 'io.micrometer', name: 'micrometer-core', version: versions.micrometer + implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib' + api group: 'com.fasterxml.jackson.module', name: 'jackson-module-afterburner' + api group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin' + implementation group: 'org.jetbrains.kotlin', name: 'kotlin-reflect' + api group: 'io.dropwizard.metrics', name: 'metrics-core' + api group: 'io.micrometer', name: 'micrometer-core' implementation group: 'com.google.re2j', name: 're2j', version: versions.re2j api group: 'io.envoyproxy.controlplane', name: 'server', version: versions.java_controlplane implementation group: 'io.grpc', name: 'grpc-netty', version: versions.grpc - implementation group: 'io.projectreactor', name: 'reactor-core', version: versions.reactor + implementation group: 'io.projectreactor', name: 'reactor-core' - implementation group: 'org.slf4j', name: 'jcl-over-slf4j', version: versions.slf4j - implementation group: 'ch.qos.logback', name: 'logback-classic', version: versions.logback + implementation group: 'org.slf4j', name: 'jcl-over-slf4j' + implementation group: 'ch.qos.logback', name: 'logback-classic' testImplementation group: 'io.grpc', name: 'grpc-testing', version: versions.grpc - testImplementation group: 'io.projectreactor', name: 'reactor-test', version: versions.reactor - testImplementation group: 'org.mockito', name: 'mockito-core', version: versions.mockito + testImplementation group: 'io.projectreactor', name: 'reactor-test' + testImplementation group: 'org.mockito', name: 'mockito-core' testImplementation group: 'cglib', name: 'cglib-nodep', version: versions.cglib - testImplementation group: 'org.awaitility', name: 'awaitility', version: versions.awaitility + testImplementation group: 'org.awaitility', name: 'awaitility' - testImplementation group: 'org.testcontainers', name: 'testcontainers', version: versions.testcontainers - testImplementation group: 'org.testcontainers', name: 'junit-jupiter', version: versions.testcontainers + testImplementation group: 'org.testcontainers', name: 'testcontainers' + testImplementation group: 'org.testcontainers', name: 'junit-jupiter' } tasks.withType(GroovyCompile) { diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotUpdater.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotUpdater.kt index 92ef0be9b..3baea120d 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotUpdater.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotUpdater.kt @@ -150,7 +150,7 @@ class SnapshotUpdater( private fun updateSnapshotForGroup(group: Group, globalSnapshot: GlobalSnapshot) { try { val groupSnapshot = snapshotFactory.getSnapshotForGroup(group, globalSnapshot) - snapshotTimer(group.serviceName).record { + snapshotTimer(group.serviceName).recordCallable { cache.setSnapshot(group, groupSnapshot) } } catch (e: Throwable) { diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/GlobalStateChanges.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/GlobalStateChanges.kt index 53709ef07..4a99ad39a 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/GlobalStateChanges.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/GlobalStateChanges.kt @@ -15,7 +15,9 @@ class GlobalStateChanges( private val meterRegistry: MeterRegistry, private val properties: SyncProperties ) { - private val scheduler = Schedulers.newElastic("global-service-changes-combinator") + private val scheduler = Schedulers.newBoundedElastic( + Int.MAX_VALUE, Int.MAX_VALUE, "global-service-changes-combinator" + ) fun combined(): Flux { val clusterStatesStreams: List> = clusterStateChanges.map { it.stream() } diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/RemoteServices.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/RemoteServices.kt index 23c0932da..3782c7952 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/RemoteServices.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/synchronization/RemoteServices.kt @@ -29,7 +29,7 @@ class RemoteServices( fun getChanges(interval: Long): Flux { val aclFlux: Flux = Flux.create({ sink -> scheduler.scheduleWithFixedDelay({ - meterRegistry.timer("sync-dc.get-multi-cluster-states.time").record { + meterRegistry.timer("sync-dc.get-multi-cluster-states.time").recordCallable { getChanges(sink::next, interval) } }, 0, interval, TimeUnit.SECONDS) diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/Ports.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/Ports.kt new file mode 100644 index 000000000..783efcd08 --- /dev/null +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/Ports.kt @@ -0,0 +1,22 @@ +package pl.allegro.tech.servicemesh.envoycontrol.utils + +import java.net.ServerSocket +import pl.allegro.tech.servicemesh.envoycontrol.logger + +object Ports { + private val usedPorts: MutableSet = mutableSetOf() + val logger by logger() + + @Synchronized + fun nextAvailable(): Int { + var randomPort: Int + do { + randomPort = ServerSocket(0).use { it.localPort } + } while (usedPorts.contains(randomPort)) + usedPorts.add(randomPort) + logger.info("Generated port: {}", randomPort) + logger.info("Used ports: {}", usedPorts) + + return randomPort + } +} diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataTest.kt index e5ed243ab..6ef2480e1 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataTest.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataTest.kt @@ -19,6 +19,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.snapshot.OAuthProvider import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties import java.net.URI import java.time.Duration +import java.util.function.Consumer @Suppress("LargeClass") class NodeMetadataTest { @@ -63,12 +64,15 @@ class NodeMetadataTest { arguments("number", Value.newBuilder().setNumberValue(1.0).build(), 1.0), arguments("not_set", Value.newBuilder().build(), null), arguments("null", Value.newBuilder().setNullValue(NullValue.NULL_VALUE).build(), null), - arguments("list", Value.newBuilder().setListValue( - ListValue.newBuilder() - .addValues(Value.newBuilder().setBoolValue(true).build()).build()) - .build(), listOf(true) + arguments( + "list", Value.newBuilder().setListValue( + ListValue.newBuilder() + .addValues(Value.newBuilder().setBoolValue(true).build()).build() + ) + .build(), listOf(true) ), - arguments("struct", Value.newBuilder().setStructValue( + arguments( + "struct", Value.newBuilder().setStructValue( Struct.newBuilder() .putFields("string", Value.newBuilder().setBoolValue(true).build()) .build() @@ -83,10 +87,12 @@ class NodeMetadataTest { arguments(Value.newBuilder().setNumberValue(1.0).build(), 1.0), arguments(Value.newBuilder().build(), null), arguments(Value.newBuilder().setNullValue(NullValue.NULL_VALUE).build(), null), - arguments(Value.newBuilder().setListValue( - ListValue.newBuilder() - .addValues(Value.newBuilder().setBoolValue(true).build()).build()) - .build(), listOf(true) + arguments( + Value.newBuilder().setListValue( + ListValue.newBuilder() + .addValues(Value.newBuilder().setBoolValue(true).build()).build() + ) + .build(), listOf(true) ) ) } @@ -965,7 +971,7 @@ class NodeMetadataTest { // then assertThat(exception.status.description).isEqualTo( "Timeout definition has number format" + - " but should be in string format and ends with 's'" + " but should be in string format and ends with 's'" ) assertThat(exception.status.code).isEqualTo(Status.Code.INVALID_ARGUMENT) } @@ -981,7 +987,7 @@ class NodeMetadataTest { // then assertThat(exception.status.description).isEqualTo( "Timeout definition has incorrect format: " + - "Invalid duration string: 20" + "Invalid duration string: 20" ) assertThat(exception.status.code).isEqualTo(Status.Code.INVALID_ARGUMENT) } @@ -1216,7 +1222,8 @@ class NodeMetadataTest { withService("lorem") withService("ipsum", routingPolicy = RoutingPolicyInput(autoServiceTag = false)) withService("dolom", routingPolicy = RoutingPolicyInput(fallbackToAnyInstance = false)) - withService("est", routingPolicy = RoutingPolicyInput(serviceTagPreference = listOf("estTag")) + withService( + "est", routingPolicy = RoutingPolicyInput(serviceTagPreference = listOf("estTag")) ) } @@ -1228,30 +1235,30 @@ class NodeMetadataTest { assertThat(dependencies).hasSize(4) val loremDependency = dependencies[0] assertThat(loremDependency.service).isEqualTo("lorem") - assertThat(loremDependency.settings.routingPolicy).satisfies { policy -> + assertThat(loremDependency.settings.routingPolicy).satisfies(Consumer { policy -> assertThat(policy.autoServiceTag).isTrue assertThat(policy.serviceTagPreference).isEqualTo(listOf("preferredGlobalTag", "fallbackGlobalTag")) assertThat(policy.fallbackToAnyInstance).isTrue - } + }) val ipsumDependency = dependencies[1] assertThat(ipsumDependency.service).isEqualTo("ipsum") - assertThat(ipsumDependency.settings.routingPolicy).satisfies { policy -> + assertThat(ipsumDependency.settings.routingPolicy).satisfies(Consumer { policy -> assertThat(policy.autoServiceTag).isFalse - } + }) val dolomDependency = dependencies[2] assertThat(dolomDependency.service).isEqualTo("dolom") - assertThat(dolomDependency.settings.routingPolicy).satisfies { policy -> + assertThat(dolomDependency.settings.routingPolicy).satisfies(Consumer { policy -> assertThat(policy.autoServiceTag).isTrue assertThat(policy.serviceTagPreference).isEqualTo(listOf("preferredGlobalTag", "fallbackGlobalTag")) assertThat(policy.fallbackToAnyInstance).isFalse - } + }) val estDependency = dependencies[3] assertThat(estDependency.service).isEqualTo("est") - assertThat(estDependency.settings.routingPolicy).satisfies { policy -> + assertThat(estDependency.settings.routingPolicy).satisfies(Consumer { policy -> assertThat(policy.autoServiceTag).isTrue assertThat(policy.serviceTagPreference).isEqualTo(listOf("estTag")) assertThat(policy.fallbackToAnyInstance).isTrue - } + }) } @ParameterizedTest @@ -1269,9 +1276,11 @@ class NodeMetadataTest { fun `should parse custom data if it is a struct with value`(name: String, field: Value, expected: Any?) { // given val value = Value.newBuilder() - .setStructValue(Struct.newBuilder() - .putFields(name, field) - .build()) + .setStructValue( + Struct.newBuilder() + .putFields(name, field) + .build() + ) .build() // when @@ -1331,10 +1340,10 @@ class NodeMetadataTest { val jwtFilterProperties = JwtFilterProperties() val oauthProviders = mapOf( "oauth2-mock" to - OAuthProvider( - jwksUri = URI.create("http://localhost:8080/jwks-address/"), - clusterName = "oauth" - ) + OAuthProvider( + jwksUri = URI.create("http://localhost:8080/jwks-address/"), + clusterName = "oauth" + ) ) jwtFilterProperties.providers = oauthProviders snapshotProperties.jwt = jwtFilterProperties diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataValidatorTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataValidatorTest.kt index 76451d45c..59197755e 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataValidatorTest.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/NodeMetadataValidatorTest.kt @@ -12,6 +12,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.snapshot.EnabledCommunicationMod import pl.allegro.tech.servicemesh.envoycontrol.snapshot.IncomingPermissionsProperties import pl.allegro.tech.servicemesh.envoycontrol.snapshot.OutgoingPermissionsProperties import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties +import java.util.function.Consumer import io.envoyproxy.envoy.service.discovery.v3.DiscoveryRequest as DiscoveryRequestV3 class NodeMetadataValidatorTest { @@ -221,12 +222,10 @@ class NodeMetadataValidatorTest { // expects assertThatExceptionOfType(ServiceNameNotProvidedException::class.java) .isThrownBy { requireServiceNameValidator.onV3StreamRequest(streamId = 123, request = request) } - .satisfies { - assertThat(it.status.description).isEqualTo( - "Service name has not been provided." - ) + .satisfies(Consumer { + assertThat(it.status.description).isEqualTo("Service name has not been provided.") assertThat(it.status.code).isEqualTo(Status.Code.INVALID_ARGUMENT) - } + }) } @Test @@ -256,12 +255,10 @@ class NodeMetadataValidatorTest { // then assertThatExceptionOfType(RateLimitIncorrectValidationException::class.java) .isThrownBy { validator.onV3StreamRequest(123, request = request) } - .satisfies { - assertThat(it.status.description).isEqualTo( - "Rate limit value: 0/j is incorrect." - ) + .satisfies(Consumer { + assertThat(it.status.description).isEqualTo("Rate limit value: 0/j is incorrect.") assertThat(it.status.code).isEqualTo(Status.Code.INVALID_ARGUMENT) - } + }) } private fun createIncomingPermissions( diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/config/LocalReplyConfigFactoryTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/config/LocalReplyConfigFactoryTest.kt index 08141d3b2..3ffa2b247 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/config/LocalReplyConfigFactoryTest.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/config/LocalReplyConfigFactoryTest.kt @@ -10,6 +10,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.snapshot.HeaderMatcher import pl.allegro.tech.servicemesh.envoycontrol.snapshot.LocalReplyMapperProperties import pl.allegro.tech.servicemesh.envoycontrol.snapshot.MatcherAndMapper import pl.allegro.tech.servicemesh.envoycontrol.snapshot.ResponseFormat +import java.util.function.Consumer class LocalReplyConfigFactoryTest { @@ -246,11 +247,11 @@ class LocalReplyConfigFactoryTest { // expects assertThatExceptionOfType(IllegalArgumentException::class.java) .isThrownBy { LocalReplyConfigFactory(properties) } - .satisfies { + .satisfies(Consumer { assertThat(it.message).isEqualTo( "One and only one of: headerMatcher, responseFlagMatcher, statusCodeMatcher has to be defined." ) - } + }) } @Test @@ -272,11 +273,11 @@ class LocalReplyConfigFactoryTest { // expects assertThatExceptionOfType(IllegalArgumentException::class.java) .isThrownBy { LocalReplyConfigFactory(properties) } - .satisfies { + .satisfies(Consumer { assertThat(it.message).isEqualTo( "Only one of: exactMatch, regexMatch can be defined." ) - } + }) } @Test @@ -295,11 +296,11 @@ class LocalReplyConfigFactoryTest { // expects assertThatExceptionOfType(IllegalArgumentException::class.java) .isThrownBy { LocalReplyConfigFactory(properties) } - .satisfies { + .satisfies(Consumer { assertThat(it.message).isEqualTo( "Only one of: jsonFormat, textFormat can be defined." ) - } + }) } @Test @@ -326,11 +327,11 @@ class LocalReplyConfigFactoryTest { // expects assertThatExceptionOfType(IllegalArgumentException::class.java) .isThrownBy { LocalReplyConfigFactory(properties) } - .satisfies { + .satisfies(Consumer { assertThat(it.message).isEqualTo( "Only one of: jsonFormat, textFormat can be defined." ) - } + }) } private val expectedConfigForResponseFlagsMatcher = """mappers { diff --git a/envoy-control-runner/build.gradle b/envoy-control-runner/build.gradle index 138b8ffd5..cee970308 100644 --- a/envoy-control-runner/build.gradle +++ b/envoy-control-runner/build.gradle @@ -1,5 +1,6 @@ plugins { id 'application' + id 'org.springframework.boot' apply false } mainClassName = 'pl.allegro.tech.servicemesh.envoycontrol.EnvoyControl' @@ -7,15 +8,13 @@ mainClassName = 'pl.allegro.tech.servicemesh.envoycontrol.EnvoyControl' dependencies { api project(':envoy-control-source-consul') - implementation group: 'org.springframework.boot', name: 'spring-boot-starter', version: versions.spring_boot - api group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: versions.spring_boot - api group: 'org.springframework.boot', name: 'spring-boot-starter-actuator', version: versions.spring_boot - api group: 'org.springframework.boot', name: 'spring-boot-starter-security', version: versions.spring_boot - implementation group: 'io.micrometer', name: 'micrometer-registry-prometheus', version: versions.micrometer + implementation group: 'org.springframework.boot', name: 'spring-boot-starter' + api group: 'org.springframework.boot', name: 'spring-boot-starter-web' + api group: 'org.springframework.boot', name: 'spring-boot-starter-actuator' + api group: 'org.springframework.boot', name: 'spring-boot-starter-security' + implementation group: 'io.micrometer', name: 'micrometer-registry-prometheus' - api group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib-jdk8', version: versions.kotlin - - implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin', version: versions.jackson + implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-kotlin' implementation group: 'net.openhft', name: 'zero-allocation-hashing', version: versions.xxhash } diff --git a/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/chaos/api/ChaosController.kt b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/chaos/api/ChaosController.kt index d39430ed1..6d49b6c72 100644 --- a/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/chaos/api/ChaosController.kt +++ b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/chaos/api/ChaosController.kt @@ -3,11 +3,13 @@ package pl.allegro.tech.servicemesh.envoycontrol.chaos.api import org.springframework.boot.context.properties.ConfigurationProperties import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration -import org.springframework.http.HttpMethod import org.springframework.http.HttpStatus -import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder import org.springframework.security.config.annotation.web.builders.HttpSecurity -import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter +import org.springframework.security.config.annotation.web.invoke +import org.springframework.security.core.userdetails.User +import org.springframework.security.core.userdetails.UserDetails +import org.springframework.security.provisioning.InMemoryUserDetailsManager +import org.springframework.security.web.SecurityFilterChain import org.springframework.web.bind.annotation.DeleteMapping import org.springframework.web.bind.annotation.GetMapping import org.springframework.web.bind.annotation.PathVariable @@ -41,27 +43,36 @@ class ChaosController(val chaosService: ChaosService) { ExperimentsListResponse(chaosService.getExperimentsList().map { it.toResponseObject() }) @Configuration - class SecurityConfig : WebSecurityConfigurerAdapter() { + class SecurityConfig { @Bean @ConfigurationProperties("chaos") fun basicAuthUser() = BasicAuthUser() - override fun configure(auth: AuthenticationManagerBuilder) { - auth.inMemoryAuthentication() - .withUser(basicAuthUser().username) + @Bean + fun userDetailsService(): InMemoryUserDetailsManager { + val user: UserDetails = User.builder() + .username(basicAuthUser().username) .password("{noop}${basicAuthUser().password}") .roles("CHAOS") + .build() + + return InMemoryUserDetailsManager(user) } - override fun configure(http: HttpSecurity) { - http.httpBasic() - .and() - .authorizeRequests() - .antMatchers(HttpMethod.POST, "/chaos/fault/**").hasRole("CHAOS") - .and() - .csrf().disable() - .formLogin().disable() + @Bean + fun filterChain(http: HttpSecurity): SecurityFilterChain? { + http { + httpBasic { } + authorizeHttpRequests { + authorize("/chaos/fault/**", hasRole("CHAOS")) + authorize(anyRequest, permitAll) + } + csrf { disable() } + formLogin { disable() } + } + + return http.build() } } diff --git a/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/SynchronizationConfig.kt b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/SynchronizationConfig.kt index 23b592e3a..934e40d91 100644 --- a/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/SynchronizationConfig.kt +++ b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/SynchronizationConfig.kt @@ -5,7 +5,6 @@ import io.micrometer.core.instrument.MeterRegistry import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration -import org.springframework.core.task.SimpleAsyncTaskExecutor import org.springframework.http.client.SimpleClientHttpRequestFactory import org.springframework.web.client.RestTemplate import pl.allegro.tech.discovery.consul.recipes.datacenter.ConsulDatacenterReader @@ -29,7 +28,6 @@ class SynchronizationConfig { envoyControlProperties: EnvoyControlProperties ): RestTemplate { val requestFactory = SimpleClientHttpRequestFactory() - requestFactory.setTaskExecutor(SimpleAsyncTaskExecutor()) requestFactory.setConnectTimeout(envoyControlProperties.sync.connectionTimeout.toMillis().toInt()) requestFactory.setReadTimeout(envoyControlProperties.sync.readTimeout.toMillis().toInt()) diff --git a/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/ConsulWatcherConfig.kt b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/ConsulWatcherConfig.kt index cbada7d2b..d16e79f68 100644 --- a/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/ConsulWatcherConfig.kt +++ b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/ConsulWatcherConfig.kt @@ -1,12 +1,11 @@ package pl.allegro.tech.servicemesh.envoycontrol.infrastructure.consul import com.fasterxml.jackson.databind.ObjectMapper -import com.fasterxml.jackson.module.kotlin.KotlinModule import okhttp3.Dispatcher import okhttp3.Interceptor import okhttp3.OkHttpClient import okhttp3.Response -import okhttp3.internal.Util +import okhttp3.internal.threadFactory import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Configuration import pl.allegro.tech.discovery.consul.recipes.ConsulRecipes @@ -86,7 +85,7 @@ open class ConsulWatcherConfig { watcherConfig.dispatcherPoolKeepAliveTime.toMillis(), TimeUnit.MILLISECONDS, SynchronousQueue(), - Util.threadFactory("consul-okhttp-dispatcher", false) + threadFactory("consul-okhttp-dispatcher", false) ) } @@ -106,7 +105,4 @@ open class ConsulWatcherConfig { private val counter = AtomicInteger() override fun newThread(r: Runnable) = Thread(r, "consul-watcher-worker-${counter.getAndIncrement()}") } - - @Bean - fun kotlinModule() = KotlinModule.Builder().build() } diff --git a/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/JacksonConfig.kt b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/JacksonConfig.kt new file mode 100644 index 000000000..bdca62e9b --- /dev/null +++ b/envoy-control-runner/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/infrastructure/consul/JacksonConfig.kt @@ -0,0 +1,12 @@ +package pl.allegro.tech.servicemesh.envoycontrol.infrastructure.consul + +import com.fasterxml.jackson.module.kotlin.KotlinModule +import org.springframework.context.annotation.Bean +import org.springframework.context.annotation.Configuration + +@Configuration +open class JacksonConfig { + + @Bean + fun kotlinModule() = KotlinModule.Builder().build() +} diff --git a/envoy-control-runner/src/main/resources/application.yaml b/envoy-control-runner/src/main/resources/application.yaml index 46ea03a2c..8fe991e1c 100644 --- a/envoy-control-runner/src/main/resources/application.yaml +++ b/envoy-control-runner/src/main/resources/application.yaml @@ -17,4 +17,4 @@ management: metrics.enabled: true prometheus.enabled: true endpoints.web.exposure.include: "*" - metrics.export.prometheus.enabled: true + prometheus.metrics.export.enabled: true diff --git a/envoy-control-services/build.gradle b/envoy-control-services/build.gradle index 181b56824..aeabef69a 100644 --- a/envoy-control-services/build.gradle +++ b/envoy-control-services/build.gradle @@ -1,4 +1,8 @@ +plugins { + id 'org.springframework.boot' apply false +} + dependencies { - implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib', version: versions.kotlin - api group: 'io.projectreactor', name: 'reactor-core', version: versions.reactor + implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib' + api group: 'io.projectreactor', name: 'reactor-core' } diff --git a/envoy-control-source-consul/build.gradle b/envoy-control-source-consul/build.gradle index 07deb9d65..d15e0c31c 100644 --- a/envoy-control-source-consul/build.gradle +++ b/envoy-control-source-consul/build.gradle @@ -1,17 +1,19 @@ +plugins { + id 'org.springframework.boot' apply false +} + dependencies { api project(':envoy-control-core') - implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib', version: versions.kotlin - implementation group: 'io.projectreactor', name: 'reactor-core', version: versions.reactor + implementation group: 'org.jetbrains.kotlin', name: 'kotlin-stdlib' + implementation group: 'io.projectreactor', name: 'reactor-core' api group: 'pl.allegro.tech.discovery', name: 'consul-recipes', version: versions.consul_recipes api group: 'com.ecwid.consul', name: 'consul-api', version: versions.ecwid_consul - testImplementation group: 'org.mockito', name: 'mockito-core', version: versions.mockito + testImplementation group: 'org.mockito', name: 'mockito-core' testImplementation group: 'cglib', name: 'cglib-nodep', version: versions.cglib - testImplementation(group: 'com.pszymczyk.consul', name: 'embedded-consul', version: versions.embedded_consul) { - exclude group: 'org.apache.httpcomponents', module: 'httpclient' - } - - testImplementation group: 'io.projectreactor', name: 'reactor-test', version: versions.reactor + testImplementation group: 'io.projectreactor', name: 'reactor-test' + testImplementation group: 'org.testcontainers', name: 'testcontainers' + testImplementation project(path: ':envoy-control-tests') } diff --git a/envoy-control-source-consul/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/consul/services/ConsulClusterStateChangesTest.kt b/envoy-control-source-consul/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/consul/services/ConsulClusterStateChangesTest.kt index 3069ef9f5..86c7f803e 100644 --- a/envoy-control-source-consul/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/consul/services/ConsulClusterStateChangesTest.kt +++ b/envoy-control-source-consul/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/consul/services/ConsulClusterStateChangesTest.kt @@ -2,9 +2,6 @@ package pl.allegro.tech.servicemesh.envoycontrol.consul.services import com.ecwid.consul.v1.agent.AgentConsulClient import com.ecwid.consul.v1.agent.model.NewService -import com.pszymczyk.consul.ConsulStarterBuilder -import com.pszymczyk.consul.infrastructure.Ports -import com.pszymczyk.consul.junit.ConsulExtension import org.assertj.core.api.Assertions.assertThat import org.junit.jupiter.api.BeforeEach import org.junit.jupiter.api.Test @@ -12,6 +9,7 @@ import org.junit.jupiter.api.extension.RegisterExtension import org.mockito.Mockito import org.mockito.Mockito.verify import pl.allegro.tech.discovery.consul.recipes.ConsulRecipes +import pl.allegro.tech.servicemesh.envoycontrol.config.consul.ConsulExtension import pl.allegro.tech.servicemesh.envoycontrol.server.ReadinessStateHandler import reactor.test.StepVerifier import java.net.URI @@ -21,23 +19,17 @@ import java.util.concurrent.Executors class ConsulClusterStateChangesTest { companion object { - private val consulHttpPort = Ports.nextAvailable() @JvmField @RegisterExtension - val consul = ConsulExtension( - ConsulStarterBuilder.consulStarter() - .withHttpPort(consulHttpPort) - .withConsulVersion("1.11.4") - .build() - ) + val consulExtension = ConsulExtension() } private val watcher = ConsulRecipes .consulRecipes() .build() .consulWatcher(Executors.newFixedThreadPool(10)) - .withAgentUri(URI("http://localhost:${consul.httpPort}")) + .withAgentUri(URI("http://localhost:${consulExtension.server.port}")) .build() private val readinessStateHandler = Mockito.spy(ReadinessStateHandler::class.java) private val serviceWatchPolicy = Mockito.mock(ServiceWatchPolicy::class.java) @@ -46,12 +38,11 @@ class ConsulClusterStateChangesTest { readinessStateHandler = readinessStateHandler, serviceWatchPolicy = serviceWatchPolicy ) - private val client = AgentConsulClient("localhost", consul.httpPort) + private val client = AgentConsulClient("localhost", consulExtension.server.port) @BeforeEach fun reset() { watcher.close() - consul.reset() Mockito.`when`(serviceWatchPolicy.shouldBeWatched(Mockito.anyString(), Mockito.anyList())).thenReturn(true) } diff --git a/envoy-control-tests/build.gradle b/envoy-control-tests/build.gradle index f455842c4..1c0826c56 100644 --- a/envoy-control-tests/build.gradle +++ b/envoy-control-tests/build.gradle @@ -1,27 +1,28 @@ +plugins { + id 'org.springframework.boot' apply false +} + dependencies { implementation project(':envoy-control-runner') - implementation group: 'org.assertj', name: 'assertj-core', version: versions.assertj - implementation group: 'org.junit.jupiter', name: 'junit-jupiter-api', version: versions.junit - implementation group: 'org.junit.jupiter', name: 'junit-jupiter-params', version: versions.junit - implementation group: 'org.awaitility', name: 'awaitility', version: versions.awaitility - implementation(group: 'com.pszymczyk.consul', name: 'embedded-consul', version: versions.embedded_consul) { - exclude group: 'org.apache.httpcomponents', module: 'httpclient' - } - implementation group: 'com.squareup.okhttp3', name: 'okhttp', version: versions.okhttp + implementation group: 'org.assertj', name: 'assertj-core' + implementation group: 'org.junit.jupiter', name: 'junit-jupiter-api' + implementation group: 'org.junit.jupiter', name: 'junit-jupiter-params' + implementation group: 'org.awaitility', name: 'awaitility' + implementation group: 'com.squareup.okhttp3', name: 'okhttp' - implementation "org.apache.httpcomponents:httpcore:4.4.15" - implementation "org.apache.httpcomponents:httpclient:4.5.5" + implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5' + implementation group: 'org.apache.httpcomponents.client5', name: 'httpclient5' implementation group: 'eu.rekawek.toxiproxy', name: 'toxiproxy-java', version: versions.toxiproxy - runtimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine', version: versions.junit - implementation group: 'org.testcontainers', name: 'junit-jupiter', version: versions.testcontainers - implementation group: 'org.testcontainers', name: 'testcontainers', version: versions.testcontainers + runtimeOnly group: 'org.junit.jupiter', name: 'junit-jupiter-engine' + implementation group: 'org.testcontainers', name: 'junit-jupiter' + implementation group: 'org.testcontainers', name: 'testcontainers' } test { useJUnitPlatform { - excludeTags 'reliability' + excludeTags ('reliability', 'flaky') } maxParallelForks = 1 testClassesDirs = project.sourceSets.main.output.classesDirs @@ -40,6 +41,19 @@ task reliabilityTest(type: Test) { testClassesDirs = project.sourceSets.main.output.classesDirs } +task flakyTest(type: Test) { + systemProperty 'RELIABILITY_FAILURE_DURATION_SECONDS', System.getProperty('RELIABILITY_FAILURE_DURATION_SECONDS', '300') + useJUnitPlatform { + includeTags 'flaky' + } + + testLogging { + events "passed", "skipped", "failed" + exceptionFormat = 'full' + } + testClassesDirs = project.sourceSets.main.output.classesDirs +} + tasks.withType(Test).configureEach { project.findProperty("envoyVersion")?.with { systemProperty("pl.allegro.tech.servicemesh.envoyVersion", it) } } diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EndpointMetadataMergingTests.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EndpointMetadataMergingTests.kt index 98eb5b8cc..352ee037d 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EndpointMetadataMergingTests.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EndpointMetadataMergingTests.kt @@ -1,6 +1,7 @@ package pl.allegro.tech.servicemesh.envoycontrol import org.assertj.core.api.Assertions.assertThat +import org.junit.jupiter.api.Tag import org.junit.jupiter.api.Test import org.junit.jupiter.api.extension.RegisterExtension import pl.allegro.tech.servicemesh.envoycontrol.assertions.untilAsserted @@ -10,6 +11,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyExtension import pl.allegro.tech.servicemesh.envoycontrol.config.envoycontrol.EnvoyControlExtension import pl.allegro.tech.servicemesh.envoycontrol.config.service.EchoServiceExtension +@Tag("flaky") open class EndpointMetadataMergingTests { companion object { diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/MetricsDiscoveryServerCallbacksTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/MetricsDiscoveryServerCallbacksTest.kt index beffcee16..912b5c89b 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/MetricsDiscoveryServerCallbacksTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/MetricsDiscoveryServerCallbacksTest.kt @@ -20,6 +20,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.server.callbacks.MetricsDiscover import pl.allegro.tech.servicemesh.envoycontrol.server.callbacks.MetricsDiscoveryServerCallbacks.StreamType.RDS import pl.allegro.tech.servicemesh.envoycontrol.server.callbacks.MetricsDiscoveryServerCallbacks.StreamType.SDS import pl.allegro.tech.servicemesh.envoycontrol.server.callbacks.MetricsDiscoveryServerCallbacks.StreamType.UNKNOWN +import java.util.function.Consumer class XdsMetricsDiscoveryServerCallbacksTest : MetricsDiscoveryServerCallbacksTest { companion object { @@ -236,7 +237,7 @@ interface MetricsDiscoveryServerCallbacksTest { expectedGrpcRequestsCounterValues().forEach { (type, condition) -> val counterValue = meterRegistry.counterValue("grpc.requests.$type") println("$type $counterValue") - assertThat(counterValue).satisfies { condition(it) } + assertThat(counterValue).satisfies(Consumer { condition(it) }) } } } diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/SnapshotUpdaterBadConfigTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/SnapshotUpdaterBadConfigTest.kt index 527f7b940..681a50b6d 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/SnapshotUpdaterBadConfigTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/SnapshotUpdaterBadConfigTest.kt @@ -6,6 +6,7 @@ import org.junit.jupiter.api.assertThrows import org.junit.jupiter.api.extension.RegisterExtension import org.testcontainers.containers.ContainerLaunchException import org.testcontainers.containers.Network +import org.testcontainers.containers.startupcheck.IndefiniteWaitOneShotStartupCheckStrategy import pl.allegro.tech.servicemesh.envoycontrol.assertions.isFrom import pl.allegro.tech.servicemesh.envoycontrol.assertions.isOk import pl.allegro.tech.servicemesh.envoycontrol.assertions.untilAsserted @@ -15,7 +16,6 @@ import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyContainer import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyExtension import pl.allegro.tech.servicemesh.envoycontrol.config.envoycontrol.EnvoyControlExtension import pl.allegro.tech.servicemesh.envoycontrol.config.service.EchoServiceExtension -import java.time.Duration class SnapshotUpdaterBadConfigTest { companion object { @@ -72,7 +72,7 @@ class SnapshotUpdaterBadConfigTest { envoyControl.app.grpcPort ) .withNetwork(Network.SHARED) - .withStartupTimeout(Duration.ofSeconds(10)) + .withStartupCheckStrategy(IndefiniteWaitOneShotStartupCheckStrategy()) .start() } diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt index ec4356f5c..cb717e2d0 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/EnvoyAssertions.kt @@ -5,6 +5,7 @@ import com.fasterxml.jackson.module.kotlin.readValue import org.assertj.core.api.Assertions.assertThat import org.assertj.core.api.ObjectAssert import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyContainer +import java.util.function.Consumer private class RbacLog( val protocol: String, @@ -27,7 +28,7 @@ private val mapper = jacksonObjectMapper() fun isRbacAccessLog(log: String) = log.startsWith(RBAC_LOG_PREFIX) -fun ObjectAssert.hasNoRBACDenials(): ObjectAssert = satisfies { +fun ObjectAssert.hasNoRBACDenials(): ObjectAssert = satisfies(Consumer { val admin = it.admin() assertThat(admin.statValue("http.ingress_http.rbac.denied")?.toInt()).isZero() assertThat(admin.statValue("http.ingress_https.rbac.denied")?.toInt()).isZero() @@ -35,7 +36,7 @@ fun ObjectAssert.hasNoRBACDenials(): ObjectAssert.hasOneAccessDenialWithActionBlock( @@ -155,7 +156,7 @@ private fun ObjectAssert.hasOneAccessDenial( protocol: String, logPredicate: RbacLog, shadowDenied: Boolean = true -) = satisfies { +) = satisfies(Consumer { val admin = it.admin() val blockedRequestsCount = admin.statValue("http.ingress_$protocol.rbac.denied")?.toInt() val loggedRequestsCount = admin.statValue("http.ingress_$protocol.rbac.shadow_denied")?.toInt() @@ -172,9 +173,9 @@ private fun ObjectAssert.hasOneAccessDenial( assertThat(it.logRecorder.getRecordedLogs()).filteredOn(::isRbacAccessLog) .hasSize(1).first() .matchesRbacAccessDeniedLog(logPredicate) -} +}) -private fun ObjectAssert.matchesRbacAccessDeniedLog(logPredicate: RbacLog) = satisfies { +private fun ObjectAssert.matchesRbacAccessDeniedLog(logPredicate: RbacLog) = satisfies(Consumer { val parsed = mapper.readValue(it.removePrefix(RBAC_LOG_PREFIX)) // protocol is required because we check metrics assertThat(parsed.protocol).isEqualTo(logPredicate.protocol) @@ -192,7 +193,7 @@ private fun ObjectAssert.matchesRbacAccessDeniedLog(logPredicate: RbacLo assertEqualProperty(parsed, logPredicate, RbacLog::rbacAction) assertEqualProperty(parsed, logPredicate, RbacLog::statusCode) assertEqualProperty(parsed, logPredicate, RbacLog::jwtTokenStatus) -} +}) private fun assertEqualProperty(actual: RbacLog, expected: RbacLog, supplier: RbacLog.() -> T) { expected.supplier()?.let { diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/HttpsEchoResponseAssertions.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/HttpsEchoResponseAssertions.kt index adf1cc509..49a1b9b41 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/HttpsEchoResponseAssertions.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/assertions/HttpsEchoResponseAssertions.kt @@ -4,17 +4,18 @@ import org.assertj.core.api.Assertions import org.assertj.core.api.ObjectAssert import pl.allegro.tech.servicemesh.envoycontrol.config.service.HttpsEchoContainer import pl.allegro.tech.servicemesh.envoycontrol.config.service.HttpsEchoResponse +import java.util.function.Consumer fun ObjectAssert.isOk(): ObjectAssert { matches { it.response.isSuccessful } return this } -fun ObjectAssert.hasSNI(serverName: String): ObjectAssert = satisfies { +fun ObjectAssert.hasSNI(serverName: String): ObjectAssert = satisfies(Consumer { val actualServerName = HttpsEchoResponse.objectMapper.readTree(it.body).at("/connection/servername").textValue() Assertions.assertThat(actualServerName).isEqualTo(serverName) -} +}) -fun ObjectAssert.isFrom(container: HttpsEchoContainer) = satisfies { +fun ObjectAssert.isFrom(container: HttpsEchoContainer) = satisfies(Consumer { Assertions.assertThat(container.containerName()).isEqualTo(it.hostname) -} +}) diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/ClientsFactory.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/ClientsFactory.kt index c122bba73..ba9bfd91e 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/ClientsFactory.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/ClientsFactory.kt @@ -1,9 +1,9 @@ package pl.allegro.tech.servicemesh.envoycontrol.config import okhttp3.OkHttpClient -import org.apache.http.conn.ssl.NoopHostnameVerifier -import org.apache.http.conn.ssl.TrustAllStrategy -import org.apache.http.ssl.SSLContextBuilder +import org.apache.hc.client5.http.ssl.NoopHostnameVerifier +import org.apache.hc.client5.http.ssl.TrustAllStrategy +import org.apache.hc.core5.ssl.SSLContextBuilder import java.security.KeyStore import java.time.Duration import javax.net.ssl.SSLSocketFactory diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulContainer.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulContainer.kt index d6988c116..cf734b212 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulContainer.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulContainer.kt @@ -13,7 +13,7 @@ class ConsulContainer( val internalPort: Int = 8500 ) : GenericContainer( ImageFromDockerfile().withDockerfileFromBuilder { - it.from("consul:1.10.12") + it.from("consul:1.11.11") .run("apk", "add", "iproute2") .cmd(consulConfig.launchCommand()) .expose(internalPort) diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulSetup.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulSetup.kt index 2207d9ce9..c54f823dc 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulSetup.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulSetup.kt @@ -1,8 +1,8 @@ package pl.allegro.tech.servicemesh.envoycontrol.config.consul -import com.pszymczyk.consul.infrastructure.Ports import org.testcontainers.containers.Network import org.testcontainers.junit.jupiter.Testcontainers +import pl.allegro.tech.servicemesh.envoycontrol.utils.Ports @Testcontainers class ConsulSetup( diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoycontrol/EnvoyControlTestApp.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoycontrol/EnvoyControlTestApp.kt index 2bc55e721..168cd1b0f 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoycontrol/EnvoyControlTestApp.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoycontrol/EnvoyControlTestApp.kt @@ -4,7 +4,6 @@ import com.fasterxml.jackson.databind.DeserializationFeature import com.fasterxml.jackson.databind.ObjectMapper import com.fasterxml.jackson.databind.node.ObjectNode import com.fasterxml.jackson.module.kotlin.KotlinModule -import com.pszymczyk.consul.infrastructure.Ports import io.micrometer.core.instrument.MeterRegistry import okhttp3.Credentials @@ -22,6 +21,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.HttpResponseCloser. import pl.allegro.tech.servicemesh.envoycontrol.logger import pl.allegro.tech.servicemesh.envoycontrol.services.ServicesState import pl.allegro.tech.servicemesh.envoycontrol.snapshot.debug.Versions +import pl.allegro.tech.servicemesh.envoycontrol.utils.Ports import java.time.Duration interface EnvoyControlTestApp { diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/service/EchoContainer.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/service/EchoContainer.kt index 9c1aa15f1..c704ad8f0 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/service/EchoContainer.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/service/EchoContainer.kt @@ -6,7 +6,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.config.testcontainers.GenericCon import java.util.UUID import java.util.Locale -class EchoContainer : GenericContainer("hashicorp/http-echo:latest"), ServiceContainer { +class EchoContainer : GenericContainer("jxlwqq/http-echo"), ServiceContainer { val response = UUID.randomUUID().toString() @@ -14,7 +14,7 @@ class EchoContainer : GenericContainer("hashicorp/http-echo:lates super.configure() withExposedPorts(PORT) withNetwork(Network.SHARED) - withCommand(String.format(Locale.getDefault(), "-text=%s", response)) + withCommand(String.format(Locale.getDefault(), "--text=%s --addr=:%s", response, PORT)) waitingFor(Wait.forHttp("/").forStatusCode(200)) } diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt index f943a3811..b1b889281 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt @@ -365,7 +365,7 @@ class IncomingPermissionsLoggingModeTest { } @Test - @Tag("BAD") + @Tag("flaky") fun `echo2 should allow echo3 to access 'log-unlisted-clients' endpoint over https`() { // when val echo2Response = echo3Envoy.egressOperations.callService("echo2", pathAndQuery = "/log-unlisted-clients") @@ -494,7 +494,7 @@ class IncomingPermissionsLoggingModeTest { } @Test - @Tag("BAD") + @Tag("flaky") fun `echo should NOT allow echo2 to access 'block-unlisted-clients-by-default' endpoint over https`() { // when val echoResponse = @@ -591,7 +591,7 @@ class IncomingPermissionsLoggingModeTest { } @Test - @Tag("BAD") + @Tag("flaky") fun `echo2 should allow echo to access unlisted endpoint over https and log it`() { // when val echo2Response = echoEnvoy.egressOperations.callService("echo2", pathAndQuery = "/unlisted-endpoint") diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/TlsBasedAuthenticationTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/TlsBasedAuthenticationTest.kt index a7cc3f8d7..432865c50 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/TlsBasedAuthenticationTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/TlsBasedAuthenticationTest.kt @@ -5,7 +5,7 @@ import okhttp3.Request import okhttp3.Response import org.assertj.core.api.Assertions.assertThat import org.junit.jupiter.api.BeforeEach -import org.junit.jupiter.api.Disabled +import org.junit.jupiter.api.Tag import org.junit.jupiter.api.Test import org.junit.jupiter.api.extension.RegisterExtension import pl.allegro.tech.servicemesh.envoycontrol.assertions.isForbidden @@ -189,8 +189,8 @@ internal class TlsBasedAuthenticationTest { } } - @Disabled("Flaky test") @Test + @Tag("flaky") fun `should encrypt traffic between selected services even if only one endpoint supports mtls`() { // given 2 endpoints registerEcho2Insecure() diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/reliability/Toxiproxy.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/reliability/Toxiproxy.kt index 8b2b317c6..c684bae1f 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/reliability/Toxiproxy.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/reliability/Toxiproxy.kt @@ -1,6 +1,5 @@ package pl.allegro.tech.servicemesh.envoycontrol.reliability -import com.pszymczyk.consul.infrastructure.Ports import eu.rekawek.toxiproxy.Proxy import org.testcontainers.junit.jupiter.Testcontainers import pl.allegro.tech.servicemesh.envoycontrol.config.BaseEnvoyTest.Companion.consul @@ -8,6 +7,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.config.BaseEnvoyTest.Companion.n import pl.allegro.tech.servicemesh.envoycontrol.config.containers.ToxiproxyContainer import pl.allegro.tech.servicemesh.envoycontrol.config.containers.ToxiproxyContainer.Companion.internalToxiproxyPort import pl.allegro.tech.servicemesh.envoycontrol.config.testcontainers.GenericContainer.Companion.allInterfaces +import pl.allegro.tech.servicemesh.envoycontrol.utils.Ports @Testcontainers internal class Toxiproxy private constructor() { diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index e708b1c023ec8b20f512888fe07c5bd3ff77bb8f..7f93135c49b765f8051ef9d0a6055ff8e46073d8 100644 GIT binary patch delta 44866 zcmZ6yV~{3M)92l`t*d+5wmogzwr%${jcMDqZQHiZY1^EgclU{V_kKTAoQ$fhi29Iu z@>iMvGdKf&b_WirC<6|Gk*MT`8IOk!ijf$wgc~oR`Oo-w2N?nc1jNDFf)O0#|9Y)s z{-1}55TF2T3=j|)n14<}AR(u#9+Yq(Ao|!KAT){jCRmAAYuLbSO=w^IWx%&S-N(_x zu*i%umUPxo11kb-zz{5K%+(qcIZ{gEQgDLqWh6bxS=J)8yrq>4cDCz0sOy3dXTAtW z8|cOYsGU{54|2y#PSUfFM?;mWY&Xuph_swB`6Qom&H7|#Cr5YxX)8BD+UVA(U8sP*+u8?shKi4yhV*4yh93bXZq z1G2SJ^C)n)>_E=5(ewkWy-SV3LB$DrhauJD^-f-Jr}#j=OXqi=4@Q?p|A%T-|A!je z9ypvpS%FeR2e=0{*U9KMO~xHDCeet*(W=C8Li}VK5jxO+tFQp=W#X$SB6hzk;={2w z0{YeoGq;Ztldo(~g+}|%3X}7I)!$bgjqhl55Ke$nP>>P1H}3$|w;s-5pb(BQG0h-_ z4)zyW#vh#g|ha_79S)BJH#{K2`f^Wkouea2r_va7i zY=3Qs@C)GheoC3$aKa!j#Gls8@uX_XD-mx#JD6bUFdHH0Jp%CR#GL>v+MIo z-Xwe;xhN*D$#`0~Odj2qt7PA*J(7~P99at6b1C{LVx@r~A!kv-pFBdrA|2-TSunq6 zNjma624n3(`oRoC+-W7Sq=C_(j;3vQg)=BCW> z;2eU45kg1Du`=g5*>|sk-L0AKn~h_~GE(N?r&XrDJ0v%o0~PhbP1f@vKP_5|10I zs5-!ov1UfQ(F6KLN2}7wiyz5X9OzArB=$(iGG?h>V#Ego2{jb(XM83IC3cCgHeI*K z*v8|cMS}7}A&V&ta%h$r0ag4&$xYwHE_Aq@Ps9Pq`lkGVbr;;78P=eX3l7L#Gqh6? zk>P7|(Se;9YT3|%?5V2ceG*Nl?SrDvRewybjPbMEuu2SpJ2%mW7UQ$k`*uJ5FwjM2iN*lz#sVY zFSZ9L#g#4(qKMFvHnyEf1_EbHojThmilFjsTL{r1g z{>kg_Km+SnO#f-R4EY&*e)fSM)~|^Em3tm|{;`6VT;V6yT+z&kPJ9aeMC_liz?EC< z&t$zpHN&V1y|O(AyzdyGB=on6VL4FaZtM*u7Q4gc{Pvf9Y*Vqacp$Z@6vf|!Np!Gi z!ZDvUY84L71+OWA)ehjH6ezu5xn-_QyH&@!bjx3*Fsk6R(r^}W?N`xu3K~)F%tdxt zG@Iz3Y69Vk!MUyl%BU3-6~QH8Zy9A+>=9+lqS-K11^VdlL&6lR2*;wWvXnqc10JhU zH1TW2dxN6zVP*JTSen{!auTY#N<9S%IbJr?xiN@CT)ZSPE@|Lz`80K^i$s)C+0$S% z3gIAvu+gU^RBPQ#>n+u|r0&sLRwz3;I?TzUw&MuR{P5%hFtK2^dbribt0~>93{Cn8 z%=x@qG7xO`*h^W(Y4jZm)ri5qPisM&xc{xgolZ}KB4eO{Z z$m1D5!*nZp71hC*PuC1YKmOjOrX z(G|x!A=th#)?@$qx`m*fp%4KBVWd52TbpUl%o&T43}Z9)4&_Sd-&FkH8Xxz<$<-5e zFZj=CR@s*pCQOShE~94jO`#TP-o>~|aA)y^T|f9Xvky0LkEc8V_dN8LXE7kdj(n4j z1b5PA3aHm}w|ozH;4#1~CB#+zwEy2ukt&PE;v#>%HC`LnB!fu1da*Vy z&GgMiloIKh+wHtD(Ya$at;VSNHU>sE^@!Ka0Tzd3? z*iLZrhC;_a(KS`OMO-$qw0r$7vR$n&(iCnA#+Dcl)7OF^(vXKZX8GbLET9?E$R%@KjV{uDz>V{wrh^&O8HVMSbs@U#lL-IJsA+5fc>%X>z_ugEd~RXgp)Z zWgkqvlQe2>m*qn1;O-eEe<2H9N-#noIdUSaZ5brDuD0DwZmv2KO>eFa%sL2=w-J&Q z{q7CyJ)S;H^JoonPP6$9j<9c~%Z?2S-j>mu%oS)8CT0x014+(MSTjMVimb~0+j<#B|wgOd@CZa7tCijsPTvRY<5ixOcu+7%rR zHg&@;YsL<*{lZ)ei>!y;Zi@qL3(MIEG+BcKPu)Xk*e{!0ru8}Ybct6NbjzsfNPMI6VMWX+Etux0FQ3?au}C*h%QHrw_}eykN8CG zVGJ<7!gths*nawtF=kND_?Jfw6{*hyOT)w+&e(x%jF=9VL;X^st@i8Rfj+T-X} z(c$6C0xOoCvoG#mYy}+(s@q+79RMZ7JTkyQybPh!U z0gatF&+muyceQ`D)bInnOx4k(Od?-VO`y0D3Ylviq{)(!WcrLc|Lc;My)_Rp;OXWDtDLV#j4Li#0x{#!Er4gM{O z(>u707{BPC{+U7{=Scq-a)-i+O%l07m4F0mSX5M)H({7(klsQNbY;Js5UQfoobJZbVF z=PB@v(X>&MQ6vU}K)3dBj@oG12GO|0xvrg}q;L0nAYhTX2%V!?+0ts4gnx|8Wdj$Y zb=fS&Y`n-brYq;A{9II4R+KAB=qAL4m=jF-E37NLa*aAx*FPQLWxCYOQxOgU`1qBM%0tl{*hY9S!i_j*WysEXN27jWEgzAOD!>$Ef?>f!qAY3L)g)hQ;8by z(xsv@Wj`8Yb|gR=J{u?0CUjv>jt4TaU1*OaA+mOxRdkFnkI$Lc+G!NA!Cr_tSnK)I zOFT5BM4HQrEIW@&OUKisE0 zQF9S8+h$2&agE}&vJ5{_P=vJMpdkck&oE2kc3YYzQ>zul_70R7Y$an~aRE<$Bij+g zcBc)njYeTNdJfDTyRsvY#)#(F;Aiwy0}_$5msRz3M=*tKbI{i3`*krrf$U-i(Xi%} zD9P$?>T}vCA{j=vxz<%FX|}P4n+^E{(d8K=PVWWzTOKn7=!tzC1$>E(TE&Vm2%}Uo z(AHE@d3q&cD$^3>6{5cZs6a*T6O6?C(k_!Cjn(9;c3_L{P`#wzg`}lJ>;=1pV$88z z>B>QNW%C-a1d*cGCkMTG#0)MLX-BK7f5E(CcR_379b50Ip=$xWj7sC+(bc-a5Fo7fROZZn|KP8iojOk(# zCf8O(4nTbON8Xxlx)!bfUIeM+-jw$5s@Gu}+3TUNXDytsHpvHwcDsBFbxNt4dEagN z{gz+1>-WN*0(~%{qH;vu=vqq55L~jT0rGAA-Kk zk7`^k%xXI7OQYyyZEVaE2gB z%u)|dnEP#~D7<#aq?nM`4s5fe#w>`KEbKbsA*}P(`sxUHU-0HAo;RSh=sJ598YNm^ z#S(<$k`ad%eo$ZdW&<@_HT)R9O5*c@RgW3Hhbfa{)7nqPq}K3IeeYS)cT7=2a zwnNWL**WNql_tEhixA|--~F0T9A?8kH)TCImJjL5nC9_9>WCVRry===c!R!lU*(>p zT`vWL%ZP+cMaENSZ8^YU#3@!;!g5etiWui-ghmMm#CP9Ag=C|qD{ zZz4R3jnKat_By)nzFy7V4wI=}Q`>SMzp(S7!1zh8Z#Q!rH;kh<(X$i3ets{_pyP z*Af5ul{gpAr%vt_^n^ouq(d-k! zwTKrG6A>SQSs>uXMXQ+@I|%xb;uw9{u}0@o1=Gxq3uLi(+(IzSK1_+)d{rDl;o!Pw z8CW}_a@;b*Y3i-vC~!eQ_gbtdqDkpcSya)k&d_GRa9ds**FgNLv1WIrmDtdz6kpai z*35lY2dWLC-ZY&Zo44Q;skum4aFIe}PJ3&$UY8%^Ney_ZsMzRKs9}DjD55#yimN|{ zmK5(+0ksi3*XUYpS*ThOMOxKutPArKwKvdBn@Wiz*vbGE&p%3eu|kL!sWvLiun9NS z7WZD$jMnrzdrs#lbT${?B+falD@yQ^Rp(nO#K~9b)9*rd%rco?)hbEKE*d0uXIvk{ z$vpN6=UV3K<(@8H`)(ca)qbbM9yW|GqXwf|1MOa7-q+sR2*g6RR}(aLh^KhlPkeYN zL%f*jm_$F?M}J^XmlP|_gas2^Eu>>^(Q?HyLl$z4I>i!uk;o4pf55fe!j6{0Nw1lQ zdES-pfeM(6d3tv^T;lyfFO)FP5j>adhm?g;HDDQvb+5Bk%W&JSbKqNkR43H6Opj`E z29jx!c86vDiZ34@S)vm;WzvE_mgq2d@h$!-rscVWgT*hh!9|iczXLtMfEh{qx0>q_ ze9W!=Q?&U}{-*?hF6*;-k@P`+)dYQ1&3Ns!lH}>5%v5dhQJgd*r*PD*Jobg}@ZEZ2 zSvw*kfC>QsR$+~~ZQizqv^brV>ai&n3WQ++>o*mIY2gl=HH7ZmeKtO3Ps(`?+-5Az z*N9i-E?ugs6qPA~o`D`^byMt+@ZQ4w{=TKCeqh|wyZ*~~jz(D@0rMnJy5wB1D2d^q z{kD(ZOn~69aE*2K#YS8I8hbl@5YGSFTiT86Fz>0IRnG>c2_=*=yh(;%%(^hj1zZnl zEYOx_33+j>H+y1qM3}3(7NHqNw?zietS8#@iRmALcO>!``9T{k)oZeYnfs2k?>AP= zWf#P}ppkQBQidTw{}shb4s3WO$md7++Y#$X%}vq0@Tuks%c0EMtBakbx2igHyEU>mq&*vXh>3D6|= zY+*$Ad})`!&ZOB~LV4ZCw)2>#umGdX8pnOirC6_7hiQiigE^XdBOf!X?FVa`L!E53 zKYki8$?U(O6niP7`8i`bS%;nkmn(u4DCqw_4Qy-!pI5NBi$5AXVFMD61O9^j_s;OA z=%=&{7zoJCzhC~McFEDGb6{{MczXa(A%K(nB{$+};h_>FW^*8NGPA|~vgIRh(fjrK3E9Ws{@|!M zZX(XeL3n-~ALN$3Bh^qWZ9 zFpB+<(3SF=Nl^b(7e}C#BMetZ3ICB$&xf9^Ic_+Ipb)Bi$EAv3PYV-l{mvHwf!Spl zYQ2Yuaq}^7@wPyENsav8ae-e$l24;Tg^wW5$UTp9fq#YWKf<324bCXWLBYC=wH!RC z8PXrK!U~FGaFfu`!zW;FsH$=b9O`3Nx~@0RNS5KX=bCS68nEKX6+v1~1l)ID;V9>(Is z-n_+$=v8S?8w~`%e_H?h-I%(jB7^|1L2ay=d5tyb`z((%xbg!gdF~4rh*j&!`u=+= zW*(t(@pK$9w1=spz+omZ->)E1hBB6<&~jCv|5Xwn98%kb$BId}v^x`wDHKhtgnlXl zGoL=9`27#$)Yma`UFz)94o_)SI#V*+08>0G-4P;w%|2OGa}$fna;I2QqCELlQMM3k zTifr=p~fWnM*st@Kdl|PSGx;^9c}DNpcfY2#L;uOo19N9sJT7 zdV<=JuQJ+4Gv5cj682kQCE*o>GvN)fp;KBf#ZhB0l2s7&zr)Sqkt`np8U(}>6$FI; zf5MFvIIVf%fw_$NH~Z+%%(Q7A3R$wE5lwJ#CN?ai7aO~1(wJP`5EQ98?lmAGATynd zl@nBlXlX@4Cs{ys?j8+JyF4(#aOhpTvZ=Y!{cZSfU-KuvE}h#=dVB5BfZXd*s>{q} zqrpk*i@?X$#~J6pj(i^CAxp|WD6SG8l~HLFP}%ZWbbVMPD-;5m2e~ud?dO0YL`X0{ z3zkW36daisJ4S#ODE#2mV_X!^+UJ?1F2ht=9)<*Ow_|&HyN^LgOhbnm_Hn2UrCAC0@$<#YTu!48KfLH8;jP z@RCJt`&!mIrjQqmo_Uhc61T2dRM{b%GCD=x#!`|Moq2HSX2n*bHT7ts78~XR3&OrV zq>NEy3-gYy{#Td3PwA5w-XQNhK;%KOui?#jFo&tNL|uX ze?SNpi1PaKB6t$v((3J{)!@L5T+P>XR~HzXtQ)#G_w(0_HZ^a}u92f*W$7)O3lG)W zFQSKAiGcR?^Xoc0JHb>ghcBsqV6|pt9wH5birLEs!)! zii@VMgKA?tdN7{Xgd;Yw+bPw18{q3%dPiP062 zh$c_{N-Iyx6(jyeS$3A^Jf?}B^)ecXWy+bd~>DmI) zsk^c#V8exfU;#u+`q&c^u6EbaQ)lvy>P%0CdTkp!j2iq7QT@}SQK z^C;2QJwk=eZqo`n0xIUGI4djHy&#R5T)( z9#YzBPKA%==gB*=R|}ct$-;(!YMDAhBfN5O^x|wP=rajb+-aG@0}|5aYPlebn{!Bb5u{_Q7EbfUKLqhb1!I~XBULb{qjUi@XY1|g3AnRHAQmH zlkeQiD_#M0X0!63J@(}9?O3ZtsI;2mR`l9vZ{15z_!VWIi=4JRaURz1Ap(L1)7)T} zzoPDuXO4N9Gh-PU^0cFbiv2jMUL(K;Gx_!N(c<+51DZK9(y7rjc{9W1(#{UP2*l!l z#_zR;Ffu-)wGbEh^{)|%+r(5h6UK2Sn+04Vzo`TNocx>!8N4YN+0{aM!2FCOv^Z>A z*SSQytD55OHJO>b=d`j4vnVK3iQ+5DcEAA8ifJ(f4w5}Hwz3)-5F$I{T(#B!xcdP zJ9+{ot&5Op@q`6U6izdeVGV~^u&wIo@ckN=9pdfCbD8SMJeN1||ljm#t z=yN<+`B4{So3!Vza5Fo9*^eSls>?S2O_RZ{5&AldjE#TxL8xwkoA2tu4E7Bi9=;K| z_xSJXY5Q>2S^5vw9-%-$`2GWHj9CESuEL@s#%Qkx{`LwcE=`zVI=Y!)9HQt?Mf71J zW_h-L!$1Y>m8p#Dlr8tNyJ2jDM}s>dG(b4=H|V$0h|4C+s3wbMitEW%&I7mL=J(sj z1?Mjj`PeC-*HYm9&RnCmbUJh;^N0!ra#^FRNL_uDHqxWSU+yYwKbQG zZ|FL_m8s8o{?=I~P;~DRijAuQckTiD4ee#gD|}M+lW&M2RH^LAyZM<2K`~sv)=mRY z!LDjQs3od+j0IKC`+RRaCc8b-f zFXdf3pIB5Pln@e@fs&1o_?*@R^HmCGiySX}M_JHWBtAx9N=QBn1+|9c`ixY1YRkqn zYL&1j12=i<0cAq$N*!zs{B4Y0??9g;{?aed;?#sCF{qXGz}-Ynd_p~3iom4#8eoYI zK3q=GbOUHp5MV&ZX>kl9mY3p@LQP;a=7ZRUMVF;vI>xyP_P3v8UJsaYThk!2fCvF)K+G6OM!Ek*S12_2+~>}l5O0Uc*TQK#;Lw#&bC6*$ zUv!gRm=Qo{%$CIxmG&N(%nbJQMRSODrUfZU`ThUn!G3qt*hJ7=w8WQv`a2M(cm(0>1YJ4;Z*`4ZK7u&ZrT2Br$%VKS5#RD^so=Y+22!ZR>C zLN=B7$#k=kz{e~U-k|!(DfZyK!!FafxnFOUY)jZMC4EQsv1XhCsKY#twj&T?M5W_9 zZ1CV4wE5&aj-H}tFu`vDj7C#9@D+Q1`TmXI=*uwhMjdc&-P)Zvh6+9`UPi2 zUP@l^Cxbj%b@hz8yo@xUC}uHjaUK|}!eei&IouVaqp4V5W&%5j;1ZBt)paXdZw|Xk z+f3u1W>lA|Q?YHH#z%PK-(42qT}sVu`TR#=O(i58SY92`iD1(2l9O&V>$K#I+>wQZ z=X;JiLNCqAY*80&MRctp-ker*4e5 ziw8PMX9%S7_(_W3Bt0OKB|0CBqlXBKuz`fInqtDDmatnz-2~!Z(h83ZF%0B>Hs&>A zSeVRdV!@^iqP!_%6tXtuKyUDtqms$VHjKH89@(GBZhq;Z!e@ITz|h zo;v*ZF8gekiJl1#0wVQKI>h-u5+e&|BU9VNZhzFoyaNC*S#8^SQ5@rYC52RsYM3ir zWP#{Mu(q^u7KF5ARtfB%*=i?CIS~<^wCHN)f{3Gd(~|B}{97=;z#Yd${8ANj9^ID! z93FbWj5Lj$3F;!Q&+PU3&F6J%Wq8lB3obElW+s7;Ga!&14x|ZSL5ss<_+;Vo1K)WPKoe zNRz!Svm|D#84E$RR*cro^>x|~eUC{Zg@#M!*3Ll=`AWSq+_jE?hQ)^-Y{5+JlCGfz%-4}_7<*3wE0?lfJVcokLW&OI@`S*)iY(0LBa3+65 zQ;P(&pTcWb$G2a#$N4)~HmhEHp7^ZQx`IOtN)5q^)+1tFLZQ@<;(L#x1864t=JO#X|w>hW- zc3pjG>j*Qx!gFzc%{k(EAlsR!w)agl(R~ANe4cY_M4Jq8WDX$p()+VW^_!-DzzJjj zO|!o|)EqZDKj`l<8q3XGqY+(XBQV4ZShQlsNc4R!H-3-HM{E0gYbUGVswa7yhEfQO zfb{N-4KhmTK}S2+ftZ`F|{T(t1Kxt`IB zjQx}&;uo1&lplpy6Bppb#>1%!hoyk!q4lFl3OrTBjLs&r%oE=~1HPmbh7Dc=x?ya1 zh>iiPWabvP{+cJG7?vpmR6U_cLB5!V#wq4#e=LCr3-C*3RF68Pz4byO?m-VFm;3 ziaDdy35!X8A+BnNO{>Rz#5CNF1dL@spgu?IfQGeBtqzoad zgc{i-GpRhJfD*+{Ar66#5%ibgs)WwoBXfKBwD1+;`?u(i|1XLYfd z$x3g(%Iy^df~O5PvUwX>l9jNTDx#Tl|F%NpG^$9O&nqAk6$@L(xDH?A#za=-GYxa< z?T^y|?)=GZKXYs~s`=e>#qkF>L7%pXKQ#$*vw2V~WL(%nx3siv2Bp^9Ei&I>-MumN!Mq z#kTRBJ#(u%63wBVNYnq@RDeCsN^>8c*OL1acme02oK5@NxK-R|RapPyF{G6YfEkOU zoWI(mewViY^!r^P*FbDW{Edb5-}h^Ue2U%UczafxLkjh+7oDC;s7oM$3-is-hte@Krn*g;1Q@;2T|WRe%XNBUN;Q|9;0qC=0&7ix zs>5g^Z^~V`4S(-6I9sc=Jty2S*!{l|&Z@D8UYma$`Q!N34bq47Gi1{H7g5gY&`(yQ zZ`*?cYRW9|&eps{nZyNq5x!h8@hGPgnzC@1vtiHhLHJc0IL0F8*DVN0%w?}g?USDS zpH0v6WFx`p!nsu9&8bZ_@kEY@Y)XxQIIAG#;ViP&1#!YWcBC}ulK7fT{y%bL2!6aF z7WU@Z6OfQkvAy8}pyzr_j!p|smWCOQN6AWy`iwh{@>`uq2{}(Ih0{H27l_c&Z%9ZC z7pTF|M?fF953e^QzbNC-?24*RKi!kMq}>j|*3)PJ!t1<=HDj)Y0B1fF%)@!%pQ>B& z;HcV!=wW6mZIR81scDZRUW&Jqb{D=ifsjDa?YUFWkw;Z!cTg*4s zXFz7B8?$RD2@yji4>=0C+SsQEN?^QXDZ_LC?i%A%tk*m>xiwk5%?{^?r0-{}qRiCX z+TnU6SbG{mBcx{^&OL8=pKjVW9smIF2EjSAhN^n2_p~uEV3Cd&?6VFTat4>YDeI25 ziFFbK+o{tzu!41;TTjUo2->6(WoNcM?o{%@XE3c+BV*1UC5pwY`l{7r>mHyCt*Mg0 z;Jv;Fk%9VDL9mIE^L)!LZ;}|^MSZKTMh{E&f&b5axeg=12T6xUX8i3!EM%)U5BL4T zeG$`0=DhBXlB0UgeJc0B&ULm&s`#;E^&Wr4L?gbOI;KuVk}OJw{ulk zUqwg2F_gPyuI4tUaRaoldlm~*2m(;#-D3yA=C4;k4Mya!F;2HUeaJt#FoYi3sB`AN z(4*~XiQE%UkeIgz4-V96a>bsqW&{*9%Q#Czcsu;9$B`q#d`6O#z%RBpafCj^s01_R zoSFSuMJi-l?AiP>hrDu!e45OMUhzunXN>nW?+^$Fi`gQdh~SNHkSEB_p9Mh4Q`5`{ zDy2i%ciUg3Ok>dT$0BL_R!474(!LOrzH}r_Xq;Cl2|IFI5t8UQJ~4mj+qCp4`1u&8R<=I9@|+w3VIzz zQ|P~fe=3bUwAeNX1+rPqO5{Fdon*CseVv>zfKu4Op)xUhfaL-BiRD+_;ngmk^-_1hFO-@5rpgOZ6qk{7`6I)fmxG zDIac%UDZahjZW_;)j1VOEsBQbJhB6BxU&uUu$;?y$=sUD?>X|BungWABxrbeV!M8# zO*~zvzmgFcjKwcTCQ(XUjldFL{7#KaQY5W*hLX^PJ;KQR4V9nvy6T!cWyMl@b>L(U zY||29hzkwq!uT-X;gh+cj#G(ib+$B0ty3|Wdg!W--FW?sQv4ud>%WG?w%+S`cr34- zHq`dc;G;8zRsV8ZTXSHiXM0!^nI8}^a!6nIYyxg_pXas*g*n!JZon=N59-;Z5J1i{ zVa@NU0=tvN5X^rAs}UZ}`sZjt_OT>@NIJ%uJ71uO_`FcI{^qU;6Jzzc3Lv%`poz(O zIOxf16l8WaENpI#N$*Gx7l;{8Y3B3+WNh^w&>ljvnj>Fno&fwTO1?Jb)hLr52b#?+ zWpP+DAr*lPj2=T9*^vxt28A;zgEOf^=A0q3WSrjcOlGo zKtL$|=M^X*gNdz?i%Yham7&gZ^1s3O+4wADCORdmDXLc3l_zXK+K^T@B-4<5A924H zOvINhtvVU$I9W(t@XvK>nS43TOe|%pCc1tpM_4AabY(cRJe7eav$S*;nMqlr1yJFX zw`;!yx^*~?uY8Z2&X+8gS^i0nSwHW?wFhVr+0-wfm*rsT`CYpAXKlDQ0n4ohx;+8Q z9q@JQ=oTBQhs}|T2>LD=7F|O2XumALgaYc&v*#xnkq?;!zcZp!`Wl0Mt*0yk_8>}a zxKhFirb_ooWoR)KRQhRBzdmk(cu2)46T9+W^8S*TxM%TPTs#HEA&N$dQb-hsQm}~r zU41ezap}->m|2{Ega-65Y3uHMU&GtFN9F#mK~@o&*|Z>BI^A^46rJ^0Rip$*+0?iN zBeN_4O^j_hP8t2d3X+;tsoI>Tcq!qY6onpTcm z#k^vNPNd?#Uf0~mEQZ)c%_B$Ktw#fkYPk~F-Jsab$YNR_zMMoaBf6H@cnaCvxa{0O zY~gcE(Ap-ed`tHp5Qa|}i!k}BCvO?xC~L` zglFr_w-U0D5ux=rY3AU}(fv<0bBT+?fHu1^yc*9P*gq?9A!fMxlvGuSBgVQL>D4hU zr_|TQ9o+U3+4E_{*zn?~@r{A=nq566;7=PEFq}$#!kye`%|6li4FYDr&Zh&)vg@zO z13#kzK(J+7Qw(1lj%lq^maA(kYxEj`{$5WJm@*7y=&vdE2)bBhr(w_{m`a_)JIeKZ zD5dKA>#C+sa(+((#WE|DT&V_iM^$*<#eMs*kOTCXF|KIH+Cz53;QOx=Kg$N6C!qS{ z!W!3qXG;M>imKJ|Eh%;M{p!dG!aPK+^2yU1UEUcQ+0g9DEyJNQgx$qVs5Ik&b<+!m zYwjGpK7?jS@WI0I)6M<#?kWRYvMwFoZG^M8oE9Mp%JZ1Z4v|6ieIapjl%9Ve2K!(6 zgzS~>qyub}ipJI7U5YzmpQLPYy)u9T6o^o(phjoII`1Wm<+_J>Xwy!EE zxf(6ycE7M*Qu5X_7LF8!{Y_?pw5^F^QGL1%#q;tZ`h|w(N_c9BU)2~yYtAX^Tt-^` zxL@|p%DH^`7_k6*WBWN~c7#Al7UefW44jz{E3!zklyO9=1Jw1VlEF=%i}c~w^=D)2 z5z)Yum)^uF{-~)(KMS9Qzw1$%u__p7hK9NQlmWX9y` zfa~#SDKS3?vq)7Hck<7Q3na9o>2nF~7=? z*0|9E!i-|ZM7u~6?BA8Lq*3Q2&-$$skCuCXY)+|Sj6U}8a zDbjS81mQ3q*k;yQszY5$4*2|jWcksA6@_U@2YVo`X9aCm#kz{(Yl%~f60S=qwM;QWo1=p@fgRD%XBsrWQVJjs> z71wW^5}Q#}w^UD+WeU(5$ru1Bx)hn=RNdJY<5Mef`+Am79or_(yos)I##@QRD6Ku?Q^9wEgtGI-iTf2sU2^UA+VvqDP_Hp>IvEKS} zm0G^g9`%M&QOVV`j7D3fpc)M*I%v`21u0uaNrcOs^nv*l$;<DO;7IPtQ8Jnk`42_xvl0T87HQBeSfZ9VFJ9kCl5( zpz1&QIg!nP8-Vlr#e|Qe?;{HIHC+3~OtgT}DuTS*ofm)%VH`ATi!vY@iU*U0l}!2z z>l?PW@rbxx4n&49vX@DGu9p(eH@wX(`(pfCDvE8M(8znh#AVKdwk65tow&rs#LBg9lg9nSw zOBJ%k#@W`Hi?jz&)oj{o+j1mvkK@6n1wD8ewVJkDi$nKTFa0NeU1>Rv65}heihm)3 zzQA1O$52O;2|8y|MY@(KxA?O{Izi?EvNJHh3}AWw$a$xVyeW4q9hplN`n{A;s=A;? z4;Ks^jBgX1TS{7M8I&1>NN9QF(jj zi@F7=3K`7qva6wHek{iEa5XB*k;ouRHn=}P7|(1SMO9EK9bvxE@9=lnQl6X^9H0Z2 z{d&+^iE&n z!B5$=RR-c1m=?4Nq4sdD_KKW0mV92YbaWHS{x#~ka12*_`Ad;M&S24&9+~HMd;Ee* z{Y)zFO>%hF(NJ|XRTG;{35x=G?BIcwjkfy^?GzSYrYv0bX)F!jt}J#SFVFh9bWw(F z<2wZmw+!~>;_ZzTA1ktmLOh6&@Qv+%GHbGPxe|>}%57>W^H`HkN@v))f;!o%xH--$e^@!da3y`Imwk+Cb0e)m9Wr4dqa z#&xVCPf8k`@P;?68uPB;AW{gnG*>FXu{PRz{Sv=zTF=IdhklV=fl6ZDqS>)@ul?@G zx9ZaMFMjwZSgt__%xFaBM0x`|LO(!{9vSgX8p!Px=-M+y0QDwc}@Wf7$jhn(_&MK~nB~Xzu?u@`g4xwOen8SI-^&=pe6H7r_CxYAEZmJgXSS`RH%swr(IjH zm==hoVHCTe?@&&N%y)sq&mW)Lv3jae!Y;dk_-`18=i>SzoKqnQ{A26?4lC(v`Y@NZ z;0NJLOPeuT2OBull5l9^0jSov}w$y?k>RqR9Kz(V`Y1js<`(bM1OK24_xG@KXC4 zO(CD4=%tP8-N{`|8km_!u%VMoCym{AT-=+!+-bO* z2)M<&x}iUGGPetMW5k#1aa7yC)LWV9aaBK31BhvIa)hXJpKziv)574DqLaC>D_`AF z!7L3Ms>CT*_N=SStgB4=45B3J2z?x3^(lsH>p^=(NCkkR=mMe9hn6WqmhnoK$@MT1 zMEJ!x#N6naMTACLL1DH-#S1ZIy5VVCQEhw?NM3e3Gz=WJK2W4o@(78FCBGhnzKElg} z8wvP}#_$2Hn}ue*+wJuWG@^P(O^R5{f(9>+X9NZh2_Evab4Fv=T`Fy*&53-Fm1$Rw z?k)JjbD20PCnR2}bBw?Fvt>Qxo)COyolTKK2nSWcy`Wm~*IXc25fEN-na!3^G3q@q z*nRO%`Glj9Om>XK4^z3wPnh^FOU&BARcGsWhjoGOdzMfV7|J;0H79X8_o|E-9YGVj z=^?`6#`wZflQhEbVgF|G*V81%_|HbYq{3TUo&ELAa1PJL-d9T<4dBT&Thbo+opa5R z<+`Ui`p49Ae~!+$P5DWoD{EX>um37`5V1nInIXX#scL}*(O|M9yYEkJj|wuJg&)H{ zqFDkB7?m6eu2`e($nS1^y&WHSOUmnLOB zL803Yi;%P9vAGL;xln5k5yWBxIKUZkJ<}EPxqJGGNUdFGjiQJbclS?Xq?`?oor8_I z*P_!ARbGs-oLVD1`8oq`xh)v~tRxrz@)898naA2rQ`n?0b56E$QAPbkgYr^&Lc_Y_ zGOkEY`;AdZoTOM!MQzIbn~svwW^};E9RiwQIf4N^qv2ZX0Kp zRd3DX{k2fQp@03u5lJH-j$QiFW^A>=V}Ob)6`a8!XLc+0!5Q<5Ew?hS&anJp;#3h> zDp$SHyRcM9B4WcM|Adx-_uC%Q8S_I?EL3yXIDfS1c?x# zQlA6?l{tc(#WSPD5ky#?(Vt86KbPG=+4j&hc4(YXBBpEq*`3j-I)$<`qk>E3E)oiT z@|qq7fluL)Jw&Zv1{2C%)RVWg#_Ku_0EbCGPl=uW&U?b0#FsmKz(uPG(=p=+E!Br4x5i4zn=7 z<4t0suvJ+6Wg;tVJ5hsT8@-(yuKd7R-39=r83C_d5azqE;K?0-11NX`+lQ70xzb_0 zF-+KckY@SiN!xwu!LqQk`=*Y7LjTTRb$&9LQ$4aTQ(lR-yN6YWUbSy)PSR)$lj{+xgw0DE7j^XHT1-@Jr zYq`@Zkq)hNB7hVI^ePkTHhZ5xw` z&53O%GqEvoa`W3~*S_bRx^=6%s;jH<*W0VU@3YotJ-^?8?EV&I^{}21!UgQ1+gFe> z2zU^fE2&Mp`w)@;g*fD=@r+$^{P9~|%a=`8f_b9Xn)@3FH&DFlBhj0yY-(iiW#sx2 zx)X8EV+`ec=~5~|dYaBLjcd$i$Ye=K?Xj9Y{LO_Z_utcDa(IY9(dV|)2crRfwnj-6 z$NA*!7N2RsU~{vYREDMt*%@%3dELXkRlrGwlLlAyz7rGIMur`(l#qOXOj&4e&bv)I zN%O9tHrDyqJ+0OsFrW|0cWnMI>qK!K=3ZTOjDQ3yvp?-&?T|+FH7Vaq9Ex8oGZ0tS z$@Hz}IoZj@J${PRZ46H`hvhp;*~Ix>$ym#u3}d`t4MH*r#lA2202XRbzzY?O8^Fd& zMu~90CwP??k<=bkswy4F<`*Ao*iV`d!L{juS0@wc^{EarRESS5z`BE%*=LYL7mPH;CtH3BLaHU1j-Sq zWzwE6;+)&2$x5tZ5GibO#2IC@& z3I|IQsX#FbQhC134eZ#rX%ZffK0F>1_ZK~b#;UpyN*Pj$R{d1*%tI_wO(hA(4kn4# zHEp8Z_YDUsE;2mi6GyUv^*DXhu+v#m0CA3byC5@GT7-Agj+BS zb>KBIk)(R!@SUEdm#M+S`#4l4G9_=@;vS*RghU^9dl36LRZ|7t?mZJ48FbeUxO{ZC#Y1!i_8wcVD%(-$b=X*yj=xBXc+zkR z?BY#{GkB~UyMN6Yt$R?1U&Tkl%mNH)UKk#7$}MtnT-RUysGkdfHzwDgvpm9_dF~*Y z%`_(eQV`)*nHv#uEU8S@CI=B_QWN4H+>|?kL$9nW>c!XRe@-Wy#T?nL&mMOU#T#>9 zA@%!T=iegelp~f&o4~le|DuFM>1|OuA{<)fN!!NEgM)s~1U}_TS`}%vKmb({u(hl! zBBc>h%h=KgML!%kcUz|%VI}@C`vw%fFwF~+z2hMG%XS~ff#0*Z34a|3Y>(T;yLtLDHCL)M%WIzZApNFwG~v3{c6Ok>ETZ@d?sJ^@KRJF2inQ&kzPf`+q^qobL#sFjPWvz76u z5INYZIRmyJ2m4Q%_!OM~p2e%!eHxTV{>_ZKI&qleQ6wZK`ON|RgN(yCs6m<1<2`at7uM+s)}O3Cg8qJQkcRLI&cBVe zM3}?CF`_k_9Ji0Ya~EIFgeQhHhLDFA0Efy_Z$ZRbG|Sk^xWXz-(M!cBIynQO;aj(% z3c0@YSFHwz32g4u8FMddyQticB3CJm%<0$Jk8=8WgoO8}WfPJk~ zKJgbh_~wsWl8pM*H=;bxBmvv!{*87mQkT1?r!!5@9 z$TUE}R)sBBIhO0q5454^>8#*==_v|-kM^C=_0j?(vHNjMJIuHxW#|iH(tL7q^S9+uP*_!Y{eT zg1s#EHGA#>ysf7u>m&Sxa)BupYnBhX`AgP$P@Z94mEg6*Yvr8t*Fviv&hgCi;kTmZ zlyfI6xs?2zb0L7x;~171BC8f!BvHBSUVB=BBto;|+oO^xRR;{SIk=+kpKEYF=MTvl*0lBi7?Y)=@ib^YNTI>s ze63N{NFbW0P@NSUSMC#}8as(jHQSVOpIZryzjqM(R>J_cQ`#ry&en+ujhn$!-&tzn zx{wgB6!ZOdhapaYd$XVB6P3#zBYrDBv zz5;aku#Rb`HMdIv6nyWL3~_lj5n;DRt`Yj8w3cbS+eF=}(_b%BXjc2owszr!I>cor z%cn;rM3<$W2k2GQ>i%S)(}RCqvg%#GN45q{@F85`(4!t_H~16tDoz1r~@h*8V?y#WYE{& zY;rPIee$|`-p+qMj0%3dy<_!Kzmky#6h|kuQWHvYMR9#)dRtYo6Fq$mE`KWGcaam9D5Ct2sTX zluuL~o2Yzlw6@yoAi3i`#Q~neOJr&De(PAvA4d43YSTH>I`y&PuNTCLsj<$*T61q? z8bht@r5G`_C$<;amqY8Z-$XQ-Sc&_OC0Uy9C6?Y&W5!wkrS4Cl7=~-abe^I^N(H;m z!d~M$53)vnuD0Uxop+j-&#;b7Vmdo#YE5cwNUl_hn1m2HkHkV)9t7OQNSbCCoh>#e znC}*_G=1d`wJ3Lwf8S{GJLwG3c;&>{mr0oa?hbAp+tO2wLTB}IXC04M}ydT7LiU1A^4?A;mt_^K)os2Xs&KKu=IN!QTYvV|m+>P0H5-grYAsy$NZ)Ni=4 zL5Z4>^~AfmL2|a#k63v~9j?tIT}5pALp&FOXg{bP(eh@w(GP*ZayzPuplK(AeoUC| zK@F5{^(%PDDo2`El~d$5lDig|?g21}?ftLpi?II|c76mAUXc!5!P@8BuYt5wNjTr?^SkEb$E+O8rvljS!d`q_>L2}GPh`)I8}CoPZiJ3lNxj?FLWyX zUSPY6K^_NfNn1c8zJ9sGlVx?o=|AnLkBT>UkcrmA!q8r*W({73OCn zW~1S6863EnQ}(a3QB{yefdx!3wlopTIOhxu}J z3rCKt@z2)wlTB=E;b?v*wIQ5RGQDleV**S-fQk9p62GtxoFAJXjC9?wXHEuIzx3B4 zdMLAO)gCrcBo;rmIFqz`Q^q~05XeW{79LM&=$Y+;HK6$O@DV69jHz&$?}j^<*8ycN zxsZAtlL8Q@&C0`+M913UrQcod7_Jx$7t{;7wnopG65&DN6Q52+GrF?r4L6J~Inv(p z#m;#wPu72My0Svm`(vI#nQF(O4x(Cu7~hPKM$kwkm8YmXMFkllEiDoHiDyU(xDj2+ ziLWt6(z8sV_Xj0my=eB(y>Aopq-1BNi3GhOcL6qi@=ZI}T{wNxME$y%{o^g7O|3-m zzIU-a(L1?zENn06$gI--r)jd=+1m+*{)`00X^z-3@o}zeq~N6cQ)XoWh4tan;JXYYI^{SYjIv*C(vY1-`M}K*1_mmb;U;dv%s2ljL`@i? z;bposYgIWpxB6q$?S6!dS4gSjG$%Sd-)q|sxK?)d&m_s!uE zNQ;3RhId<;hbQZW1wD&hsJ_9Eo$&?xW9fb%(sQ z_e`o^dKTRU@?oW-Rw}qq$;0q2N2nZUTD2sL5I_H$^624qk?iGum%f|IM~_4L0@;;# zsU@F+U&MBCZNW3;prHVjY0_lkj7SQRB-8yRM0zkUc|CNSPWBkl+^ zy=^fA?;aVFn;N5bWRBT|Oej?YAdpRIv^AlWN(+KRpb_tq-m&`YJMB?X(neDNA%vMs z@1KDWs3La|=8!tMZvp@A7!}_`a|zDiE`&?2S6xIcS&Y=KSX3@O-y}59HD|z zNVM)jr0U3`nrP5Vu>=?+P%_5ZZpN8zQtnoBGL~}gtgX?>rkue_jgWt=Wpi=Me!-9< zpXS?ncjF`*a8ezbczYXKBGNMhn_KD1NhdD4B<6j^&!o@bhsEuPIhG^h`UUI(i>}Hg zblpPh(a*djHk&5|g+O=mj!JsyY`oJ~qr_PmsdEtH=?EEaFItBrN@%f0XekH6wSvNPzXi2oh(g}tAilz28OxjYIn@I3_GR4x0o|MMuW=F@p zDx87MBiolneuUR~StW=OmS;EACEaU6GCQCM3?j4sTT0dx^8XYUw*L_qnq{m{VB*CARRZb#pRMyhGr4G7NfjK)DA?wt6@(H*6#YKxUvX?4+}%!QAb2gU1L0|F!9Hpz1F%_1aSI0~woH3CmP@tD(y|*NE#}=O z)H&L{Ph zDOS2(Ru)z8JE|W%)WFFn_PgpPAl?wWlCM$toIr+)}=Gn zpB$aLl&Q!hb)VvZ>!2auB*6qa@3?iSA$l77d5yJ4`{!BW9hZ8&beNfk%3*5_+@+&$ zU)%+dTjm+cKBEQWlq*8_k(?a#X6Ymh=zq3Kf2FWsihP7(2j z4!%QpnAMrwb8?H4gb`Lri{yEdo101~owYR$B@iCBCBDPA!hy6rBZ0fZm7n&zA;MK9#?(Bx#z=lZQnQafV}nV1 z-$RC}L!8%m{`kM{ndiWWW_dol<=E(w@{uWlNo{Cf)x||Y%8Uu0j80oHQOK_n5O7*4 zG%`WRC_&I)3$<8c!puw1wiKJ;~D-| zQ^^N(G1LDP(HRr_jIC0kf?Zr|Q}txrYG+%QK(K971NR$5Q85H-!-w8Sw7$8+jn08n<9}U3CaROoQ`qF@*laoh?R{AOh2KBj>=UM=inWSvwV!Mk+vEfeeaZuu ztu|_Jy>l2-mBPYu59F;lejnqqU(B_xgKXMHKsKI9VY%q`(=aU-UO(B=Bu1b6}&RTWN8J0c6rs`%_lj-pRoJ+Kt z?F_GVm32+Wur=Stvf;~<< zCHA{mekmN%y7}jbZ!bRH6Ld$`Ej{6I@5AF5R9)k``6o>+A9orYp1O4l+uob+K4au; zSKh9>`gcrmp1dODILti-*mi0G`yST5ut~Gn2s*RP@z_yX%%!YLS_9@JXa<<8s0d;c z1(UPCB^M%x+JhQeAw(z`OaEQyWQE6R?|M4UL`yJfZEgQ-u$W)U#n)N$0n5qq7Fu!( zXvqwflILmzNSYDfn5zSr2+&Sb*Ttm+sS$@Uce+?ep9TbO>SPv^f>;Ptq|CRNe1m`0rS)h{Mt zty_t`Oym&D=;C3sfpjJ;6^EyaX$5e8l){>`V3^v!Y)dau7v^vPSkRZDPGIwNe)4Xq z%&f4JGG$)*P)xBG0~Q@`+>~j?37L>N7JR3Vm9J$3cVE8tOHesS|8(Fp%Rlfvw0QBJ zpQ5eq^Sr&ozIL-BvPZb+7jVlQzMOm9#OVpEcv(ObFjLgyFA9Fok>o;;Rp}(@e%k>Q z15}z4!@VYfIe8iY>f-Igfr|Xl7yQ)G5xm0Q8bS%XrCvLH%tYO@e1Ij)yJnf98tYrd z+*gi7T@%2eEGN+st$AX)+I4V$|E)`}oYCk93!d&Nt4d6fuT~-gyFVj~$g_|sxZiJ}fyVj>En=Re8ZnfPyvG~? zKH{&^RA{~_)7eTsT^brYnVYo*m%Z3PDO75>*6c6RR29(#XLpLwuo5A3TZf_9-9gPd za^vJdQYY30vk-~BA}vZSPzCkY7oV~dT^%xFy7Yqss$7#9R#ut7-#ZMn7pmEK1C=nU zDe9&wBm%iWI2d#)cj(_BL#`3(-HF2C7Hi+E;TD@$ftX84UNC=cE_5)Jw`L*>l6pow z&IfZDHHhGr%!ZvE)dl*=)2idKsAaz3W9Ctmrh7~kB&Z2^R z#mUjavE~>O-2|~Cbtd7%rfU3?(3KL5oeEy$G%APShSE4`$jcR+;jX&6ThCo2q29i*dijcgaTgm2Hfn0;gjzC7@OA5Sk^UVF;y0)X3Apy83znl`*O`2YBPBy? zw5L`h-J8zV`JI=iBuNey+;Q1~Emo)8_ZcMfyt&7(!Ew%W`35tL@VPrCkc5Zdk@*-6 z;1yYT)|P8oAHfIy^^|@D&5H(kL$HChAuYYI3EEys`48?$41Leroi3eHy*d>O672?L z!VvaMXgG9G`{E$U^1t#PQ2I8RSAwG#*y!^kU&Bn)1!LFxf5B%n5N&F(+9Q+I0t{|-O`D*F!DuXgXTecOK#S)Y_IZZ4Tk-t!ke!7M&| zcy`NI{@|WzL8iyBS5k_(#}P4a7!b{%x6SgTSa zJ9&|;0LA3A*g;vzLp0lTVW9RjF`qdVX8nuz5a^Y|UVN8;JM~?PaW^HO2(Z1neT6N3 z(^>xa*~PDWb{Q8Dj_>D}^;S9d=rSHH7$gz74L88YY=eYJ1e7L1C8=8dGfDa|Mu&eV z9@JoKWhG{Vf1e~CS7m}83Hp*Qm|%`&DKv)co?v+;T~^*^M-2B&-(`8l_@n{(k@@ur zX0}~;P6AX#qXqd9Y9K^q3cw%-xk^uQKDNAmUUO$%QFFXwXCe!j4Z*#;NqVtt?>T)v zhl0KSZ+@qz8aS^K?k)+B=|Mv)_lzlED z`>3Tz*c86M4C9cB1RcY#K0(*B*smDTPyflKreYDs1x&^hy1c{#r*F8;t^*hPye{lq z8RPO+YHdkbIWUwBZx+EH{b$M5p_}qwS+f&V(#OtsHOO&Q?uHtM zhnRu;J<-)SQr!Avy&n0B$yD3sviHEwS@-2zd*4Yc-Mb|$ z?SHtJgvy^t*=0HdT0h8dw}%>Ujk%)uV0rwCW`7gBwDD73qEle{oUDUUg){xe@V0kz z@0#{HI6aXG4k+28TvbiCo?=cZoDH@DQ~MiV21lt7r^LEsavoEaHp78dU61oeKX9&v zm(z69^6S1gAHF-!K{luGZtF(BhPuKwj~~V56Yj?}L5i~rz<`HLOE*d?uYZ6!=?j}> z?_rZOR3-6=W75!iAe~TRQWHFN>yk z-fOD#;=<*o3%Pebi`ea|nekR{i55`Ph&V?$y-N$MwZ4B|%1#UhXC>idanOQjl^2qx z!wz-4FS`o>oGy4KRgP{S-Duu?CD{g?CnruyO?0fPjhCYPUEFD;cxi7#-Q&)2V8l%_ z98ek!_PQr@r)1QY#*$el3Yw_Ld+8|uW~UC(zfjxsobN#Y5aPSva2H$r*;(%GQI3HL@eHJQ3$`xSOALl^pAIV&iAJ^+${&_?>bK5c9>_l4OY^^5@@VEtM^MT#j<0 z6;!c{Z@xrsW#1An&2GO1phXfPqQi%hFniheK?e3I$2w2BPSA5@jq!t#OZW;LaX;+wsyK50@tYXXtacb9GUzr>}*@$0Ek!6?u zX8~v16<|3ehbN7o&ECi85!orh3O7>8FqO;YUoSf!6);zDkT?z_AM;Q!iGJuTX?{sk8nJFtO#a3td~A1;$jk$6gz6Q6XYP*V;{ z-;yS{nU!<>@|G1*9`a80M4 z=P}Qp5A+m%d>QtnE;5L1^En1tA{sU2Z2U=F&D5@~5)_9RDR&IgeW;Qn6hG~woPAOi z$DEOvscINKF1lmB*BN&vhpftlQqK1#kuETH%^R@%!Irq~qHfNdxu2O|SW&I63{j(8 z4NSFg7Hg@M{?~)2x|s60&2h}=nQN&x8Mc9B&t5?IA`p76-8!+Du*|shqJ965QMwa1 z54mhy{H%%&kS(2&s2VEIJ-_eCPe3w2VEB(q4Q*}-loYp2(3inL?vj$|#D45bOkawz zCW)zpSfh0F(&xuaU!XAaCfz@ICj~sC3Aml)e@}LZtwe>vt0XHw`-Ny|_sz!ck9R~T z4*vYnBN;t;nmFPbX$%~V;-+8HN^*yyCF9QacD*^+&X1d6P_xmIw&#FdM_29E;SIW4 zuFCFXA=5bK>CQj*5}7Eu+~xD2mLRq-F!NvP14*dplrwP<-Zp3Iej}gGOIHJ7_zk(e zofIF7`Q|~L?7t+e)aBlkGWGUd@JqPay91Aww(bX(Ae!jq~DW)uU zu{ds_ljuo$^!h>I7S!8sUjS%n-+pO$xZ7vz`9f8tS_ENzhn13-9|FeCCv1U73W(RR zkc%)*mI+jr(o6eh?J7&WLPLxNJ&~us!TBvg2aYpQ1`*Wqi(60}S6>9Bwv*+&LD5?~ zKk04_NogyqoPvmQgO%82+t{S)IYn>Cp<$&elS;eIgvtGO87g^&;Q=tpa^zXp+J{au z`T?W5o7}jmATqrjy;%7~b=jG*q%cdjBpdS+3RhckOwX+I9FozKqz4cLVvGu0Mz4Ag zL@P1Qm+Tg!zsi|nX?;a$q(v9`Jl^n$Nm6o6s0o}<+lWS&RPKnR>#;--5c626etAXH z160u3Uu^_yU%j|u0)T-#h-Z@4Q=z}8cjQ>JU=IG+0t~8NCpBVT}j6{dr75I*}n*%|OU?H)%THm%$F}Vi|n@dc1CUVZ9F?bIO-R0&OS< zy3%E^9~#7Wb*1L*kXE-G*e#?UU>Gx?)~0_RUF5 zVr=N3E!bkoy=RW8`Ce|}?Sjj1CQ9IA50384WYGI}!C!ufbsT-a1JMMk7TuBFNf(S@ z5)Z@$HUO9v$bHwz#S;2SB4pkOB(pz}wR-9AP@k#MMIhb(VK}kAMf)Sbrd+e2i`t{} zC@7DTX{K1KR?Kq5~}&bU_wQwt^8R|hR~8Hb(H>7 zatg(!3F7PPD_Nz8n83F~M9CRhkPDk)N}20KVW#=3E>|;arp&bq zwm-wjG{S4AdC&x@ULrwP@UO%h)%=%)Y4-!N*EpjC0UlVSr*IbyE?8|r@gC*7dm5e9 zifuVt>lHns9xKP286z&?8yy*VPq_O9()G>DU)IDbiJ=apAc#SzZ-rC5nUTf$g9>lp zdPcwqLL#UXieB~pCTZuMI{o3RWMc7r@20|t(}x$+Y0yfdyb1j=+mcAnS0R{sA95nU z-qCWVCBX{t+?<@|LmH$v3@p`uf8t#<+K|oHQ;HQmay;myj2w!u=Gk(Km;Wtz6|uy& zF%eMR4TGiIIxn&=p-Qc7s*+*i(NRFc*mMCtiA|W`9fSpb67{!kjkou0ynYN*5_TG_ zmul`2LE$|1u4%nbT~IGJS61ugkg3FvV&Cr$zrDhj6I6XklgZa-3^GLf*9y7oLjO(j z%#E6k2@|cSXnX$$Bv00RKrSq+%W>QtrKckrNAqE=*ysoA8$_2rS!PcmB~}}=-6<}R zqF3U5Ue+_aOZ%EYl z5<h6X^v8 zc3+iRlI0R~rGd8!qa>M_I)%8Xg~!mlm2*FrklKKtkk!Di1$n4gUpBsh*&8Ss3f;DW zfqB~*=J)G`iB}=w6}8|=8GJjleCBTQ!FjXTiL*c!n=WwWi_;lnY_u*wY zY90yX_s^$N>Vf}k!hl`HPAWD*O$y=Y`roX~-69Vw&}SN?8urTEi?&pBQXeW0^@d}0j`aXc+`@0YbE)^?D6nK%TJw#NRB*hV68cKK`JxUz zJ+uaHJp;8|&7~|QNlJwGV2Z2+($$SDSAwf>o|uaIRTGqqs4Y87v+PQ97AB*_-Dj9e zg5W_K_cq=O^+nNyYW1;R%Au$5Sg}EJViU|L+|%_nP9wS~jm4Pwgi#4I;^u(N+7dcx zj*IJo%8Y<1@3H0DtV(J06puFtZO)Nt{lB!vMBf@tyH>kR7CbH)$XsZ(fq<9Vb*R}l}mVc0>Wkz%1i zx~Sxg_ETvQkGee%9mEhU5;-7wZ`ko=Yz&Ij@H8(~s|x-ecMrVh0gKO>Y!T2ouq`{hNMn=nu}!drG99D zh@Odf1$!d*NJ1*+IVI)FSi{Yge7%Ab?;)AljtX-#gLzSLUSneEIS!!it?51QEw%3iLoc0*!jR)kQA$<`jVp)`?_S@LD7F9UgnC z@{2|baDC%WSVq{+psa6oES@n|b^GvvoY$$n>z)!r9p5f@{Q?oM3L@jc1%@fV<*__` zW`>6_zZvY&qPKu|n;!!XS2evJtrdnZjkG4*^ck%5pw9Zij-#9 ztQC1JswZePj&{;O=3LVF7M`)g()%kNKi6Li8!vx%RYQV$3;Ow`ibXYz9+DCK;M{b_ zw$Xnnb-$>Fj=jCy4LSueXx;sp=LYbs4sl5CFRdN#CH~MQ&4?Hf)hNz{W)6$z&V8wQ zfuWtW21=aH>)6JQgDW%r^}-WXInSqxV16|=%;Vf4e>C5d3R~P{al`I@WCPsr*s|j+}p`yfi>UxhM zZO!_PXZRzKMG3p1b_a`IY>m;-B`Rf!%zLxaR$Uf?sI^Suo)Ej46lgM;)cwx8!a4+r zF>_OvCpgs)&4z?mj3+2(5L3qd18a{f7#2(X8>!?zUYCW_Mj;#!=kyv5{rW@dRT?j< z^^XN(5Yp&*FEZZ!t!GR82$O#=b7g_Z+-Au9zUa1P^ae`Sl*< z9@_H%c7+;D%jUg5v%Z+0`TzeF!TXQs!U>@RpK&2Ytl_+$ZnU)cJFmlx$_Zad4&c^0|6Sjxx$RBx za#q^rWvdCZTQB`#RN~q>AY5rd$eW7_@EfI{1>RXz%9|J2h0!1=_c`{rLuJ!T*s>JM z%sXJ;{0d+1IPFYfGjm*&a_Uw#N~h1kX3(mLOF=Lc{-zH3<&Gc*G*bv(g8;|lAB12u zp284?sHS|o9!PIGJ9V9z1cjRBxH2tdOz-NyBAS`MwkA?QmbG}0RF;strE8qw$hi`YFW5uV}){MZ~@tnyRA&BWKHo3pQT2C+;K zG+z&dO$3~)Ly-T;6H^*v4?Dpt0<6#$))ZNCvvIk;$_LmnH~QVL=xYu~Ym}D9e(muW zH#lxylaxDIchf}dugNj+yBKOQUh4hh@#ho%3ezzR@{ld$VS^q_ULvyQ-h`Tf6SBuk z_`C(`Ht*VX>?5yoS;Vb0pIg)Frm=e_*VbWTj6)kxx zqV?%!q10$HO6H$tX#F%H$~cx<_*SqX#q{pw86^iL}xjNr# zpNCDSi;NHMhseXNr#TbRCRN^XnIT=uIBzdD&x#z*Bj5Jm$G-q&=byb8uOs{95elzt z;y4OM{^?15``t->@8p)>`?5JYU2GZarnBlfEu-1zJeOC>$d_nq=Qk^VOB}B4ttxW1 zi#|)31tbn#+z`C27#yw~!#a8Y&i*x0+1k|49N=$kULGL!%A<6hPLt3i@Z*tijrFdG zeCbjh#r#c55!VWQI)aFvUWk|XR|1TPHz5Swzh%ZBjaQ#hav1Ng%tZcl5%}k&Sy#W0 z-yUQ7iV3_W)+LXq5%~AG8l3Oim|plJ8e~l`U*F$21@qb8U48GoBkYzsMD(r@d-RNP zNX^wLMo(J`>-41sR%DR7Teh2>$|cQinMN-7;GqK2HSQ%L9aI z2?|hPdC3uZH&?=pK&BumE}(w+(z!5z`)A)@>z+H~F(8a^;VFJ9jQ`aO5fB#dIVutG zmm~n`=S~gq5GFhf=;Q1#9`o&$_!$RC{CO+qYj^XX7>~O}z44rrNxK>%cyA2LySdSL ztnzwg69h$t*RW>6#{7pD~3 zO{oA=$`yDZ{Iyp+Sbrq9$II_<2r-Is(=4hnl$B3(S$3&*Cik!a>g+sI+>N+09C z+Ip=nPK>ilPLoABYa~;Cz1gk=N4AwAHp=C}VQ(K@%_Bq#Z<{{AKthvhdis~4%mE%< zCSY`N3Wqod@|l1ysMlIwwHn@^?2}ZyR?mqN8BoFu$o7$=LXoaEmz5^sw-m zb*HeD^dq!0DG^4Na43wMmrr_x zJpaYz2^LI$Yy5N$jyOoUQ87E8Q=_k?~_LsQ$3`GXnI`-}>zU=BfvJUL9DA3Hku1QvY@D;P9E|K!H|!4{9`2R8PRT>U(^u3V z6I{fs<=IZJ`bqT9g}R>$nD6e(*v>;;+@&<-6>4+^XEyDICu-H%N&3wcN72@f#++00 zg6@RC$CR2aGPCBzsh66|po*%T02hi~D?RfS+4RV%B}*WwZR7{z&>*Jth>DYIgba2> zbwm>D*&;ZHu$#3z9O6I9{S`s;i_A0rrKO`+)*Jxgy1l4D-X&P`#Bz^ZPZ2AtINRHX zX~~3w&Q3u--S186u(2J6xx|GC?#FMY$JYkqgGN$Pgbn;LP1&`J`x((XpbhbjSV*OX zr1rk=-drbY-~3RBE*Y!Z9(nP-Nd{LbKe5X}(IQX!eKm5nlT^8Y5-vYJNKr>o|?a z=t}-pw8yZ>8-^@bM>4A?K+l6)OF)w@_GI4TfJ6;ZHC$CW35? z+74ObsuQ0WnG_umcoY-)W)y{e3Olrqab&%Rdf{0}%M&lj9ai`YAjUa`r9gqf&Nd>G zmc6+A5@cp+Awx$)&3BA)HR@klc#UeU+*js}OG<=`dldH0vTGP**4=JtV8HY(jDv|9 z=jW#8p+-TNqOSy1P$Q%)uQcY@pPRFuGKv#97Df@$y!$g?sP~TnG@OQMQ~LF|th=9P z?nsulgH+o|lBykzj#Nta^V&cwkz!}u-ca~{bB6a3i@c!x&cZaiv% z^ou26IwJC0%b%XHfNzhx;C%FW^~w1lx)j8DrF{R{2kZ(K$@7Ftr9!p!;Jk9a^LkFA z4ebC|f?tUN2?N`!9?wwWy16>IXW~D5z^x!W4g|h;NOxR`1miTEcc8xPl;Zn550cc6 z=ZOWlAJa;W*o_t}O6hv<6MXxay8m!r3H{{=>PV~K3R(qG?k}N3L3;j<1*NLkuc7tN zpA)Ss9g-4#bd8Lyot7v3V2J|Wm<6;LVR8@bP!VE4#YmkpH9UfFfeqvm5Ojcsiut#E zDZc)+5Nwy>D($LDd43x=`r%n==Fx4^%+g-&yR^n}=E%&=qg*d$bGQWQ*Pa3|;mpIR z)F|f#n{w;9Vst)Zscxu~JIcbD_^3@ttZYL|R3j0)L=Nm9ClDzG7DsHMKd@sygAH`K z@Rl{e3F0tHsCqA};b!qav&vfZez0F8pe&Lfk!H==VYFfyYpQnIbFs~dEJ$NBr8WYf ztb)(2DOzi`dRZoxF6>M^3R#G^R+QLl-&QX-=2ITbbi9qEd<%MLt%p;>xkAW;3c>}k zuw|JMCu(mvS1JsOFT^=+vR>jp27=$ot%$3D{F){&4v*|Gdl2ocJV#TAc0~dG+yQIX zVY%#z&q#yV!uCUtlcA-Vc3Z6)mUaoGJ4aW?AWC>&I+EPz#dHHqa@DUP$hTB~3rm@% zl8LVMk_8wynuS}54wsr69m--a@`OZ5-g>&j?Cu?+SGTz1OQy+iLFBX3wBJ{k@Z{b= zl{5*Au8H5fr~^}A*s($SEnD-?gUEo_e8rXZHrxe-ohCg@4@A$u+CqEeob&mv}w6?406L4~K zkf1USrawt9TC~@C&!l_T%jxn{LNkt4qpdgV?XSfF=@jKyTiOhT_;FW)dI_$9xC`ZJDZ)U=ET2UWR2{IB{g*5S&; zMzU5tMzqTr9jiIopsb3sTEmG@pvbt|+DbXXJ=cWAsj>5MVS|U&yT?5BJU68?>Z71u z3wrFXDt@5yMCs*LXL?#YBG0wqDGAXT#aIR1JHw0~6KsAM;45cNppS1Oc0f~!QVzJ5@ zGdg@0he}Kw|20olslVjP;Y~`jZASZ5nZ2J^14n zDQar>U6m!Ci5}idgnA-fJJSm>aS(;urs&;{`Qa;9HuC+Ldu%dqTg^*wQMT>e%_Kel z(yXFaTidjV?vXso^b(bdfTuKM+E@hG zh7COq5gr-LQFq!Ms&QivQNEuw0?=bRL|4(0U0TxHneGenS-QC^Y-Q6{4 zu;A`GNN{Ixcb7nL3+}GL-2wy#NRZe!n_qS}?E5|co@eOkTj$)auBmEzy87NDQv6Ds z@=Lakfj4u-iWDfK_s3A-W@ybteb5hlIj?)r8%33;%x=wu@rvW6C6Fl`|3MK_5jEVB znCfQgnY&fX=Xo2b511FuvLu`7eF`#5dl4-p*K$EG;nF>WduvA1FmiLfhGKP3y$osi}qMq^#) zkLwvbv#-F8a)lU9jOUsi$qh5`jh7z)CT|)ph^7_9_m6F+9N=>T=V)3d@T6PC-Zj)N zxs^@Jv)9@c)^X$_S%3<0&@kg7EC~sknsU3Y0?zdyOxL+ajJ0&F8L7{C?`(pO*OB;n zZAo#ogfPwyOS(>-%sb&s3AbXe60HL=_P=7?jW69-RH{2I&9SB`@qF%0{G@jUn4O3A z!87|5<^exD_~6IZF&2Fv+GOUI9-maxGiNM5iwgXK?mIC-R@~hb6FFw6`-px-rYjUc zI!kak;*O(RU&!Er=%cUVPA^WUff5KwWreHqL@6R&YA}FRlkQShm41CBeua)wB3HR1 zdfGC*v+q-SO+^Kye96s7YoL za07ee(qr=n2me^TH%*vjo6sV~QQV|`H5%kDsU^droRcD}E1~C67h5roO2bp<8n&SuZnO*T zv_X4)RmOfV>E zhk%8obQY%JxE-SKF_1lU;DGQ5loO-QGkf~4<<4J&+zl(P~ z&7^92l}nmeAOc>fR8b~2%jVf_52ch2uDm*pyrUv&e-FtS>XtJRj8ws+C#>9}%#wzN z#R!6K#*7z)?J0H`t!~>oUTSXMuR;+*O%Qe0zXV3ycU^ZAdG*322e3JcuiHvjDA z`G73K<98`&rf6xPQmDH3>F%^#zH!|VR^=CL?5j{;Is&41Oi%A7`BE*x7r+kCy$%(n zsL{k<8mKxLLtUMn3tCV0jK@e$%}r ziEc5JyPwQHJ&C+jB93wkoADk5(gVtLtqG~!BzN{3J|w*P({eM9@dI4Ri&A~%TQ1AU zA3$R&t$;kfPueze9#UqD7-r>9P=g?d+Qy6r$o1c zMGpU{8Dah>Lm#Je2~H?h+XtgWsnS+lLk!46LcPYCn@0bt&R|)lSmQ}n5lKT9i1p*{ zoSVRz@z_Y4uc!rDoyS-03&U`7rb+RNs39E+uK?VIh34^ohIZ=-)o%*n`LNj$iVTCN zL`Wn=h|GE*5b47a(HCwqA&SG58s9D_D!y0HJGFU>&Ns52pb8>tT^Yq;{i*g zBmon-nQ>)Y=eZoOi}+9&vtq;H{1;oO2%QY!LV1ar{#_--m++T@l3i$Khs;ZFz0FQV zEFy`~7T2+AtW8ErsqQ2GXkZfzRd=cxxm)zF>4-GS6Q8Xo>AUS=uB=*_|0o? z_hGJ;QTWf~4}OM>L#2szsf=$w7+-V(GL9c}hd-5#eSJa?M@`Z=TO=#L;FO9+!p+%!OS)@}FhD)M;6SzYOz&tNUoH;NN%4t#W%7j%UDeaNCSBFEeJ*5R<~@Bq0Be zx#@h48J;|em85vG^q_|&O${i<1+edCGltWDdB9%EAgkelBB`|92EGKb_%yH=O5TgQ zCn6jY<3ovaYiTe7gS{(x+5!KHJ$&Y<%0pDGWb%WYUSmQ1UX};TY;n$9Z@Behop9u* z-3|}5*%GyzfG18i_125XWp8yH`uDY=Z{N_}Q0up3ytc^b+5=2hrXjrrVgca&Ve!n^ z@Qh3+C-$*ODnu_~2JxNIN?qa(6!6{y$=*SEFRx=b{7Krq}}^+fQKQt5bEEO8(g~w?O-RR5yRVjd=>XxD7jo@_aYW9^wx`3Q(tR$Vnx^ko81KCRYLp!8{j52lf8x*R#Wpw~@wM#-F#Likp zGq*lp&dH0%f8M>am;ioElJfWtf9Wj8+o5ZheLmz)R(?)XmATL zqf;S)(CP7k99_nI|FzFgcPbAg$rGtd(R=nS@Wbw?r&ej4XS@ZX%4EqO_+64{cXugR zh=oxTwj)TKGbAb12z!MA+U=?jzHRt;fbSpkBEzuJau zB1cya*cZgleV}=+&zh6@=2@MJotz}39Y&&S!(p$tM-5LYon+oL&x6@v_nzH6o_+L1 zyrKvidy+gFlQin(L`Ktlz&$oWP0dUt-{hOyb1lX9`I8sa-XeeuCb8KPrgo?im4m#N zripq4I|YCtJK+7yvhyN?;1>LQQgBFh5qa236zWcr`CVYr3xO2!^vxDH=DoNK4-VQc97 z*&>(#Cs_kF1qFZ+c(MoaWlOpgSIWvs^~87xr9WXqaI8TJVQG(y(;*IVxWM$CC0fIw zj+X<^tF&BI4^J<*QfKW=yI98I(4FjoiVw`EQD{nMf^elx5aWa<7Uz4+UAi}+mSwp- z&4U6}2BE%M+C2=_Ch9Fth}|wc=jDBq_RA^~j2afRo&h}BEV6wgq-{&qx&C5EcAHh- zH@^fCZtA;j_;qS!4TeA)anzp4V7C15$432zfAk&i*YhavLiB2&(EgoTI>UUGnE(_r zPy@`b_`GL&P_My9-@%r^mY`>(5AAi_DBB_gcB(ATYO22=183k=%-zCmWQ=0ta({h1 zmAe+`5AcO~oAAi2i9g%d|ArUHT5deW-mbHz$Z82Rd%LvDC!FN^mQAX0jpb5dIB7d2 zS-F+q7^z34$L2Ave=WWyltM2hncu-QEgT?tbdf*&o_;S?D1>e%a0{`b5VT?o4PpjkU_I4Jkz&H{k4&z?W7AX##0=%KTSyyI2a{KmqP(1 zZc^Hquw8|wu6qr(`lV{h^RoumEwC{GEK%JkvQJHxUlH=OB2`570$`cyh5H%nMf-!; zwP)vun>?FRY*3K*F`-jmp3cFeLDDW9WJTXe#+s82Zt+0+8Y|(DnQZ}3)p8D72u?i- zJD~|=gJ?E(#=YMsvBVJyMF{%_R)>)@ETla`JdZ!ts~YXZ0>>VUqyDAvP-KA%6gI*I zm=dkxh=iqMnCnwo2)%l1bwNmhfZgS~fj^3ZIW#7*+f?>J;aZ+>=)*!BXKZ{|g=d?G z%6h3v4)0dZr_y*Dx@OS*4;9Ct9`Dyl!BMo2H^;qv-U9dCUqAW(47$JchRE&z&aP@v zN8+05qmL#v{Fz;W&xih29is@;Gy|-T0$2~8_7Q?pW@l08e`^_p-=k&Q**B9Kx@7kQ zWwDFK&W3}0141s};}2vE_@J7i9uW3|)rB!kkFHh+@P}4?A0nchV|+y4IEQn*agMwu z(fz@Swqqf;V|@mL!4`21jSIjZP@?E29!S*xIZA1QaorbZk~9gdwk5FJZq+u%0+3tr zsBmyvt#RXM_3g#pVgb3dYLt+)Zfh3ZJF1q$haWF4WFV8X&Tmu%bkbWi?Lvrc%3LAy z2#mQ{UcO5|YN~@j?GzUCwq<+94^Ed`?*PeGkU!!~s2jGps>`R=)4I)>Cmx#yTm)9F*3^AJ zu{_mzrlk;P&&O*{$fS2#jV)K3m$FW-JiSO(r%(xV@yx)s=hLZa)b G^I3GVOfiq z>O7#jBHBCj{}Ot}d~ruvSeBCx3G?QrscLFs%C%D7$+&TF&a-?aFZx^9>wJKROdVoo zY>&5vm~=i%jAV2CO|wHiP@1@Np$b>SfY4hPdofjMqSQcBS*fqE#*z_cL%nXJYIA0% zlx%FLwcTZ-z8nTV^`M``q=FYwaruDGMv#IYoGTB{>F}^x4|^*@bKaRzizvM~3-vN+ z+DwVu>kYH(sZQwRUQ$MMxjvw(?D0Yro4rR#wnO7;WBssO(TaSZ4r<_#PbKHrVQlWl z3!d4Sg8NKlJdX`}`fmB~-kREx50V4?L5zD?KGFjM!j$_u2)5sp2XusK_7tWRGe@vI zzIbbzXFB9h(^Yyot*IDy zMOMq6z(=rQ3<+nj6dL^F_+xk7OFNl0kUM$F#*w-9V%@1=nv?c&bt{f%taV)AD!n)6 z$9B3smTnfa*#6$(z2YlChEPja4~p)97>KPJzrkIz$W0|TR&xuSoyg9fkNbPN)Vz@8 zmb7TbNqvXCZGVl6X`JD~HJtF!Ati59n;eI5O)JLtT? zhM{)g%O@{dIs+4kE@GB0xM;tu*!i4x{DkJ+S1G5==bVsOD!wX!mz>&=a)x9dX~`C5 z1U{oH73hyyzT4nW{8m7F#G6#>u7(T0d-nb8L)&C{yH0!j3>nd$E?#qu%o?S4$cJTa zAUd<(d}w2Bmm7P!V}~(Fm*jm%Q@hh?TRV^7rq|qLa35Y;dxSx*wBlR$fZ!mF7f3SrrPA3ZtqNGz$SVrjiq1#qeq{DcQ1BYN{9U(t-F0Tnda*S zUA}n-wKHJ43MmX*xFd`B&a}p?l;AtM74ig!_@hFq8QKwc5pj0c@{agiVg(3!7=D*r zH_trf)P)1LAgqjJ0Dytv8oxJZI23j(++nsqLr3|7{t;0U#5doX6&1((x>seJry-Zp zLR(f0w?l#i2$s(;Rd8SYAuSRkKVH?@aCHrM=ijmQ z^AlTJ#M2Xqk1eX_{=>`a43FHB^LNRF-aqxvXWZY|Ttm?zBj&7OxbhVb7EWR zTNkFHjJ5#c!?Nx5X~SCg8^361sch+Zw<0bg@5h5+rsoMf9t3ozYb$BuvT#JN;*Uu= zYyp^4lwIyH;6a5XuHqXU=;!eb5Cwz~~aSAa%@Snqoz@ zJ{3S{jCWL@?@&RdsQS9$Bu4S;=;Z3P_o9*0VBCVL4Shs)Pb|Vn?g*UNJ{}t74=E@r zqRlq|R|o!sH|`>oR!Db@BJ}GhU67R{LURY-sAMKSX=Le-SFc4rHA%R?ry=~rpH~Xy zU6|M(yel~;G$oV}6r(pf(%9fIeG;qmRj912?)&oeXBrs6A|$gH3!!K21~_I0Y+k1& zF4*#t8Bkl63#FGhHn%GsFI$?MpxO%MLQLB00OC-B*z(Dgw*`E7zHDq0$Nh~#rvv0a zAom~8qQ$XvhIFucLQjApYB0S**JpiHu_qXCfl&B)MC(BTg8hLJLDcso`t=90B&9}j zN+g!fB%qafBTB4>!RcIWxT6|9I|xUzF`F*&fe{V|!ckcU2Tvj*lp>O$%6+`Zu6F2l z0BMB3gawYsaJKtS;pfSnVwUaKfUx$*h6hngC=l~&J`FFYX4JY2c@Af9c%DI%@YDhv z?LwS95}p~#B~SEdxN&$1H+Dv-WS=CBrMU3mx$8<$Cc5;ogf_((G)L4_n6T_L5IxBf zf|K=y?SVu-qJ%bwJP{gae0COkk~YK*Kph@)PvZCudEyW`2B{?m&m(%$CkRVPc+4XS zU9feST!YjSg=ZK&$phl%1uYCYpO`y&j${%8F#*~_tSJ|orsT92Jp6ZwN)VS1D};tm zQk!HF9)BQY)IeCb)bv+$^rvu*0|K?%oBv2QW;n4!Um`%jLPX<2K+pplZAgIQ_UHhF z0BmcVpK49x4iO6EL@6owAJbvwc_}0&P|8#!lUO>YoI(-oaxYXuG zA`j@nJd#yWdQt6*iF%6k12xj!29gMX1bK89JS`Kd{g$9^)uD45;t?Y1)V+92+})@s zJ_Y?KDl2MVKEU==K}k1=^hbBN_YTuuoe$Au&sL)M^@Hm1*62I$N01Zg&S1g)lWW}Q zJ;&GY!e4{Q$PPh4KLW-Q(QY3weh}XuyhtRoT1y07K#Hl}@DHXk&%Txk*i3{2tZixq z1%w6)PESQXxEl-+Amm&t(26meVHWI*6r^9ni&E`r z_P}Q^8Si_P3&Qva|IR1a5?0+yb$@RkfB$Ct<~c)1&51d!YBM`K1M&Dv*O4Vm$L|7y zzQ!DMEmBHJ8#t|{x==S!7weaJakZseL#e9m*imyT-OIrVc;68XK7Ej_J^=n8A?m~ z(lHfwfPN}KYqS`ZvR~S6a_vyCm9pcRQSObO&v^osbu~p0zt-WG1MKwS_O#*4rU`Z?NU(M`9bO zYe&>+JGkoyT5R@N24L-&JMNU{dt~v@QH55K0vzm-T?uyjy=4N_M!++{ zakmeUwsBpA;*lx3R^O6n(DrEw#LQcKF~7$MFdU3BgRoxfc4Z|igtKOhnJD+`KB=}jG(rGwvt!3!@EN5Y$W7xQwq{yUxocJb4N zHXYWZI&wYSUWG@2{=ksX`P0Wz^XL?PN$b^f)*pbvLiHi}ZQe!2hsi*`=}CizPgkEI zD7qGeOROtS-0kyAikD5FMmov|@>_HT67 z#9eWFwde_Ein)jYxc32K{c>v-z` zEV0X6J}VqcpA9s+MiLCT>;G9Fg zN4UPJSWlL)+I_vgv>DP@OSV@>-Sr08r;xg4Qptv6E(qa4xfP?pN zQT9Qf1UkpK>zra^hL32=&IMmv!g*RpkJ@%XhT@o=@7_K7{%HsyDCS%IE}zyl>Mb~#~b)Q z@%07F!lj8h)%?p*?#r~X3utV1QvfT3eUzHB#%M^LG*c7Q9P>kE3}WC1YunmJD>uUL zKFP~__-C|mwr~_U8}ckB@}1}CCsd$|VQ!`-c4sek?_}=DjL7VBYgZASE9UhpHVD7b5TaaJIoDbx5Hd$VvZ#xQIh(3EH5wz>P8)h#4ZFMBXU_#1Plpt zPeB*FO)+Y{sBG_4!zU#rK|uH@ej`m;&9;-7_XUWF-phu8PX5u0ClP^`faP$dVscjR zPPbxFYo#8G*x(Gq8}Dy;>aa?XP}tDee`$LFO_wOZ@sS}*65zjoZGTuI{{0DYndmdtY>0sDv`$!arm|EF5gv)PGl5ZHo%Z0~xsM$pu8;h6Qu# z!G@oxU;_d0Vv7-Mz}u#RdW!|zOC<*CZ^)M+rX9QT(I zbq5oSq}ZW?x*!G{sDQRRD1RK%P&9>w68P8bdjtpwp}#8*UYCZflKg_d-y#14zQ&6r zSPTwvq6Obc{;L)KUP?p!DSpFYfM~HOIKPkTA8i!E&g5_3foi)rP)^jpfZyYZnEwkp zE)`c)0(-v#C*hU-+ckJy8Zu1(i*&oo^haf^@2HEA!4>hrfPfHr2KQhB!^MDVhp>OZ z9d6IMD!|_Fz~NcK&)^%Jzr3^M5@G+hO8s6Ki9pDGT&PW+Ul{QUSRi)+?tff=am>NW z0k@(8JOl*aGuM0k|Iq68aZ&&6OTD@o?}77R$MeGfAQZ|l{^JS8#J;eJ1 z{!C%|85~va7aY()`ky0trZD}CBCiOhPy!K;kpJrAM^sP*#=z?#dbqy_hCSFsYXwX? z;s%!wgEtgyfE07Wzq|VO{GS7k)DHN0Ug&obc+fNaCGhiq3p&K51jzo`@cSkA^Y?DR z=wEU_|Dq`z{ulkPhR^>E+kZOvf5m_P-fd}!!T;0EpHe_}&$NL4+ZF#SCGzhcUc3B1 zD*FE`EaCu!+{XFi3;iVm0ST5V0e9lR&TxM(r6JJnK+rM+uxAr_e!>4QNdM24eil>ujAByt z59MNw;E#iT7UB1dLRI^lf(5Q+h#mpZaUBuLc;uHcVIA{-rg9tBai9>!e-#TGp#V?U z|7_c56N=Avb2;&wg7r@u8E#NPNiX~|w^@+zU_L(p3)n6plO*r6;4c7k< lf8PcAznehMh%YvN6Y;QNz$bhN2!8M@7YlrTKKg6x{{#N5%QpZ3 delta 40255 zcmZ6yV{qV2^zRwlwrv{|+qP{xzlm+zww;M>+s4G4OlF_`->uzyx2j)sSD$wW-%r;$ zefa=BJO>V`EC&t&mja4_nS_T93YWy>0{TBEWC#!t5GPkFW^j=I&tenve_f_PfD&TE zfq=lk{AVNrl18~)-USK*f(s4;!knU#iIp<;@gh6OxJ_@w?YlCiNH`zc2M)v1`#LBlR*>wxjtqEW{AUv-^>%_Gy*^7-3w3s(%HY-OxkD8e)TeT2S z@O3PN4+8GfSf_}rnrSeG$6Xx%sO(R1s4Y^{OOacYVEg=r8$VFDUG`Ywv*;*rr};q@ zg~uCIr|C~BJSBa;D3@0?M=@1;DP>^QcImZsN5j6VX?$r!lZL}vtNty82GjkqK~*gd zXRl9nQfc0FjhmBbYLBps zZ4%8pB4)qoZ40a}R3w}fNz{BVcSTEl-Rb( zuUBnA8ES|jK|m-{NIkfKZ8dZ)oPUIFn~e;StaMSqO`%C|KtDgBmWq z#G;DI^Hu zd91CjSsA#&74B+YitO)blk^DRu^I;m+ZwwkEon<+9p`NlAv7kdQ+8vRvumS%aTi|c z9?ePWj6Io5Te^e5!DUZ-d-KrkGw-zP6jI-eb$6Br$M)eXk60l?Jpy>t^%di7d^#6L zOXeJ3yCc@PV6B=%oSBhb#8ost@mw2TC+HgG7K9fu*))($?20ch1Ts!3FYz9KU*Ah_zg%>xq zqeEGKuXN3(+Hi$Te~fF|FTs+!PE#~@SFWb)bNYD4EDP9J(kq(Y!Qww&`)mVw~&!ZFlJziS5}PF0l@2J^%Hjy40SL0iM{4_3n5 z84j3YYV(@9E>|bCn*ygrD?VWNSFEGc4OZP&)qn(y4&)$>4(+Z=eV5q7HO`9r;ra)S z3H9snIAYWhKu`1__YZ@D?;d`Z-(W`AA4CQd-;)n7(9^Lz3pD^XkL}usr#CivlDZUf z=>|*I%}P}Hd8=a&FISpQi)T@LtCCu^K|jqHXB3k5#hYEME5>rJ`7~103zF2s9@3{) z_{jm)6GhLun|swKUugXJsIf(0@s2t4G; zw%iQ^BjDmCX-3D*^^XiB5u?obH$ z&HRJeF8QYOE&jfbryDX0vL@+GDJADM^44mP-ZdMvPV~W&x(JwGt^CLQTrU>?35cbN z{Cw>xRJ$m3V;0$sKzc4J2;_++k4KPbQ2pX|L7|N96J6XVM?~Ez#s0y_~`M*hI8912? z|9_IY0sWs~{wI+{DZYL*z^)p;2FAZ#doK8CC{<~i)b^k4oDj0rnysaE4nfw|G-=8x zb$l5oT=qRTN0#7!@jnmLj6RE%6pj2ZV_{aaUKOl9vEN^c+4)M2Lx_*ZW7*@+4Tq#E zelD|S<@&wl`pw;W3B8^T3KQ>x-y`g?p^n49SP#O|LX}NqQYfw+0;y5U-c6vexk=eA zRC6Ykpu;$L86b0{vot~&1sgg*1k71Kh@ykvbR zPhpUU6;D%{CYAKCQmH;9IPs2N&Kr8Jgb5i;pN5;*X|j9u5JMXEe%Ss^)_$u~W4MRd zVfZYK1cwE!2K+p;fU{5+e9(CCO_nJPvJd6aR%(ZVOA((i{g;f;bz(X19cCB%Xn>y3 zdg`I^Ts@0BQVf0X6$HP8Wuq%oofuMsIs|X-R@{2gzeve4nN-_$(SZDc(GTm(b9Nf3lM&NRJoUH z4BHl$nnKH~53`p6&M;jq*w+=YrcL`Lpjlvx{jwLz$?tOKed4898^(T~63an-({#0n z)@MXvw9Jzm!f+tZBfCi<`kJogKx2~HPA+}%h37BY!cd@o>q2xN*4Bcf2{9i7frN0= z759B~7%T<@Krn_HvzKFqD6iWYN(;Wc^hlTHfxm_DCv~l8se-!N(Re-vu|zzV^*%dn z-DPtKztjFeA$;cF1s`Q!6t|F{21XTMUjpkMg08A(Wx#kxm|=C>Z#IG&#AMNuhe!CM z+iK?+vgMXhXU)9ykR+c-L(+SP4*8IdiM(o@U!r+Rz*#$AJt0ZOyXRn}nX9!_ZhPGd z)w#cu46eCtTuwMEQ-o;F`T8lssjF*vt543>T9e%Df<%W2!3Z{9_UXvN%Q{0u_*!Bv zzV5L3egZfJ^3pQHC8zFj6=tLQ9h+!XzlAle1MVUJR85LGy?b&&${lv)c!u?eR_HV5 zVNl={K)lOSTEE>nWMNC4B-UE7S$o)*022^2SpS)GXR351W?e8S@6i^nRhZK21FxbQ zo=r|Xn3;a2gqkA9jC)ti1U4zFR*N)5@_}gZx{tQzmAd;D`V9VgPp)`CJ<24J3+oWF zOOh|D+JrBTtRrT-UNiTyXc&Q&(3Y6J*MN5lKyyxQW@cU87>WeUxSv5ihX%q+Me6Vr z{fYojb`v!UlW8@JxGN?Ny;K*ipxcvNF8qcqX21P}!@Jv8IRF=5s4jbexRU;sm-rio z_e39m$ld%;hB{CR3NVHMs?_7ryClg9%EdjJGu)cCVf%af}^xSZ$o zf3E)USwvKswhL}f-h0rNx$a-|8ICEr+~Tj>KAIQF_kl(O0r zIVZTf@}DIRHP$InO6BDni!j2SAp_m?6`<1U8Z5(s$q&gfR@Wg!ck)qZqQb6mq9um{tEdfcjs^@n%3_>4 zi^arbE7}gniM%9h@bYJQ`r4`a+ayE@f&%Smtm=C?;7B3oUtQ1Y?h}xt^{B^NNo#rU zj$+|#>AgqJ%{&w>Gp$R9!;PpRhdLobqNa3V6K)ItD^nx#7rWzB)Ow5SShdCghgiki z3>lP^543|GIKu5Y2<}K{K0BJM_Gy4SQ5RTlK`0c5taqdo7?E7&AUdoPDk=-T3DOfn z+^L2w&cHh;i{E=EYB`TS*cFDp;wb zia0w`7S@*Ejt+mcrE2?(Yt^S{C)NEO;{a03;FOEZM9nNI4Rhk5DJFtGAN3vy-N(w!5RUCP#D3L`r-jq{U9sIA zA$|IQzdrg~VSW+s`g=_mu0jsa-rz>0NBleQpu~a2#LzIu*hlXU56|csEV-TGiqWoS zXa=RML!XNZ*>UWQ>Mpz0k$**YAg{*c;zUKrDICHa8<%?)ondHB4zn{94@?5#_hU4Z zXGaFa5bDv6iICiQFZQd54x`F}|1+m3Kqdo^kwHMTNkBkI|L>dvn9S@=+}!GPVZHIk zJpvOTn&g~)M9?TNLM;d}kQb6YlGE*ziYcUf#S>F$b&|CPl0zX)4@X5Y@_6EJC!%g? zJngAna?2fa{#!grxiF~`+p-B0b-P@bsBhBS&(aC43QFsJ$&LRIutL0^aX)1TrG@UZU%F~?7G*7x>p!i-v(Qu~i5qOqhQro;W3Db~1a227|+9+`ji)df$P+z-0kzG`; z(r3))6jiMoGR&Nf5pU7vkP}y<&Mqs~p~5Q|n#MFNdXz=JJ=e7l)vD^<5~KEsn+i;G zQuV1T+yf9Q9{G?FAAQrfy)UkNRZe}wxM5X8rsC+hX`gY!as&wuu+p4R*|_L?B@Xp8 z_NpJb(mHB-#ZL2v#tcOLYNj0M_RAj~)7~omd#1c9d$kzswK~NP1LSpCh`4LxGxO!~ zWXd`J#G(pfw!CGbKV()(eKNSMuq98{TQ6}9OaLd4mpdnWse+axx7OMn3Me(uen@Z6 zM7O-0E1Se{udhGru8IEE?x8IomoSoUM~_KuXVUS{crUFTza|pN;nI1rX|y8$-rwH@ z=r9DrQK99cuA-`{8-Bh00IX=-tB*;{Gom90yW{ur^XKA0t$8?6Zhqeo67Z}N-dw?j z^8u_a%%P+BcA5Tv^Zed0EsR~qXBJhO5-<(QIk(tsFOxDC*-S2@LQUG-CuOv&jdw~C z@a2h~!x89lIgjNzqkO)tnW)Yse}|aAIV^gw>(oX2LFnMyQ}O zwsVv0$XtglpGK;OTyVLDKIga+S%MX%QjmnteUm=;U06bC+kTTUhEOH4NRDcPr&^PU zNsGgp?8))_qMA-W2I4{hn+wepEyk{yFT`cL@yHheUR7pzi{F+pyJ1%l#Du={EkAFHQR{9PN_~}eUEsfo9^U^4M*!38m7{i zSoB=Jd6|eSWVQjm=rSz7$$LDg70s$<;26?J%b(PY3MEE7?kFDPMI1Yq6<+(!xX$O>xl^)-raJjjR%T-g+_T z5a4F#!bJS?r;ft74|Ox6NQl&B5i$h>Q@WNh`?EIZt-ZDs{z=BGi!f^|iOAnFam97R zicV^nKW>Ff&T4HpITK{WPT`iWHHlCsT6-fHfQ%K?BfHT4qMO%^83R{O=>zD05GBX* zKjQ4N)hy^_cZibtXXO5v=+3kSMLtxQ?}!`BrC!5I&^&A}J3m6hUxf%&%*66MW<;T$ z4zh6xP=O^9!Dl-{b#YfWhe8@yn^Qcsc4W^AI&x*tQrfW#Q{l)@%xWGAr_uZ&juiza z8ZVi!0J$hovkoIK|B$a2rF z*LsWQ8!H`X1J3_Q$_U6#2vcPr+ggxM%9(kj*+(p$_60@pksE!8R&L-o9>^aV-Kh zgTh7Be|_M=hi*cL-fZn%RLycwHC5kh$Ix>Z-g6^ovb{hhRwj17?3E;X_T9v3`9>0W00{cmPirBX-p9fVL5l1M zc6uR*eWstmKht!`|G3coFxfjP{=0OT{X#BUB*zSD~w^}!7g*&^qx|Z~f z+r2);2Rj}h3K9fyF`xro&uMis;Ot?^BP6FXV@~462Y4^glU$=UYSk*W*D8HpuTyWI z>?`;f#0gIpfaPL}WFPeJI5@3}l62#~73nooUi=_ZEH?Ebvj6q&K}sBZ~uT(Sm~N)Xn#K?}ATq_$@(5 zr1oB0A@EaasuIK21AZj7#;!Ty`v!AMFpvtZE%}iQK(MgLSps z_4DGu%@yQ*V*UsKi*QY6pc4%bgw@p6xG|0G0Dlx5URW&l)*j9MA7KqUy>R>MdW|T zPxca`dbruCXj9rc`lDyi zL>N5}Lx0VWB`cDI*>dOd8+93P{gzh~bMp%^r69|LOI0t91) z8%GxYe#FC{$FaNd_wU{ZXqLc2;~UHdvkSjb{49T=8-WMaunOqjgoTL3K!_3%I)EHI z{}eH9XGK85Unbf|oh`l4fi%srXnetLf@SIWS>+?IL!Zuc6TMp2T#1H0jgEO1@c7yZPqp~ zwVb3Exa)OA=uP7_EEIDvI(jHACm-5Wu zeWr5MJ$Bi04=r%cE#JA7U6!vkZ~6L4IB1Mo-+C&2#7938ruDNGWS8eebYx@*D2-w2 zW|Y4alv6SFr~A6EG# zr^%K#mGls=>}ftPt(>WqU$ooRt&WD#h(o?9Tam9M0)a5J-Z=WZ(i=h)mcpDWFgE-@IdH`}B3S$|R`_jjI00_L z3YJ|7a(6Hf0Ikg*&c>H}i8a<*^1^4vKTOgld+Y*{4;&xunXo&fUk)n(nZ7>(A~0v{ zk}!HW8=|4a&j(!xARx)

$|chPVR@j{Ne$@@WnWOc#pdglpYbnqRa^G=aT%hc%Yu zeaQ7WQv&S z-Bq<`n10M5tTIoGCSRX*XE}4X-yKG@*&4QX9KS>QdOcc?HyX#d?b+Z|_!H3wjaPATz^QW< zXl!5w`X~SaObxeUZBT*fLl4?DUC)zRKmhCkn4pu!i8AUm!+V1NwN#1|2$6y|u52x5h~<_a*4PTB zwZbROhRfpidY0V55XOH=QZt*L?wXbvb}pSCneNmv;npvM38FTjLG&fWlf3`s2_+t2 zKQ4g+yu+0h>84C@U-5smdKRU|7b<_M;F!_GK`Ub+7qf)^`W+0N9%Pnn7!(Qucc<~J zU&v6het}2E14V3QjeK5XAc$d3d=;ndIDGong1O7+?_HxZ$c3abZz2~p>E#B72eu(E86|crO)*r{Ah21 z(zfHUdORg-wmUIpGP^qQ2|xwyh1fO{oeh9=_Tgn#<2tY1XK2C2X43w$dkicBO%4>y zpv4>!E~T=$lacQiapLm~#FrH}&A*Qy8e+Q3Y~`Y>ec20XUp*BhC$iYf^zQ6C=B!2l zSRVH=@jMSzu<#_aL&JB4o-qpeIcmAW!|iqytW(bxFr$rf-IRQAJq^RcmOHKcg5`E= zDudUZrS((%_%m52HgoWyhnyxRtYJo+ruuwbaG}#iv3P1 zp7+Gi#wUe)DwfkAFQ?y%y7IW4zO~N#aEW}r4(UNOqafk(i%i+`t3*dzPVVh_cj^v! z>F6lBz~(jX0RhPQw`0h_US+ho8gEp?n{l}>@2X%w^%dDMUH!xuX0->`UeQ5%jT!gJ z2Gs}K9eR_ylwrG*dtJ=8V-GmPyK($4?-IBmZd&h_=rHe?Xh`px;EpP72GHN*;BZ9G z$G3Dt-VxDWM+T4AyRO~|1bf%x62eSXl_P&nzW&k)0Y8zeCycd6VTe>8SR^t1r3WoA zuU#ZY4LYyJBTmB;-XByTiBk%QGhzyqA7uQi;R?pAFa*eWh3QFUz6pewBbY1S$@)u= zrr)E38>%hhN_Bg^d3xNT!H6qfRJ@dT<`Y<7HPvam z8ix$50GjMs%`c^WMhO*&LCTY_?XP?3_0oQNNEJ-e%~nQQeopax4L^08t4z%pa9g-83$>rZi^^|%#3g6NL7ql&Rc+~6FalP)DK7jz`tEUQX1x+mEgZN-oNrz%T| z0Ja@*+ARlqYYUkp5`whFxvvE25reCdLi$qRT4cFH%2!P9J2Hl=Oh-pS99}&yT>sp` z#oxc9jwqe9`Z$S0S+R9jvaV@{$|HNq1an)pq91JKVR9Q^E|z60j2Wmh!;V`W9Wi#n zu4mXNesh!#f9>ap9z!3|95OcX*43)Gfa7;A_PiUX4uUi6zYCWp9OG#37znNA{&YkCc9oK$M=^%M<v3Et~jFb@I2<1=rHpGJtC`s#4w7Y4Np)7 z-FsX3{y_(ro50Lf@+l9|`JpHFobqYfQqeE^=L4L7j=MzmGG(z4En~_4zcPl2A+7{7 zJDN4i>=jFYWjfc303!tutzQDgfXweX%;QtVp>Lf*BaSajVENt)cLzAg4hN3#rib%p z;O&xrXbh$Uhx@MkW^msnhb~`QMI@vn7!s*AL)254Dn+mo?^#ORJR;94-ikL0)VJD0 z6O3p^>b9b3y6^F7J__ov3dU|V`SRJGmHUNBu;DBiY3GiS-*AN7b;@f1HR;;Ng3Gjg zXtBM__;V_1wNY-hkxF93?zke3iXOU}L>q=yNu*77CFXz6VjEMwrCJVdp@ZzqAiL(E_PK2Ojap$H%gcM8Dvq220xmznGc4jW41^Al2d-gwOQ{Sffi;Tw#nfQ!8Ky6 zFnp@zRJs|43%>a^AMi-vw|-SlWCSf+Wrc2Sko%DI7J60saN6HTZ+j94R$lCkl}=SN zb7mSZzDM)A2m36a?cAdQQ96qYjX5zB$jt?14(!a|l#+Y= zOP(>cI6=;=5CM(ON5AFpy-AQTyhJ-tYH4kXQf$w|ps-&umyErE{bk!2ixkiI@Bu?e zk6L=4daP6>sh_4inhVcjhBn8vLv@?^c7~MeNp3Oc8s!_1aYTuu4%I2R7#UhEeC1~& zUgb+8uBy5n-UPduT4!hS-A&I-y_EFkn`P7d>6W-+E(UwpwHP1k5!9Fl%rl>p4rN-l zV^xZE9tstUT+&u$TWJ>iq4ae7yFfmc~TVJAM#{A_aUhJdSDmCKmN zAwt!d(uc4Pf=rRD>da&AFnULfIzvv&Dfh%5$2Lq=k`AVRgkk_JS{4X12%+PnTqJh0J4+ z%8IL1VV8h5)7u(kKpd{TQ$5aLtR-b-qAqK6mU$MCHh6;&EK)yX^9ucUT8c$W@r+Z8 z34id*lCzR4-c-b>(G?@u?4bOIH4b-zsfp2oaI9W?A=2^! zl)4$Mr3vnt8Sk1gBwthVUT<2w_U!qrE>0(+RTGht82j%r$y}>gCS&;e!c~{u#A_mg zp*%(4M)E^|Pu@$DEQI_kTNE}U(jCVl^@+rtfP9^Z0#!oTATU)QDxRGHDo^OA2u-R7 zbVGau?)cNn5riVzE!ay8`JgieAukx!uaDOWNnY7n+9ftVSB%5{u^+=Mcv6k2LNm$f zXGvp(stTh&9V*43(--`0R^+kau+n}$d91JkvT4lywF7ONt<|Pq>0SSruqfB#drzue zzraK{cq7vp_8FuO5z?QWBnoL8*+TRpnyPW?`H>wpk>VQ`8FotC^HzGe3oRS@LO5}2 zXAjy5k&SK5F|PllBOSliU@Q`BBo2=KVbMba&+*S_>T0NMvVzbHcNy2yo7}_Nc>eh#g0{O-4XX!=z*)2Et{SB?BSwEe%vwK$G`Qbz9<&(MQ&LuI2SU`y zKOy6Ssu9|EV=f&}crPak)v5)9nJ&i!ntPSs)M|rxXWCr6n4Db~Fm<6=BTV0mXQOor zFx3R3Z^avmDot)^;^!s>IFZAE&lY_w>55!`XQW7Mg4n>BRu$h9OcVYcNgLn)XKg4SU!o z|JjXVIN!WSavbN4-q71c@OH!~|E`(eUq_(Q+eg6K8_A_( zkjHA95%U#rsF9~u-Zt5MklxWW3&+B3S~XW~ArCOz2eOr9zYa|~1;wta+pc|=V1s0p zvWl`Fq>)iGT})y4#C&Z>WrI%3T3d5yr8p7Fw@Y)nTOfKG1Tiz-|2qLDCkfse+*L?B~o}XwTQ$3d{9>TL_Z8-XD(^G1# z%f=XR^t8ALob2v@$((%a0K!DJ!s|K4_=^g&q9UiAD=V-w1s^y0ckXpf$0xv zly=VvX*A9Yxj(>7DNuZ%=dC{2!Ag6`57!@a2Mdv%TzyOPE)@7f@)YDpca6>=GUb=_ zU_#b4^?Oxl0qr|)V9|jxrkH87j4*5BIYjKU)0~i0NPW)_ z`%CK{`b%Xn_?TH-A1pJpQj^|cq*`IRN-?M7deT<5(0067kpnigo0HQbi;?1` z!T;db;T>H5Q0c&u&7DVuf|QcAn&_sMduZOx$!QBEy$$nN>_A#eu;js~ocy9bu+UN# zGv#T*r@WYDXzj&8r=Onplx(MxpOJ2;Pg}%gYgc`IRzDD)oYrn0m#b3XywKF(>C zF;(&U_@me-BYPpb#rc!Vc#|qEX)GJf!fQ+w>udzamBC5oU@KeI;#X&2#&uOY!GgY9 zl_TU!s@1t@v)i@t6x&jKyPQWjFu`ieQC)UXtSh6X;XkLPe8_sHoYi8RqvJ4aZwt@+ z!NI$yF{8(qUgi^HmKAZ6Z$>LsQnORB>G=)W6r*^y@WH{EWc6aZ*6TBu4Nuxs8HyyT znrsDi=;K0Ls{AvAm5Byp#)5K1XK>x z|6tM}?DI|jM>OTPG#k1O__kZTQEntByvx!0@IvBi503r&gL@lY4DON4z^MqUDP&N3 zb|ukI-b-I0hkr<^zMP>5KOqD`Pxnp>q5O+-dpTs{_EO>G^_jud&zF0VyEq|`|K9(| zv0@QqibMr4F!+ljZZM29b%i&6Py_#G{Gb6IdJLr!9(o+57C+({08vRlw6qNwL9QKP zT+v*_llcMN4dOMDeIYWa1hz#k*sq6bENJnl6Z&~gB(4MXG$;C-SgMO#jV;rt>t{9s zR{U~LhGqb+K3DY13$A*6aTXQ?voC%Om9vl4Fa%ZtnYh7f)v~teUrgN4s6d+n>efdg z>2LJ=KU~W@!a)`Wz_b*rKn?74g}n7c#9tj1Q!p({8TtmY;4y@Hs$zudzF9kM{|x|Y z{(7YIRN74mM)H8!QaF|BlSH;Zlz@(fx-X6_J z7FJUMGZd6dDD)^L2pNie9&TP`#~4>b)fj%%)IOh=%NOJESD@RJfLmTPGK7pY`I+_3 zi`9d>-sN9}O2}&H9cO4o+eH!bp8yVgir#V9ee%%9P*j;Ma{R-IK1hjr)@)<#y z%0RqZQ&>kV;Myf-BOIxT(BO!~GX~-{x!lpDL~18N@QA>7lzfAFuEa310+nIm4XD^JKvg{)=65vsWo z3uX8gX@=prNe6NG;crUg;uOiW)^^Z6BksD_AK%3P=j_S`LNbLv*nj^rpg_Pt82?`! z(SJn;(ozkS&_yu9_iZ{1x_3nx14)Yg<@D(E;IdIhab#ktB$!zg?j5zmn;ZX5IM#fV zJ9RFI7cY*;F@LFyvA4+S$s%$n%+GA*z46{{X6*_Cz!#YE5IMNZiG{YJGR?&Ok8*mx zXjgsC#2+%_cp)k;@BQ?KT(-d`t^OnXZqqh^HZy^iKsh}0j>~rb23G%kO)D9Ct+P*` z?QN?-g<+Y7Z)fzNzs8&1jz|FU8#9LL=TnFcwvbe{$V5(DVOC+O zVTO3Ci|u%S)Xi&eRz|Nq9hAJCKJshyIqiRIcAifN^j5CV$zKOBS@HL}k zVx)c+o#qlkSUo?JA?y)AFNE=|3OQl72=Ls$At>j!R0BNNES5HGS_Sncns>q5$w;Xj zkJ6)5^w~|wEQWq8jbQw~(zep>E+$6@&^sB2#lqd!w{!Z)O*(L>{w1j7s1G9aslfU^ zkWENKb4*L~b5PMxdljO~Zt`(tgN`YUc09>~+LRWGsohDpjy;;j?dTx(O8|tV6ZUkXK@JT> zZ_SCAq}vS{qxoaOTpUZvh!MBUUnErQf06AQy+LEZM;2?M?z}vE>A&MAERIsqm_4|9 zv}Tylq5tG+utv0Q1$>&LhH_mI{Qn~L#1qW91Oo(wi4g>Z)FNb3D^n@EK~S*-k&u|;REyj=RNGtUeDW(+x(;OdA{Fy#J{dP z98|``U(hzp=W=Q!vjFard{VhHL3Y&=#^iY`Nt&zl@g>nwfdEb^$$Vl{*3t~zqrH$? zwsYe7{SFD?K}%^?g^NpK`MrOUQK5^>Pq`3x>`xm@PmKD|m0>`U=-v)ZL)Y#Xds zaDczm%qr3L!(gcu;?ifY?7=Z^pRoZO;?h4*DUs_j49^Iobap6!93Rv%ErH8M({_ib z^w!>X2lYhpH;_z)R+_iu=91{?Ml;}df}3V(k!VJM>`XSX>p#iU&O=ML392~xq>5T8 zb-YL75v9@7=_JrM=U3*_Fm?y88kL$MG~rzkqc5g5eNxDl9RYg)l)W_XwiF zQtzOa^%rVfgZUEvk<50aBT};WXS(;t8jmthmMTALnsTLba;{G00!11$mv8+8=z4bJq6`i1k=0YXmv|iF$ zs=rf5u{=8AtIKlzR(~5PMOYWbtif3FDSfsYYx!4YWj~XZ@^Q_=E>Cxk&8AG9fYS^^ zZSCaLHJPSnrAeMg+k3rqhyQT;K-4DVax$I~Vux`fBW9S78$`YyTe4i0-ZRU{DU@*y zz`43e+BmaqFnw~#=C?>34p$Cvpg=TT2qEB-myKdT`(usF^oN~Ve!2LFF@xw zfmNYzrIm~@pbKj!TN*^?JYmVVcB$SQkU4fYbaV`ck?1nkwxZgumF_q;bMhMrZcicn z#!1lRluX49M!H6f!a?BnFdumKunMLUuszC7GHo!Zdl-*cm5*pZqouiRU@4R(~ZV0xwMs+!D!D zFOqAQ@-E?W-=v0(V&{df>(se{*nBy*K~Pl#GA#C^NMS;8Sb9PaJR|rN$z*Voj{T^IS%3WQiSJ0w#`Knt;)g$_aHAoKz^Z_BW4!!()kl%QJ@t71x z-y{nkvg%#ZuR#lNJL>vt(Nlw1+u(F+4J9e+2EjK8NC%Tmnt3aX*h(6KXqe_`*UZ&% zHCFbVEkRiZryklrG40$bbTMP~zkehP7d=peuC|MN87Y>V>S`Zl5AImF6+*T6U}OrY zu$n9=m*;g@FOrojuGcZOFn+~i@`benv%!`59ax^ADb zuGf_a4VcvD9!vHqhi$5Ww?;lvgTZjheEQ^_K-gqOj?I&A22w+_tfo%Dmh=Q-#e{tw0l1g<+S$E;?Hh7(edMt zsmUvEp3|XTk!XE*v(0V>33~j(VL=MzVw6)PsdJzIr(j9d^q!ENK>w-MRJ+KeVd}hJM@6@_dofMi8l4 zPTI{Ph!hfD1_mdUth|kOJ$QP{Mrp5&!k7mg#MGwm>)SajJ7P?{ElW9yuE^T1i~)a+ z)oHR~wR#8~nY#$2C=aU|OeHSoy;$gVE7ocng625K(Y=l#TznDsqrS|t^tYEEc~V$f zUZcQvM<`<=SncCYvwc!PUVj<*s+`|F4D$g-dqhFtmyl6W#>@n$CX;Od~%)rFFU z{BCsjZ62d&G(H0K8O-Y+5s{qEKI-S=IEQ~iK>~qlKZ|h;*UjEM);wTD39h7~^y2}h ztU0Y@2etcIpbP%DN|- zAhj!UP(Ba;HxZNjFd=LWAH&BvHlA?B)6)?SW0F3O)M&*6Jm0SgW}C0(xrX~1zJJL; z*dahvA+++b{)L|hO#c#-xza_we75@Tn*&g!zLWl?Hr;17E1a)Wy!_SK5pZio=SrwN zFF!3m+#zlHXEZ_xtX>j7E9LzgGXjHC%Kgg1$~7enZRTZX7>rGJnY<((V;9n@pYlzy z8Pg;9>E@EGr+DVPwPr!-n|r)JlC+9o`wXx?unwv4wlOVZbf~K5ft21b*;pr5wuM(lo95(A4bRL&~AJ zZ(gU-?|Bw+E!kGo=K4WiaxYQ0;;px&4?%ir{X~W4?x{u^g6)*lf95#_!yrJ0Oaq`E zxU4%jPCpBuDc1Q73u_JT+j`p79b;8@Z^Ieeu=xlkKDLUZD15(eFC*{MQ>Q#szb6=~ z>V?O*qY#HXeuPmX*5f=L3#{6B(b`XEoAUF*&C^uj%N6wTRP!`>I-Y>?Cnbr+P+Xhs zaw*n*BejuNrYz%F_KfRpXnfhv_5<3suWtIId@oOV+_;5N2~6sLwINzo-Vja+yaS+{}o>;#lL0qLdlsU;Ii2H3xRV6RXoT_~B_ zQ)3X$zlSCjIqN3HIV^I}?n=r}#$qZe!Q8-a>NB=J0t zM?WzJR@|W#+y`-jHk*|sOWUaFu&C(pQf=LlS&x2ki{Xl-#r3(lfsWj3QFc6UmXlofPpfP|R<3@|+11l}Q~QL; z+0X4&sxmidl`e;q$~SQhaT3VlbhXi6UqA`6ygQ3WH|`eM6{R9X=rWuRlXdOmd=#}; z%}ClwZJhb6#0}9yfj>UBY{>g2xGk^;TQp`mhg&4xKGt`Q2v6cX10HMWwANAA{iuT* z8=$viWZbNo)6kL>DdhCp>8NP>`)e|8UduR61 zML^KwJ5GV0ZEFyMX+evgDV2bb6c9!oACHSyQ*#XdFinxL*fVVIADNS*6j=YUkCsro zV3?#!G?ru8-=As$qLaD#PEjAENFFIz>b+3Q?-sL04~4E>UHH93GYiqk;Aff-KiMo% zGsk32pJzoo57fOyw*6?zp2qg0tpwgEgFk}Uii_zE5MOD=X(7w%@=AV5in+%oHlp#Q z1~`M8R2N}4Atf>@IoUa=O^p9dwfiG4L_%0y@cCfr06otFXh(i}G_b?=4Ydn3WBqe% ze(L-uQ=0V@qx1DtZSu+J$TmG_zpW5)C#D-n{0UQr_jkT*5L;KVkG~n4r<%t-37V@1ZO#VStkVsF(Md=!(RPED*^ys&sm_Ux^C4P~^ z1khCZlc(AX0QQskx_-k_@fUnZXUJDEA=hu`%I5fGd2>(u!dv2<1F=swd-G9B-67uE zoBO_eN|V2@?!u!|E*v?qz%#`-j}KIhmw$wt@D(ai(U1j?joLgAbEFit1evi|Vm&dc z^U2IKRpO2zek-Cr&dQw?tDP0v0X4;K!wPm2)}4n$02tLNuKlH8fszKZ)R~=NPo)^!v)%>;TK`@28baZ2d6&`h~T$YqdopE|4a61@|Yo|MrH?tWUFC zC|{s8(h@kpTKr<3tW=8TbaA$(aJEDqD5msk=Ms7WRD?S?A+KChD`i)*nN0mDpKS4= zM@SxT0MRcNkJ%L!PeytJ9zkW8-<{9OmQkezuT&}c#do~SN&%D3w4pQ-h@Mx)A)a92 zFqv^mOV2`07HA1@blu8hMBVA~`?G#vUi#26&&2;~AdqVFm$3K|F}C2mb%K%F)lMtP zCfBP(`jVG66jwPAbr=e~Pk*gm@M-uV73#fV0ES&nHL*Jgjg2~_4!GqEV`60mGko=_tdba<+QR)ffC7QeWEy zS&Zyo>K4*kL%D;WT|>m1-kX{86iDqz7$!X_>76BRm&!Mz&NT;RZSEayrZM?^L6~pN z2jn3x(w_2qBt0mnHH+Z$7bz8WO0^x8w_aD&{i;f&`i6ybX8$1I&vy06jogh1YJyQz zr?<3x1l9@~$)vF8YEsJfv@7W5L6>_}TaND|NvSF8=n2B~c9_2ivt@qwTJdkpk?!K=~V;S)UO_VfY0<8o3M0M-(a1mJ2z zoPJ=u+Ts0?1zl8$>FmaC*#^OVdq2&gUkV5-rz%3XaWx`Gv$!ff${CF_+Ow5~v@98L zgVd{6#w&JzRE~1FKtT+tSGNdi!o}Osbr2Hhk}wFD5YSzf$HWii2!X1rwCM2K_9xrx zb-?T>xc{Veo*$EDuSID-;5>w zd*br{0DFodG}QNi>HTCj`x5nR!gbh+*gAoZmbyU?`l7B{7HbrA#a`C=t$k{#;9bA{ z`k?%V?c)q@k(ZxWXfMF`4#!{F`=x*ZidbGJE(8nrDICy+ROZD1`{V@!1_-UQBic9q zSh7^9oV&-dU5r;a;hGZ91M16?7XA6G$#^M)`<}qPm~};6cBPH1yaF7PwXO?V{H*Nh z7@6M7Nw1?0?g{Sj#)sVkP@b{Fzns&bHG4m~O{2>Z!kTb+WQ)>NCL>3Ig}rhqP!7hf zX-`$-`jHZ^)lw^&w8JHi0TeUqn&_(t$H~-!YLi+Zq6qQoEz4P>$J{OEP13HqrUVphfZ_p+TWLz)-`$MFKuWU>X&u z8#ATZ9%Pwha%FrR*y4GqU2y+GkPGzQs1-Idhu|1+gCc!M=X?sxE98k%M0suyTVF&? zZv0bkU%vcULDxLCf_*;FU40ru@3g%TPn69gTtB6f%+&xx6Qgx6g@4QmBi1LbY{|D! zjUWE-D`fPuJWtpcAZ=Ud8>AEvw1Pyg(FTumVw+2Fd z-iY$AbG9VPe60+bdoBU<8OCX?0<5QQ5zPWD)oE+18Fwo>L?Ug`@6xlH0h-~vSZQ0A z8AqA}!+c6ez`yE!%lva@X}ao^6k~ftIQ3<}=0P}e;Z@>*Abe!DH~DpJ96Wkc2{-c` zJcGc69H1H!HI-juGgnovVZDYiW1bg|85aW0V|s!U89F&~8h)yie`nlK5(O$#cIIGw zK5n{T39s`P4p9F&TC&;)xRTLB7?@=n^M&bhbC*^KDyAv}WoI`~0P*sg%K8V4oSw4mFm7+V`3j zz}zD_vxLDZ`Tnk#zQMyQTMLBF!u#ox=_?;)&uzXvYd0=R)c!#ZSZJ%RD1iOwCfCk9 zCJquq1a;sq+HKb`qWaJ$fM%u31J%EJV7w#A_EM6 z$Jb5sVo1ATAweW()rD24RRPjN}~VD_`<{Ai=?!*21RcZQzR z2dkO735OA1Zs?I2VY!%$4^ou08UZ%S6WlFkCm;vWHI+vyQuTC8C=M_E{jU#`59@b( z5B=*ye=i=^_vVGoo&xI2%^o32Z)X|jpn|rY9R@jaBS&Y+%lFeyc2UIvXR9M+-SI>{fDp@QuO-=-DYAsuq zl~pdgZZ)Es`@J@^#x`iR=9tl!`FY=J)Z%(b|KT-$*r5T_8*1U8Ax%@K@>Dty4S)we z4$3VsjlwTzM|?n5`NYD+zydOSg?o2(Iiw#8 zw&y5r;AudS1<;6)ugJ)!WJgE8fUR`GfsWG=7;s`U)IF0T0rHwL_t4m=9+Jb@+32^V z*p?p}!$}^$hiQ&X`6B7IF1JQm`~uZY4ix`rZ%-P{&;15pO1@QIe#Q2a6OtNx0k5UF zk;d*ZI#ul?`M3Da=mi*lX%62ReWCZG+zovJY{4Y0Jf$)=_bE$*&#dSDxn)_neL}BAx~N zXrK(5?P6WaxZLnBD`gEpGE?GGQBnWw^7*N>Z)S$e`wP$dY>M7rt+PY)a&rHKkq_ay ziLa+)VP}ivwP8;csV6qGM0IXMvB?H_+wA zTmPm&=M`pnjMFzPH!k=PMVrCJ9a#qk&C9ZIeRS&r;Y5>+LFbbBpZdloI~>k7{dVN@ zB2M6hpD-wAb*u((_q(0}CnsLnX9c>2bp`;*hmm5QV=^FdDfn3Rd2LSG8`fu{VW|Og z&~xEW^qTfNl4d^VG!_50zZ=}YATD@d!U9#?y{5058rMX>MOG<<1%hS;oSC^ZzfADV zpj({a6`iHHS*kfWI8uL7k94v%<$h0@`AHzT~F)C5A+TBIx|=54q4+Cj_g7xNC*yzsH92XE_jR5WpaX*&kHTw&6%bjp05N zuJVBh#RCiC2PuYiW*EG(&vUnmR&|Ktcy8!E-7^6SUjK+hlz4OK7h2EQ#LOZe2n(UW zpe2Ukq=@H>uG0x&qtt*i(k`*R=UK>$4Xqa#{|$}<7LYxHg~i#H{lQ|4Y1>#^6L%pr(AHv z)`$bdsnkcV+D0X)PZj&EgRl8wl1|84y{UIelkbd8a$flbiJ|81zY8^p-gD3j#OUVM zjL8^{haSy3r~UBaIxYmnouGu}$arl(AZ|4Ei<5MGd?TO~JD&6N(~xCUP%cGOH`N`l zVVxt}a{0w0vWRIlT@rQ>JIK#-tF_Mu$X5WFk~nF%V48QAUy!;FeEX2$_RpR?W9dO? zrKoFUrAOP&115Z$QV5W_H6+V*e&Ku&p4empra#E@Cq2)JR6EEOB1mIk!Gtv2kIIgD z%%v+`x?`dkv>$+soM6oJuzGviDawS`=0bu}OX3K-`*LnkNk$^&zBJKF%HoE*&n{6! zlg-~#MMC(;$;tZsV7i&hwKU=d)#QgGxkW3sf**-c+xIIyA6!s4k04>#`h56CZK>z$AB0>b|W{U7P%#Pff-W>6bl=l8+>fBMM^{&K{+AH{;e&*1$Z!9w>7WK#4B z8X(E`N3Vc1VxIr7zW-Y~56lMy-4b!P2nL1(T2fU8T?8CuC!Rk0Q1WkLMwVtm<<;ZNj(!jDACL*2ALZ6RLy)6H13|GM31|MVwlw+6L}>4Y)G9cxgp39&A>hP&po z#(A@@3$b$!=GpH0ei`8zPb=+2AiXbLxPA8x*uEL7Xqx3Aa;5T|n^L?H3&b80KDp^Q|ow<{tXRRiT~p8`=Xb8vmr+pCdW0d@R=pXtcSm z*8=tA2iTNf`+0!r=>GVMGyJc^V-$Y!h*4Cw=&WF(T)(@&}+Xn0RXP z(LZo3wP4icLJ+3$VvBT-K=NbI@eL?s#6f)Of$3K9!Eg^CU{d2ms^p`f z?2<|lYl2f*1VrG#ET~py-~WU8{})h7e3T)g{}{mVesm60{|zX+U(f+5>dyewW9;u- z`qzVf4HgI+IOJjfcpEq{DB7ac^u1+~W}9&0YHn%scfn=qQq+HFnRD|lMYOh=@mDUh z8R-}{IGp*Y>n_(_@8$;!PoCSnMM+##pF-DOxzFzx$NXJ)*O>Ycb>QELx8czeA|5hA z=-V{=wlINQrGot%uLl4}>}#mqpV325%i{fEiKk!g&&6l7t;~S8d;Fl5T5=yH zNKcI^NE2NB<`GFRdA6>Hmz!&LiqOoK9u7eo>KSiE&gv4Io_9O9 ziJp|VTf6^5jy0>bxyn~^0?h?F#uNzuJyDk+*vZIf=bsRwqbD}Ar^C)@s_lkEqDU7? zD*mZlG#TVOWIKQcnLinZi`+bed#eGSpV6?q(5sJwh z=5lgy^_wc{FHlY{u$Tvchww75S(Ucu-F`YtbdhVD{H zQBmoYc@V%nUIU8@v9Z-@FeSaPcq)qK3PqG#{M^=>PM=$>`@~CVbec)0%oX8^ZLL=k zZcZ||o-p6rw@E}5EMokRL{!3_fkB|ij-f?nIBnT5ljF4X(2KoAy3u9}#SzA0nM+gq zm^3Jv2~QGQwiT7iaI6gRi+;Rc9UUfqz->00EDLa)@V;rFU|SWnU9|}z;H%ndRQkpy zzP9UpEtfF=maaCsd7{I64RspMs4_ZFNT-lrT22)!36*OiiLFjuOI0sBam9Y;X+*zP zNhXHD+uT-EK*G@g1wHlM;Wi3mU;jH??S^-Q!@Z+^@k#}5FNFvxlSSS0aaH7W-wmUuK0lX^Jd#B_NqMCGvXD zo9+^aJ&(7F0KInLTotd^S`|;U6(+`&Kd_LdX8)ax?2>v3fxfo#1z1lpVMGdDz(mRv z4|*zB;gNKBemM0FAyoX7llYzhYXf+_Pt zj(X zR}OAm3u&lmR-r7vblaP51$vpeCXe7GGNKEK+9aU6%gmT@NMHY4!oB{6qCR32I3pww3N+)PNqM8MZKIo-jws?#V@Em_{ zcQ{fZv`IU1)Ni!z7!`$JT0v7}WX`^Vr_WqN`SP0BmV#mkVE^86cocgoO3I>c7c_)h zFDVNeN+C4+uy7(zOi|oH1U-T(VWHSq^f)(9vXMdVq5owgy1se3(kILD;tCM&F;9IM z-{^10*oljT5vkAoBAzS+2sc~w>TODNtjyNHWLfmgH0q1LBh2`LU-I(5t2XUiuW>GP zPc-UBF|}H2h5a>-%JAZvx|ec8^onSVbIU2qN1tVawDdqw9jJGBqyuq=LYOHq!?7`@_Ig$?}vM?Q&L6H8tzm^1WINk^x~ zP^dMkA;^kE8qJkCdz7$rmYIOose~%~V8A0>{C+CzFIQsRs3F)33+*vyN*CL#C(eb@ z6Wz{b=}aI$tX*p$b%CO2rYI0pY=o^hya1OvQ(y=YGrb0LTqTuV?E;uq<2H9s2qR(D zxWwb&4YLL_j&g2U=GLa1Ue*^h&T|-m7=d?m6WO3MQfEy3LgouGM{>oV4G?3qBe7nd z{T`aq5dO}?`p0)Q1dH|^>|p5sB<%O z)hpcgROSr%b`Z8M4GB)>5SI(LN|FO4EIGk#gdfmzGIyx4qQg#)FnbJq{+x+=RkBd? zl@_UESDbSUf~BN`zEx#opnGs6V7oUZ*f!k=*mV9EKOH}3>d&k8%rJqiFSh%!baE_=<~y{ws~EUA1|Ze>Hc3?u%=X#CCtN` zg2e-s>S6^tA}PZ}Re5L9DcJ*^Wl|Cs?Nc+ZS}vyOCa^+DPZ5c+(T zVc?Mn;V3!3x^+OG+SYI)hl+vFZHnQ!`Qp|!vQfOWXviH|4Fj0a zWE9;!!hIY=>A0c}J<=0TkqZQlZjGfC(^3l<=xZ1{GfBXnj7hg;%z+b3U@G**G=?(_ z=pA$Dy+l}rEGJttMM*n2PdFNOfmXg^TJ(0)M)(QrXwK#j&PaCY1HX5_LH<+Nyl5H) zOZXE#kN@+K0ww)BB2SuvMMXZKp_!r`o0M%n1o_|4dddHjSg#L<{j>UWjNOKw(kZ?ofWMAjK>_JH96g`D2^_i3UpOTS4Ms@nW~W8>TzHLqL(B&}uV1}aH0Za{ zN9k=wwBxj0fRT0!7Rq<_#ALR8H#aY6m5cxUJThoHNEBp zg{rJ(YD}Qf;Fy=rl8SSpVav+ehdr!xHhq26b2W1ts+XFf1#)0k4C4tH zb!7r*fJjnJb!LNMNsFxN3Kt4o_0zhW*zcq|y$1@;gB2$-M(e+$6_#aM40;Tw&SrX{ zvUq1Eq?8ObaBc5(H0fC5qO-_8bh7gT-&c7!2sYTKjmYAZs zQ9NsGt$xToVnUwEa-X(H>%dhK@`l2o5SknOCA3d=iu4>o6|G`zA!{i(>d;+4MZK0$ z1Hatmc&HOgiB)7@BPRS|w=+ggCRhvdVMg{CRfwS8NrLIM3 zz2?a(-Psymrwsu<**OvZ+CEAR&~oG(0AUQPCW#aG5xp!X5_>c)Jr;|4yr z`0Lt&7f2s5p@ew!X|By3$nq0t`%xjirTa@nY#~=nZPo(Szy`V62KtgN1W3ES49u2N zLWRNsc1u*K%5Gs?3^)wA7r+0M*b;P=5sZt^FJMiZEQ_SNcUSGs|act?V7|^Q)odHAqA>j=OS~SZaAva>6H^@HHOSFpfHxiUP@X%&w!)RkiOeiM7%%p!wCdjV%WpyN@$W;H zc<5LCJndJiHUlQR^-@}F8GW=p6M(F(s{CLb1KW!aS?DC)^u&66s;ucm86FpZ6yInF zb8cAe_&Vg(oUeW_LSV_{Yuun-+4lCfAi+h)SmRee{)n-8;ICP?k|jZ1PM>6YxZ#Rc zdfF!uiN_(qteNBrrYN`utF~M*PB?r{tRv%7>%Hci?Fa;QPLI{ZNaoUgGXO>_(+rbm z6@*DT*Yq0eBtZ}R$$gA~YUo@GF8@V0jH4eMArJc-z#`p(@XNa0*75ZIaOo@vU;mE9 zz4cN=&z}Y6L8s&tzF0!=5lu>W_9sxkIIKyc$db)mrUi0}&QHiFO$EM-?TJK)H?J_N zdcXj8G{N@IX)K={NI+3tG{CQPmQeWELQPL=&p0ZD1a~zGO2nF(tsxr$D~Jn|gRZQ7-})a}y%lDG7b4tiCvwZlN0_u2(x5I~|Q>_A6)?-vbTn zNz%?}MecwpXLsiB#aiS0WhsB<=Y5{OA1G5;7>k_oEf~BsOK9C_LK3l|rZ`60KwDrX z9%1AZ%t(bo2ZhLwd?Xf^c=Mo*e4pc2BD241Y-cnT2Nw*UJN8?SeYBTPs3D#GT8hk& zT5F}3cqL8-d!?H4)McmPnY(I7%?9_p9*4}p-+l+@dHqjUc=gV$g0!r4llbK-+nn8G zBpWs>)2;5()Jn35BYN3tyNVX#C)s?me=Km-XNdILJ%+0Q*V0ugPFohLR$1lNl?tn_ znxypt#!(M-5j0B;UWH3xIdeKV&{Rzql?`e>H@Jy|mtezLZSU@rSz>MNq*sZvR;!YV z%oLfqdich~^JJMuATNCbs-hP3nPka z2d7Z|P|Ym>X9?d6Kb=^Tfoa?^+HWMYtxZ_I9OQv2tRt+wu1(|kD7ArQDsxd`1osme z*emqxq3}S%?A^AJ_+J>Mdw0IzSue@^tl;D}%!3~r#oMyc!9L z*wVqeZDp~uN5!#2|>p34D$ED)02JcXpBdsOPcakgDRE|h3X5b>kn_BccB{*|Z ze|aCsYkKPO2mJl+DU-$@p)p$I{YfVuB0*N{v_uybTy$dUlM2gvIk^tMrclJ%+X+ zwj;hL0hU`R@W|=`#E3lpn{@s<{c(`8Tfzm=iCSvIA@Cu^+#8EZO#XMzo(gq3!!HRF z%pk@mB>G~BB6Tf$erHe=g&oo~18FeUD8tQuUAW2{V z&8iX$bis5#CFr8jBdQwW7)z_)takAMJqi2qT*9TKL?Gr_`52Pw1sNTi^`KX8A%+~s zJaQg1@3Gv?z2-V2c=rt6M$P`PS1W%{*4u)gE%n60yA4wNVTt7K+sNJy=n@wZW}uW4 zkVNx3A?Co%9U%+yruU4g{TVI3loG%3{-;{$fBC;Ano2F%A8z~lrv^ei$q*es$^SP* z5-2qT!2P{mp;c)jERrN#)j|lvgSjNQOjagyF|H{1IUoP*pIh3bT?An0yElq4{l&oN zi4gmCfBFg{NX&XqvZdg$4^XfCZljJ1Ng`B|F|pDJjUKdyw>ww%3^;9%Wq12WB! zsAoP8SC{Ml*_O~W1qEDE@K%P557w?qg$rz18yuY0QzSo>D zB8d7I#Ui1i3b#mPO0G>PEuKCEr5Ex5Oul_t%#0=yBRZG-Rqmbj3J2`=i4Wjup4VhRGJhr$qC+g}&0JEAJxw3MGA{qNj!xlc`97sL zW~7(fAU&Xa@`wd=_vI5ZTho`zXinMTusW8q)Z9()VdLoxxE^K5Qt%w^%^P1C0!S~v z{jXW@qMB3WN2~9y!Cv=!!l@`Oe;Ys^DJ6#CRWAa!uLfj*IdE7b{0!u0Y`Vdh4UOo1 ze4U8n*3~N-_lzM~P{x=~u>V9+J{L;Uvp-b;6v#=tLX=5u=XiiAjZ=5jpUROgj;W#r zVCe)JF-OspM3;a-UNvj6swS~&3|a=bv3P_cR#&t6K-{a2@JLBT2N6e1KBcOEUYm&D zp~o+r9$aT#tVu<-AeOHOY0ul6?$3|pfRFpfRv@k0kZ7+>@{z9KmEPVmJ0LnVu{v?^VJNF{CkvaT;RE7z;7BXAbq-dJq8K-4S z;YJkYygoJ36FC$e4}7`2$SV3RUL8;bB?)styyQ5Zy0a_v3~F<&Fe4~fX4E+kaGomu zvXW&>LxXiAM^$r?F6q*|DHp?5$}^6XvhxB5vmW1}SMhhw{G^Grfje%awq<(g28F{P zzfe8et8&0zY(~Z{ye~*T0T3J80aidPRhSZwclo3=_qfgk{_JJ5P&t)| z9v5q#=V=n=B@r!ICy`-TFebR)`}eVqCXCVojEkOYNJkQnmKpVmY+5yUK!-s`^GjWoEfqVrzz$GK1%e z-DcH@RAbsLOl7NdU*#%&UBi~jV;`}*cB%~i9G>fFOK41Rt^%iK3ywg@i5YY)^=gnJ zxbBHc9i}x}XDmC)Hd0$rS!)OUNWRY9eF#7XL94Gb&|%q=(DAZsSl!G3OB^s-^jmm4_te6(0uw4zR~ie zUUUTM)%ai#cI$eJ%~w&uwMsRolERPB{Mo0<=%LuAi%P()N>?h%;EyY+7M5(Mnr#3$ zFGH|eKhcxbQ`dNl4wmrBRgmmwJ!zQfWak|v7-;ZmAfQHi`9J@|l-o00Ao(neYlK&*oU{BN3>@1X|*q8RcSw6qAT6Upp@zwB7@0rr3 zDj{B_pUP05jFpQYnnLlnj9O;!{p|qw??=s4bQ=0rBuF7*kF>>^Dp9=!KI^OcihRM= zQQ%g}IA=+S2kjP5)!d zVvX>wod#>901h8qhOFMTDW>PvU1j+?3;Nx|g>y0@gI(bAEfF zjHDv(!qA5fweWjCiAWvUg!1!+y0D9bCbodg3$FN60+}bU!Quj{e{PsGzCcz2DPo$^ z;MFir0=F8L7}$t$e2_pTa)nvGGXSR^5i|T#gJgSfDY&u!INI8Q{$GxU@@|gC3d;51 zda4)YGNejCH=6@6mA2LBv@dDOf99~RA9W%4X%`jY-n6z1-BEz>*I^cw?5==kJg z_J=i3+R(6~YM|?&#TD_M#+jy~$hN-+W+InhW>1`!Ba-c&h)ZM~A8dv1sV1yf9n4CS zUF9jB@EADksShX*s4b_*I;gZ{E?a1$1alsFT#_?Wq~?gi){Ne-<5?2`xmn}up0i4n zh{6zNuECHw8kFAUE=-F5g9~&~^Zc}Ag5Wyk+G;SiT%c1l2{36NB6yyj#lZ$rpIn{2 zgd(Sq>Q2Hjh6`B~EZ|U6T*pt`7kCzFVUsD9s+<&B^Mk{3&OEYQFl{1DLPpJ6=?4z}w?GinK>U z-BDHn^z!dXM2F|qNqWD4G(_FCWbNrh?jQUm7+0B| zK@C9Mr~|cjRE`ISMT*Tipj?@vRAksq?NM|_iFD`cK~b@2h1dnGi^@>15lI-w$li-c z5F^M#uhQm%*#1)EI5gSBK#Pg){$pWM1sf?oe5p5gQ%>j}AB|G={IVTEF#~Tn`0r1` zmHMooWB7N4!>rs+*JL+~u+$Y1{1@k7UnB9Wz<*9Zvcc|x;vcy6@G}AVet5$F>atAw zWa0VY6c!ZFM!wx~x0cbdX~N@VMAtwY;1h_;pr^yIC^HS1`qVL(Co``w?0E}rW9%Om zUW8FX1~L7B1d?wzTPA^}Atn;9vNxRlj_WV;dV2go(}xmc!JK#!M=7Ofs9d!qU^ti7 zq7x$>llRk2XS3;NoJ8?ju|oA*};!&P&54q1!f)U~GImAm(FIdZaV zxU)9(_UDznJh1M!wUVz!ohMxB=b+*z8j#hRXL+M)a#en}j|teN7fCU;NhmfnyZZpL zFl`xdhE(MfH-M>U_Gdol589E?ur6H~i_+kNKp|4-5;f8NypQh>jo}kziUadifXIKN!I5~Bj zpWySKmiB8UFv{b(9@;KF=+!0Ee4#Ro<|ZeXDMimX{8CmpWR~G&&~sxr7V{%Gts&UiyJ|oB zJS7@Y&ddKpiK&1||4O=IS0XBM+-oCC=Fk}@FQS&+l3o|2?sA|;7emh{0vDsP#~n#B z;GhQ#c5$JMmd`TLxUZ;qMVF5n>x9HYgD26T$n)6k z$x^vugVgD&1$$+Q$8aV59b7VA5GRd}#{3f?2RVa5!_s z$SSC#Myf5Om(IB><3v|k_N&Dzk-XCvZa|^?A+qNv1fumkq=AyIqnqt3n|M-8mtqsW zD3$9e)R+*7ESAi>2UFK!SYqL#G^YMB-Tob2X+lmK>nM{v#%1Nyvb>BqA~|#+ePI?5 zr;KA~q|w(Is;!|=S7r!30p}c$QPp`PQ*Q>nLfcy5mu^^>rd_dRmd-7Bsa+!IyalVh5uf;&Fi~wUZ(l6m z-DHwknVOoKr6=GY?n*}Oc+|hTcC-dGZWp^b)z~mGB<9Z)ixbWxK^*#kmM3R>+yx`& z6XO64U^n~@hFZv+r*!Lcc|s@lb;8`0|I(b*jBKP+;Rqy~FbwyxjGV*PngPAcS%gA9 z28Vl}j53i{QOSD=91RocrW)$I!{?h5$)#f0Lm9$mAl<*e_){B0bC!opQSl3)wZI(2}Zau4vj_+YRzq) zluM#g&XVlJlLMt7J(d>v^?Qz4ES#&FmCUJ7H){3&p}Nw^|4nxM9I+KYM=a<6IbzM7 z3{7m3Y|)Yb`*usnjRjEo?*rHGYI#nP2d@^U+aGQVCWu84DH4idj!v`JBy=#&l&!JI zT51Cs5GoMN=m$(1vD^4PT&5p$+yXDhLCv5$GvPb!e8qqK;P?6X3hOVHOm4zNnxEJ6 z#zbo*7YL-<5AvG?LyS&J(wR4gl0=QmM|Dsc*_vb-+lxa6u<^i&od|9kCq%^y2{BMz zVTsFIebl|%J@-t12d9?PZg+WFGj=&j{cocnUP62s_?=hXr6>cY+`jyh9aM`l$`;V>InWff;f39@tRFTG|-t?rsP&$%95E%NGlL>rc zaiR$sK$+EC(ua&ZfY|HVf$}}naQ+aS{GF%}pP8rpNQY2ro#804}PpqTucq|f{f88*j19PhW{j%g^34=`k zv&x5WlgLKgA=}}Nb!nHP7LJ*bu?G8qehPqj)jG%|HS0Ig{5l{>WKWDJ`&H%bD=yM| zD5so0OsXZn=jcCEh$IQ#DkY~l#X_aD$aVTKQ8K1H$hT&hIDz#I|DUMhz)U2)^rz~& z@TX>v>wifcM1Dz77+<_bEq)K+|DV01VE9?AGHLghAmCf>N4)s;A@Fnw<8z zpPIb-e7pao^#AdtiV4W%3^v8GMGDgwGZpUR(7`wIu%U%e!7``y+wSt#?$(5Q!$A`) zV>L`{06s`t`L0%~nz>v)*Fi+&XT!I8OQ#CXJ8pk=Y4=v`mXe0K0GOUZG#Ou$r^D?z)kJ@%5vL=0B6YDOKj$QkU8dw=9e;b^|HH8+&C8vTLlOufxa zGmTK!^k;?SZDv>k>XF>AGVp08s(^E0=!ifq;D+b$Z#tt3O%s6r=qXISllau4Z6-c4 z=%_vv5{_|3#ogV{bPe}#p$f^A_z26%Ji_>7zvWU?v4&4TdN<{RyJN22!Iyp&+V=P_ zZ79=bC=;nLoQ~kIAV!cd9~+ZD95Z7I9GyXe;Q?T?l($CRRTwm`&g37@FcucKeqVYh zU<9t%`POXoV?cjv)9vCV`E=B}z#H+j=2-0gk?P10ugiI#J~SU8iN3Rxb_N%Iq!wjM z4#BoWZEA7;)=rd3ZiZ1-UOnGUiP16*oxX&f+BWD<)bDi&OK2^~NfENiQ{OT(M?xF< zP=qlibb|-4^gz8-!OU_jigyoIIMOyaz-W%-z=0f@l7;+&MR7zC0$t|LAG0LLlh?p{ z!XFiM0*V#m8a6%TY>&~y$)D@RK87JmvQmP8A-1sri@g>Po#Gw{)4OVMLJEp2u_%AB zN(Y%tNG7+qN^25q%J@XtqUf>@aaxa*y9$uCYz6}1HD3JK9hOa-c05ke0ntigAsoB$ z&~ROZBuNvcwvciTGnG?2i4#&YR1_^Cy>SrnLm#xC5?q}?Io5oAibu@<-16o^jt$94 zn?k<99o=>ACST(C;LQNE$j3kMgNTDiYCHcUSEUT&GHg=WzQrkP0 zm8RDzSP(H+2}ok@UaO(PsJ@-`6gbLy?tXSP>+$jaM(!n1b9pcp4`aZD_x#zvDwAV} z389{UWtSK0{^SqF>$K|f{;0$5LUbXT_bvh2a3bs*&ABbHPjugZSDmR?b?$Nc*U-D^ z_qobLA>Df8*SHaEXR5=xFF9zp=jw07PF~@}mt5(4_QHwkpjy@LKT6gfhPsV2;72&1 zy~#Fx*Df+{KqqE&^~)#!uor}9P9Io@?TMzxI%JtaYFfvUe6b}D!*&J>3a-qH=LSe)H^&qNBskm1IX#DJtphcl8nW` z)Ry4sIO{~-2hX~ZQTdS?_KN}(O|Ss-J@;lBpEIy7#TpWHp$X@UM(Jmt^0VZQbgkF~ zqBEg(>n63V8h_kNgAD!k%3&BniY?+vlITdY(z}2F5(pzm)lwM;F!Kkv_&|0B!E{M? zgJA+9`FwS%d|?IM0VUlb6*iNfIMroq$|r?q*eIPj{7F~TC|2*Fi;$ zR1mOZKd*rHB}a`0>+HX=$c>K7iG{n=g&j?SA}cd$7PvOB%`jWXaJanbCjL#S?=v?D z`3>|)u`xk}K5m5L%)`iVL^vqkdsm9l zOKOxYa|EmrH(ICPY9{Gw_toTI1)|YE=Mum?Y-qm##`wZ5o27WEo+MQ#CXI`#017f? z)OC@I>I$ae$=!q-qk^${)!?XmPX0CbmH`X0QxPwj>!XTim_lYaBWM~aI=*jory$BQ zZWrsV6jyh=aVa6Sd@S!2s_-@}BN2A~u+|}5Y#qudT2=@}e)fyHOWvd#vNGYEsf1pt2Ty~*hRjLVP0M9qz&JC&m|uG^roRGmxkYE@cQ0v4V!dqpm}<@ zg-1ot_8AF8<9Lr6!drvE|JT-4fJM1AVOT){32By;Sfmk`kQTUr(jna3PRIkzN75w#pa!^;HBKjUt(o{nb z-wop8MI{9<^5m3Tvkea?Lrt4Y*k|NevjWSrS$CALr&sXhm=2P}t9g{idz8ER20Q5R zb&0nrRwwtMl5GnU__b^n`DZ9N@wkzH5{K*uweb))WdpHesf?}**v+nTR}{&ngGhc8 zdv0WjULymlH`}lxcnnAZ5)k3f3qMnJtc>+LqtE1$5(PYfYNFHSqQ*A!S2p5!s!NgT zVrXD_{J@zAvb^@QojnN~c8{WPXDf4N??3M#4&z03Zq`;mu)oXc2#EG6svZ2fLW2+B5bDIUi|nr&Pz z)~H~d3##E%&sDL6%a>Hto8na%N7<5+->c7;l3QJP(C_v72nK55c-TU2Rjw@y#q1}d zM&4g{!{{qC2bc7!wQ#6EU!gWwH+#*s(#O`qt3sR>%)4H$J8_H@ zsjAgPF#D;}g(Q@j%^Qo@bzv@Qx(fC2oH(I{`_k zO0m$cOdLKjD4f&HsBl{; zux*^DVs2KWi85F>_%a{f z*rI>Yk~ZBM-zqb8oNX`dskI!O+;JvP;3nhe&<#lj4FlgZhN zIx*(R_7O&;{U!VSWv*9HeRV~CVU2tQhDDqWrOi{TYK*WVK1F=UQVs5DwjkG|=MUJQ zRVDPkn`TJRdnuza{6#I4;HhxC+SG2L@nMvV5)}z-C1wH2SQKtcs~{S1Gbx-GsX~4L zVR~ni`M#IRQ9N^!;dI`m}>MO$OjBT!)8KlkZfVA2R2pl9u z|E2KV(Bw!uF-mYSNmGAhJ1|sQ3op^W@#Zsa*xgjtg~BD^6ftK}L^hh71bS~re&%W& zvk|YC*{kFTP`bzeX%JW7)D@Wq-EW$2%k7m;!r+^hY1|HnQ`ldZ8^z!ZgSVT9k)ql0 zY=P7aGn<9BoH6v8iV%_{A9ccZ#}Xg!v_eCY^VQmGiW-U(X@&wNs5q-M$DY})`wut5 z{H|eev8bo%Y}!TZQs<}|3BOiP%)h3mJK*N^Ate!t`Cc9_np8gng(BaL$9*=nqCsMp(P#)(Z1Y+uhfGMnM#v zM{nTBLkRhX!VST0znxn?8Wre#oh^8lrwR3t%0P0esBqSKzKs(J-;AlHZ^-VBl1JW= z;)-X-qJe}hzQ*rtE4U-oOs~b3`IOQzR$tMra$>w(x6`&ZNFyAoRrk6e+#&s{KCE}$ zMw){x0_+%}=5hMD5-UhgqYG=RUb7gwr03W~FTf%@%c4c$i13<;N=81BvTNOf&$88k z_h=w&-)66NmebetyXt7yz0D4dAip!@Vlcq#UhMxqSceQx=#vd=}z*E5f-H zT0Upv0(zk%s4zeMfiFPz2FDRsU7anyQ_q4Nh zcGa1tGJBGK7t_SBg4`%86s0i7o^A?oeN@nBW@VaeC}Qg2CF8(iNR8V)U<|WXc3|K6 z@O)bLb>(rH;}=Hw>0hrUx5|x~h!jb#>FI@KSv5-R$-IPe@+*oEhC@PK;Y2i@P&SK) z;A67l$)#Ml2-^#*J!mYxYHN;(97m)~n`kHJ$bANiP?eG5NaMie4oS{VP8yLiGPrii zZvJ6;eG#;v`Ht~c`{a^?)FF&rnmNwK(Ch1RasPT-jAv)gSf1lXT)CQ5TGXwzF?!Pw z$k9vs5V)7vFqK+Ih~a2^i0hGSweiFxEEV@!pfXA(9V)^>v;UaRPRv4l7L(Ly#r+O- z>9E&+e0su1$N|nZ-&T)I?G-VGETzXho0HwN0j}y$hwYG_0G)vAQ zw0N|&vvQa%t5+~1d;c#N?avq*uL?H08^n|A%DpMf`rZ*#WY8t&>NSw!PxzZDu^_)V zfR`b|lA`fK{<|_xT5TuAtsecvWj^7YtS;=j*Pmf{R_Djtb3}W^kjB==1W=88o-J$} z-%XQ_62T@KBXE3YWY-MqnyGm$m1=6(=&3gwGM@R;W0L4uAkGReF@JpmDqcj-pv5}e znO|M0y7}nY~tdBcPG$iNfeKviaVVplR;x*UwC3S|yr`Y4! ziN7YCNI>5#{S{Ug1&krd<20_eK&*UDp)?JwVpLTR=sHB)$0h&PnLarpcn#yzvx;uX zrRXbRcoIn5l28Fy{oGS;+fvKZS)Zowcx~MoG&F}=fqubGC)fn&J!?jk%=M7%dmQdF zZF9SkOP$e3k&nLZxQZ*&B0JV=N#Kg&&)vimMdi2cWYu)X({?39F!gvgRE2L^g5{f- z+j7BHJW#L46#`QVUksQ8n2-^2h@7)&i5^S7#f*gMBo9$oKE}?n|3uqrWm=0-^n0%K zFAi)%Wn{kOxAF_(v#1Yb;GdbTPi@b3>ue&PYIwI|9F#Ba5N6L)C2hHWwI*~FTyUI5 zck4Tuw-rPC1nqHeTWAa@8lp|OLa@A`6p5Qm>pE|DsI^=hYpC;8!mY^?F)L$0-{pf4AfCy>UyIBFtM`E3BC()C$1Wk3DR!jTz zM)qi3=;4;D-95|YID)>a5lC;A&)3_CQTry9#x;$_GC}?=Z3((h&EC$0l{FyCd}~Vc z$QPewy`o!8Cfx|^@^+-lz0!2oNhB72I*IphX28VkzlAS4fUwI{+HrS(6C z;fyO6!Va#THs#GmwE2o#acQ(FKB+Gl(L-p(baFkB!9_MZjYwzQ z%{FaQ_-sLpBZuo{adAa6!TaD*dBU}c=s}xVR~vIPZl#i`r_#?ub8o4(9*QU!6Ddd& zub1MpJBZC3U_H80y$ITW1=f1R_}-Y<)D}wHMFtazxV}3%6>7A|&?w(`REn3Lh1osA z#%SE)z&F9g{WmTbG{e> zP1=Ipr3tsNM(MO`iG9)^b*h>}A1kFr2Z#*}wZg5N!oPje*f)uMRW^E+KD@;FcAgA9 zOkJ9LXx8;KpxjS8txX;Deg4+6;zIu5W25%kyDwH6{Z^WzEpql#6$fu+yb~P!ay%)I zyU!x3u3Znl#>sI2B|brMa4Mx`h`t{NyTH}w1&37jtyafSDe#qPoVi`h92(V%Zv>_c ziTLxFGmyGrd*Qay(*ioD%mlo1~buh55B4xd*6NDhd6`29F8tGjG(reBt3cPN&7a& z_Y+>qi9K1+R{N44GPAY6`{?RvkOf_b;A{}v7<(Bv=uHGGuw}NB z#BeN^_Chs&_AM_qN{%h&{OGJy%_WVun%+0?_zb&(A6ZckjK)6FDQbKd%tzKx^|hBY zXvICP`@^z+)jKB3^-dv5-Vz3@;jg@}pIg>7+XvXj2m~}vFW#>NzxXt8xAAkxLtMkY z9<|k&Za3`P@8!Xeic&i3gmj5zi$K^~6$0!i;I!n^HAmky{S<8UclZhlJ*~StMR34a z5S|_uX>>#0CGRWkj-V*hsQ%;`2 zkMlcsE&5lLdyhRm)XgUGDBP*5l%6%cHYtuZZZXmIb87^he8$A%n>e-&Tg4(Hk|J1q z%&@GgP>FI@*me-=P42{@HXDSQLO7tVfkE9%2Hq4-Bp=q-iObc~yt_Vj`J)Fej8~ zM}>OY-G?7l94uAsB6542`U0kORF@JpHmdH;ZNw=1`PkTUHTFCZefnMkgTR<7><%V3 zXYawp=D{r!wx?AGncgp?-ov65or;28J0rg5S!s^%p$Ag3aZJg#2r+Bq-0Lu1L+0Oq zH0-I#7h~<-0+$v=(RVE{eq^SrQ2AR_^a$JfmGTH&e8I68xSyS;U(6yBCb9JOrMu@{ z7aY?OlQ}lS;>gmy`*Uo;YBhcIE1Gq&7WsRe?!lJbpKG`x8S~72mBe7-`9^O&Nu)J- zp-j1C$Gbbn1S{sn<|X(_b$5?O3Ts+ZDut)}ZB~XJpDCZlUw2YEY;Q~b+G5}uXRS+QofUJwn+3c zP8;=}C2yAOEukuf9q`sl%wRNYn#8PzyU6eV@KP#h4REo5G_uAW;F4G~oGU=SnX={k zANgiJC~$?ylR9*!-~WXAJ|&(>3ItS%f!`l_Zs$Q&Gfq<*D+Fqp6v%bMCPe<9TsKmD z$Yrp^3KjMhAQcWBL~;cOfsRXxP)E|E<3w|T5s^q1!1oW)0FwIWr!yqu&rbr&>=&wX z#6sTZ)B!;+Fc9?OMz}9CA%^xyc$s*(Ol?e@oPL`Bm*;GS&hds06AkUh^8nX5{QJuG zW4wYe9wh~oZvt+1_837CSm%Nl9yd7twDS52!vkS}DLn;L0+IOF1{zwnpFQ?ZC2WMJ zC*(hhBlSv~96(3k0zqlsONu!7|0-VdrTC8`6I!p&A^{qj_DwW2`b&z>34bbL;az%U zgz-KjsDS=gBjRZS8Nk~3XRup>F&8p7Q_S)s7ufb7sLGV6^)4_?j7=7uzKlcj!RaP zB>}6{e~d`SAtT63>%7BfheQ`*q5qV+qdOu6vFM&R)Ar*bw2x>nxVltv?UJkO`ae~O z{~dzX&MATvCX(M%tnmC?R&Fc!l(8=VaMAu*)7-$C=KeKjUac^KI$RJ@xKPCH zy&pNJe**$#H$VVJh_12$0?SoK5Slk)o`o8bze)oL`$xXtYKIAa|+3h_E#rkO&+QG9v2N@GcD8k91afV9~Sy^+|+(bsl)n_PZ5)4!^N} z^FsFPd48VQIvJ=x^k*w3qJK1B z3*G$9Xh%a6y#(!yIk#WC!EgcoCk61AMz$X+`5aCOr9y~pUcI35gJx9#P+B^G-Q%){ zoiqgcHY)u0B#Lz$l{ma_e##;JKIbb;J@Q2Kmx)gxJNkvXF%xf-~zLf*5Kk|8S6mI z?=T=r&YK!{7(w#`fPfdkDO-XO+$bCn<~xKiN)izGpcp~ZBM6}y^*>3m+I#>2 diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 05679dc3c..ac72c34e8 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,7 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-7.1.1-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip +networkTimeout=10000 +validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew index 4f906e0c8..0adc8e1a5 100755 --- a/gradlew +++ b/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,67 +17,99 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` - -# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar @@ -87,9 +119,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME @@ -98,88 +130,120 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" - which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." + fi fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. # For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat index ac1b06f93..6689b85be 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto execute +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/tools/docker-compose.yaml b/tools/docker-compose.yaml index 63606a60e..b7e8183c1 100644 --- a/tools/docker-compose.yaml +++ b/tools/docker-compose.yaml @@ -3,7 +3,7 @@ version: '3' services: consul: container_name: consul - image: consul:1.5.3 + image: hashicorp/consul:1.11.11 ports: - "18500:8500" - "18300:8300" diff --git a/tools/envoy-control/Dockerfile b/tools/envoy-control/Dockerfile index 790daa9f0..71152037f 100644 --- a/tools/envoy-control/Dockerfile +++ b/tools/envoy-control/Dockerfile @@ -1,4 +1,4 @@ -FROM gradle:6.6.1-jdk11 AS builder +FROM gradle:8.3-jdk17 AS builder COPY --chown=gradle:gradle settings.gradle build.gradle gradle.properties /home/gradle/src/ COPY --chown=gradle:gradle envoy-control-core/ /home/gradle/src/envoy-control-core/ COPY --chown=gradle:gradle envoy-control-runner/ /home/gradle/src/envoy-control-runner/ @@ -8,7 +8,7 @@ COPY --chown=gradle:gradle envoy-control-source-consul/ /home/gradle/src/envoy-c WORKDIR /home/gradle/src RUN gradle :envoy-control-runner:assemble --parallel --no-daemon -FROM adoptopenjdk/openjdk11:alpine-jre +FROM eclipse-temurin:17-jre RUN mkdir /tmp/envoy-control-dist /tmp/envoy-control /bin/envoy-control /etc/envoy-control /var/tmp/config COPY --from=builder /home/gradle/src/envoy-control-runner/build/distributions/ /tmp/envoy-control-dist diff --git a/tools/service/Dockerfile b/tools/service/Dockerfile index 2930ea82e..f75d4f753 100644 --- a/tools/service/Dockerfile +++ b/tools/service/Dockerfile @@ -1,4 +1,5 @@ FROM mendhak/http-https-echo +USER root RUN apk add --update \ curl \ && rm -rf /var/cache/apk/* From 2b63f78bf61937c9431a114e9b06a29eb96e5027 Mon Sep 17 00:00:00 2001 From: Nastassia Dailidava <133115055+nastassia-dailidava@users.noreply.github.com> Date: Wed, 4 Oct 2023 10:34:26 +0200 Subject: [PATCH 2/6] Implemented possibility of traffic splitting configuration (#397) * Implemented possibility for configuring traffic splitting, and fallback using aggregate cluster #292 --------- Co-authored-by: nastassia.dailidava Co-authored-by: Kamil Smigielski --- CHANGELOG.md | 8 +- .../snapshot/EnvoySnapshotFactory.kt | 108 ++++++++--- .../snapshot/SnapshotProperties.kt | 13 ++ .../resource/clusters/EnvoyClustersFactory.kt | 138 ++++++++++++-- .../endpoints/EnvoyEndpointsFactory.kt | 24 +++ .../routes/EnvoyEgressRoutesFactory.kt | 43 ++++- .../routes/EnvoyIngressRoutesFactory.kt | 2 +- .../envoycontrol/EnvoySnapshotFactoryTest.kt | 173 ++++++++++++++---- .../clusters/EnvoyClustersFactoryTest.kt | 138 ++++++++++++++ .../endpoints/EnvoyEndpointsFactoryTest.kt | 153 +++++++++++++++- .../routes/EnvoyEgressRoutesFactoryTest.kt | 14 +- .../envoycontrol/utils/ClusterOperations.kt | 38 ++++ .../envoycontrol/utils/EndpointsOperations.kt | 33 ++++ .../envoycontrol/utils/GroupsOperations.kt | 78 ++++++++ .../envoycontrol/utils/TestData.kt | 26 +++ .../EnvoyControlSynchronizationTest.kt | 16 -- .../config/consul/ConsulOperations.kt | 15 ++ .../envoycontrol/config/envoy/EnvoyAdmin.kt | 6 +- .../trafficsplitting/TrafficSplitting.kt | 67 +++++++ .../WeightedClustersRoutingTest.kt | 114 ++++++++++++ 20 files changed, 1092 insertions(+), 115 deletions(-) create mode 100644 envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactoryTest.kt create mode 100644 envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/ClusterOperations.kt create mode 100644 envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/EndpointsOperations.kt create mode 100644 envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/GroupsOperations.kt create mode 100644 envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/TestData.kt create mode 100644 envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/TrafficSplitting.kt create mode 100644 envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/WeightedClustersRoutingTest.kt diff --git a/CHANGELOG.md b/CHANGELOG.md index e48184e43..70baf6fd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,13 @@ Lists all changes with user impact. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). -## [0.20.00] + +## [0.20.1] + +### Changed +- Implemented configuring traffic splitting and fallback using aggregate cluster functionality + +## [0.20.0] ### Changed - Spring Boot upgraded to 3.1.2 diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/EnvoySnapshotFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/EnvoySnapshotFactory.kt index 86875d9ff..ae160ef02 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/EnvoySnapshotFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/EnvoySnapshotFactory.kt @@ -15,6 +15,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.groups.Group import pl.allegro.tech.servicemesh.envoycontrol.groups.IncomingRateLimitEndpoint import pl.allegro.tech.servicemesh.envoycontrol.groups.ServicesGroup import pl.allegro.tech.servicemesh.envoycontrol.groups.orDefault +import pl.allegro.tech.servicemesh.envoycontrol.logger import pl.allegro.tech.servicemesh.envoycontrol.services.MultiClusterState import pl.allegro.tech.servicemesh.envoycontrol.services.ServiceInstance import pl.allegro.tech.servicemesh.envoycontrol.services.ServiceInstances @@ -38,6 +39,7 @@ class EnvoySnapshotFactory( companion object { const val DEFAULT_HTTP_PORT = 80 + private val logger by logger() } fun newSnapshot( @@ -111,6 +113,7 @@ class EnvoySnapshotFactory( val removedClusters = previous - current.keys current + removedClusters } + false -> current } } @@ -156,24 +159,26 @@ class EnvoySnapshotFactory( return newSnapshotForGroup } - private fun getDomainRouteSpecifications(group: Group): Map> { + private fun getDomainRouteSpecifications( + group: Group + ): Map> { return group.proxySettings.outgoing.getDomainDependencies().groupBy( { DomainRoutesGrouper(it.getPort(), it.useSsl()) }, { - RouteSpecification( + StandardRouteSpecification( clusterName = it.getClusterName(), routeDomains = listOf(it.getRouteDomain()), - settings = it.settings + settings = it.settings, ) } ) } private fun getDomainPatternRouteSpecifications(group: Group): RouteSpecification { - return RouteSpecification( + return StandardRouteSpecification( clusterName = properties.dynamicForwardProxy.clusterName, routeDomains = group.proxySettings.outgoing.getDomainPatternDependencies().map { it.domainPattern }, - settings = group.proxySettings.outgoing.defaultServiceSettings + settings = group.proxySettings.outgoing.defaultServiceSettings, ) } @@ -182,23 +187,28 @@ class EnvoySnapshotFactory( globalSnapshot: GlobalSnapshot ): Collection { val definedServicesRoutes = group.proxySettings.outgoing.getServiceDependencies().map { - RouteSpecification( + buildRouteSpecification( clusterName = it.service, routeDomains = listOf(it.service) + getServiceWithCustomDomain(it.service), - settings = it.settings + settings = it.settings, + group.serviceName, + globalSnapshot ) } return when (group) { is ServicesGroup -> { definedServicesRoutes } + is AllServicesGroup -> { val servicesNames = group.proxySettings.outgoing.getServiceDependencies().map { it.service }.toSet() val allServicesRoutes = globalSnapshot.allServicesNames.subtract(servicesNames).map { - RouteSpecification( + buildRouteSpecification( clusterName = it, routeDomains = listOf(it) + getServiceWithCustomDomain(it), - settings = group.proxySettings.outgoing.defaultServiceSettings + settings = group.proxySettings.outgoing.defaultServiceSettings, + group.serviceName, + globalSnapshot ) } allServicesRoutes + definedServicesRoutes @@ -206,6 +216,38 @@ class EnvoySnapshotFactory( } } + private fun buildRouteSpecification( + clusterName: String, + routeDomains: List, + settings: DependencySettings, + serviceName: String, + globalSnapshot: GlobalSnapshot, + ): RouteSpecification { + val trafficSplitting = properties.loadBalancing.trafficSplitting + val weights = trafficSplitting.serviceByWeightsProperties[serviceName] + val enabledForDependency = globalSnapshot.endpoints[clusterName]?.endpointsList + ?.any { e -> trafficSplitting.zoneName == e.locality.zone } + ?: false + return if (weights != null && enabledForDependency) { + logger.debug( + "Building traffic splitting route spec, weights: $weights, " + + "serviceName: $serviceName, clusterName: $clusterName, " + ) + WeightRouteSpecification( + clusterName, + routeDomains, + settings, + weights + ) + } else { + StandardRouteSpecification( + clusterName, + routeDomains, + settings + ) + } + } + private fun getServiceWithCustomDomain(it: String): List { return if (properties.egress.domains.isNotEmpty()) { properties.egress.domains.map { domain -> "$it$domain" } @@ -217,7 +259,7 @@ class EnvoySnapshotFactory( private fun getServicesEndpointsForGroup( rateLimitEndpoints: List, globalSnapshot: GlobalSnapshot, - egressRouteSpecifications: Collection + egressRouteSpecifications: List ): List { val egressLoadAssignments = egressRouteSpecifications.mapNotNull { routeSpec -> globalSnapshot.endpoints[routeSpec.clusterName]?.let { endpoints -> @@ -226,27 +268,30 @@ class EnvoySnapshotFactory( // endpointsFactory.filterEndpoints() can use this cache to prevent computing the same // ClusterLoadAssignments many times - it may reduce MEM, CPU and latency if some serviceTags are // commonly used - endpointsFactory.filterEndpoints(endpoints, routeSpec.settings.routingPolicy) + routeSpec.clusterName to endpointsFactory.filterEndpoints(endpoints, routeSpec.settings.routingPolicy) } - } + }.toMap() val rateLimitClusters = if (rateLimitEndpoints.isNotEmpty()) listOf(properties.rateLimit.serviceName) else emptyList() val rateLimitLoadAssignments = rateLimitClusters.mapNotNull { name -> globalSnapshot.endpoints[name] } - - return egressLoadAssignments + rateLimitLoadAssignments + val secondaryLoadAssignments = endpointsFactory.getSecondaryClusterEndpoints( + egressLoadAssignments, + egressRouteSpecifications + ) + return egressLoadAssignments.values.toList() + rateLimitLoadAssignments + secondaryLoadAssignments } private fun newSnapshotForGroup( group: Group, globalSnapshot: GlobalSnapshot ): Snapshot { - // TODO(dj): This is where serious refactoring needs to be done val egressDomainRouteSpecifications = getDomainRouteSpecifications(group) val egressServiceRouteSpecification = getServiceRouteSpecifications(group, globalSnapshot) val egressRouteSpecification = egressServiceRouteSpecification + - egressDomainRouteSpecifications.values.flatten().toSet() + getDomainPatternRouteSpecifications(group) + egressDomainRouteSpecifications.values.flatten().toSet() + + getDomainPatternRouteSpecifications(group) val clusters: List = clustersFactory.getClustersForGroup(group, globalSnapshot) @@ -272,7 +317,6 @@ class EnvoySnapshotFactory( ) ) } - val listeners = if (properties.dynamicListeners.enabled) { listenersFactory.createListeners(group, globalSnapshot) } else { @@ -281,11 +325,12 @@ class EnvoySnapshotFactory( // TODO(dj): endpoints depends on prerequisite of routes -> but only to extract clusterName, // which is present only in services (not domains) so it could be implemented differently. - val endpoints = getServicesEndpointsForGroup(group.proxySettings.incoming.rateLimitEndpoints, globalSnapshot, - egressRouteSpecification) + val endpoints = getServicesEndpointsForGroup( + group.proxySettings.incoming.rateLimitEndpoints, globalSnapshot, + egressRouteSpecification + ) val version = snapshotsVersions.version(group, clusters, endpoints, listeners, routes) - return createSnapshot( clusters = clusters, clustersVersion = version.clusters, @@ -372,8 +417,21 @@ data class ClusterConfiguration( val http2Enabled: Boolean ) -class RouteSpecification( - val clusterName: String, - val routeDomains: List, - val settings: DependencySettings -) +sealed class RouteSpecification { + abstract val clusterName: String + abstract val routeDomains: List + abstract val settings: DependencySettings +} + +data class StandardRouteSpecification( + override val clusterName: String, + override val routeDomains: List, + override val settings: DependencySettings, +) : RouteSpecification() + +data class WeightRouteSpecification( + override val clusterName: String, + override val routeDomains: List, + override val settings: DependencySettings, + val clusterWeights: ZoneWeights, +) : RouteSpecification() diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt index fc4f93155..f30895f24 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt @@ -143,6 +143,7 @@ class LoadBalancingProperties { var regularMetadataKey = "lb_regular" var localityMetadataKey = "locality" var weights = LoadBalancingWeightsProperties() + var trafficSplitting = TrafficSplittingProperties() var policy = Cluster.LbPolicy.LEAST_REQUEST var useKeysSubsetFallbackPolicy = true var priorities = LoadBalancingPriorityProperties() @@ -154,6 +155,18 @@ class CanaryProperties { var headerValue = "1" } +class TrafficSplittingProperties { + var zoneName = "" + var serviceByWeightsProperties: Map = mapOf() + var secondaryClusterPostfix = "secondary" + var aggregateClusterPostfix = "aggregate" +} + +class ZoneWeights { + var main = 100 + var secondary = 0 +} + class LoadBalancingWeightsProperties { var enabled = false } diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt index b53b2c785..6b0d210e3 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt @@ -43,6 +43,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.groups.CommunicationMode.XDS import pl.allegro.tech.servicemesh.envoycontrol.groups.DependencySettings import pl.allegro.tech.servicemesh.envoycontrol.groups.DomainDependency import pl.allegro.tech.servicemesh.envoycontrol.groups.Group +import pl.allegro.tech.servicemesh.envoycontrol.groups.ServiceDependency import pl.allegro.tech.servicemesh.envoycontrol.groups.ServicesGroup import pl.allegro.tech.servicemesh.envoycontrol.groups.containsGlobalRateLimits import pl.allegro.tech.servicemesh.envoycontrol.logger @@ -51,8 +52,11 @@ import pl.allegro.tech.servicemesh.envoycontrol.snapshot.GlobalSnapshot import pl.allegro.tech.servicemesh.envoycontrol.snapshot.OAuthProvider import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties import pl.allegro.tech.servicemesh.envoycontrol.snapshot.Threshold +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.TrafficSplittingProperties import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.filters.SanUriMatcherFactory +typealias EnvoyClusterConfig = io.envoyproxy.envoy.extensions.clusters.aggregate.v3.ClusterConfig + class EnvoyClustersFactory( private val properties: SnapshotProperties ) { @@ -75,6 +79,16 @@ class EnvoyClustersFactory( companion object { private val logger by logger() + + @JvmStatic + fun getSecondaryClusterName(serviceName: String, snapshotProperties: SnapshotProperties): String { + return "$serviceName-${snapshotProperties.loadBalancing.trafficSplitting.secondaryClusterPostfix}" + } + + @JvmStatic + fun getAggregateClusterName(serviceName: String, snapshotProperties: SnapshotProperties): String { + return "$serviceName-${snapshotProperties.loadBalancing.trafficSplitting.aggregateClusterPostfix}" + } } fun getClustersForServices( @@ -191,20 +205,26 @@ class EnvoyClustersFactory( globalSnapshot.clusters } - val serviceDependencies = group.proxySettings.outgoing.getServiceDependencies().associateBy { it.service } - + val dependencies = group.proxySettings.outgoing.getServiceDependencies().associateBy { it.service } val clustersForGroup = when (group) { - is ServicesGroup -> serviceDependencies.mapNotNull { - createClusterForGroup(it.value.settings, clusters[it.key]) + is ServicesGroup -> dependencies.flatMap { + createClusters( + group.serviceName, + it.value.settings, + clusters[it.key], + globalSnapshot.endpoints[it.key] + ) } + is AllServicesGroup -> { - globalSnapshot.allServicesNames.mapNotNull { - val dependency = serviceDependencies[it] - if (dependency != null && dependency.settings.timeoutPolicy.connectionIdleTimeout != null) { - createClusterForGroup(dependency.settings, clusters[it]) - } else { - createClusterForGroup(group.proxySettings.outgoing.defaultServiceSettings, clusters[it]) - } + globalSnapshot.allServicesNames.flatMap { + val dependency = dependencies[it] + createClusters( + group.serviceName, + getDependencySettings(dependency, group), + clusters[it], + globalSnapshot.endpoints[it] + ) } } } @@ -215,17 +235,77 @@ class EnvoyClustersFactory( return clustersForGroup } - private fun createClusterForGroup(dependencySettings: DependencySettings, cluster: Cluster?): Cluster? { + private fun getDependencySettings(dependency: ServiceDependency?, group: Group): DependencySettings { + return if (dependency != null && dependency.settings.timeoutPolicy.connectionIdleTimeout != null) { + dependency.settings + } else group.proxySettings.outgoing.defaultServiceSettings + } + + private fun createClusterForGroup( + dependencySettings: DependencySettings, + cluster: Cluster, + clusterName: String? = cluster.name + ): Cluster { + val idleTimeoutPolicy = + dependencySettings.timeoutPolicy.connectionIdleTimeout ?: cluster.commonHttpProtocolOptions.idleTimeout + return Cluster.newBuilder(cluster) + .setCommonHttpProtocolOptions(HttpProtocolOptions.newBuilder().setIdleTimeout(idleTimeoutPolicy)) + .setName(clusterName) + .setEdsClusterConfig( + Cluster.EdsClusterConfig.newBuilder(cluster.edsClusterConfig) + .setServiceName(clusterName) + ) + .build() + } + + private fun createSetOfClustersForGroup( + dependencySettings: DependencySettings, + cluster: Cluster + ): Collection { + val mainCluster = createClusterForGroup(dependencySettings, cluster) + val secondaryCluster = createClusterForGroup( + dependencySettings, + cluster, + getSecondaryClusterName(cluster.name, properties) + ) + val aggregateCluster = + createAggregateCluster(mainCluster.name, linkedSetOf(secondaryCluster.name, mainCluster.name)) + return listOf(mainCluster, secondaryCluster, aggregateCluster) + .onEach { + logger.debug("Created set of cluster configs for traffic splitting: {}", it.toString()) + } + } + + private fun createClusters( + serviceName: String, + dependencySettings: DependencySettings, + cluster: Cluster?, + clusterLoadAssignment: ClusterLoadAssignment? + ): Collection { return cluster?.let { - val idleTimeoutPolicy = - dependencySettings.timeoutPolicy.connectionIdleTimeout ?: cluster.commonHttpProtocolOptions.idleTimeout - Cluster.newBuilder(cluster) - .setCommonHttpProtocolOptions( - HttpProtocolOptions.newBuilder().setIdleTimeout(idleTimeoutPolicy) - ).build() - } + if (enableTrafficSplitting(serviceName, clusterLoadAssignment)) { + createSetOfClustersForGroup(dependencySettings, cluster) + } else { + listOf(createClusterForGroup(dependencySettings, cluster)) + } + } ?: listOf() + } + + private fun enableTrafficSplitting( + serviceName: String, + clusterLoadAssignment: ClusterLoadAssignment? + ): Boolean { + val trafficSplitting = properties.loadBalancing.trafficSplitting + val trafficSplitEnabled = trafficSplitting.serviceByWeightsProperties.containsKey(serviceName) + return trafficSplitEnabled && hasEndpointsInZone(clusterLoadAssignment, trafficSplitting) } + private fun hasEndpointsInZone( + clusterLoadAssignment: ClusterLoadAssignment?, + trafficSplitting: TrafficSplittingProperties + ) = clusterLoadAssignment?.endpointsList + ?.any { e -> trafficSplitting.zoneName == e.locality.zone } ?: false + private fun shouldAddDynamicForwardProxyCluster(group: Group) = group.proxySettings.outgoing.getDomainPatternDependencies().isNotEmpty() @@ -277,6 +357,25 @@ class EnvoyClustersFactory( } } + private fun createAggregateCluster(clusterName: String, aggregatedClusters: Collection): Cluster { + return Cluster.newBuilder() + .setName(getAggregateClusterName(clusterName, properties)) + .setConnectTimeout(Durations.fromMillis(properties.edsConnectionTimeout.toMillis())) + .setLbPolicy(Cluster.LbPolicy.CLUSTER_PROVIDED) + .setClusterType( + Cluster.CustomClusterType.newBuilder() + .setName("envoy.clusters.aggregate") + .setTypedConfig( + Any.pack( + EnvoyClusterConfig.newBuilder() + .addAllClusters(aggregatedClusters) + .build() + ) + ) + ) + .build() + } + private fun strictDnsCluster( domainDependency: DomainDependency, useTransparentProxy: Boolean @@ -372,6 +471,7 @@ class EnvoyClustersFactory( ADS -> ConfigSource.newBuilder() .setResourceApiVersion(ApiVersion.V3) .setAds(AggregatedConfigSource.newBuilder()) + XDS -> ConfigSource.newBuilder() .setResourceApiVersion(ApiVersion.V3) diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactory.kt index 98e371bf8..0472e0718 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactory.kt @@ -17,7 +17,10 @@ import pl.allegro.tech.servicemesh.envoycontrol.services.Locality import pl.allegro.tech.servicemesh.envoycontrol.services.MultiClusterState import pl.allegro.tech.servicemesh.envoycontrol.services.ServiceInstance import pl.allegro.tech.servicemesh.envoycontrol.services.ServiceInstances +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.RouteSpecification import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.WeightRouteSpecification +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.clusters.EnvoyClustersFactory.Companion.getSecondaryClusterName import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.routes.ServiceTagMetadataGenerator typealias EnvoyProxyLocality = io.envoyproxy.envoy.config.core.v3.Locality @@ -74,6 +77,27 @@ class EnvoyEndpointsFactory( } } + fun getSecondaryClusterEndpoints( + clusterLoadAssignments: Map, + egressRouteSpecifications: List + ): List { + return egressRouteSpecifications + .filterIsInstance() + .onEach { logger.debug("Traffic splitting is enabled for cluster: ${it.clusterName}") } + .mapNotNull { routeSpec -> + clusterLoadAssignments[routeSpec.clusterName]?.let { assignment -> + ClusterLoadAssignment.newBuilder(assignment) + .clearEndpoints() + .addAllEndpoints(assignment.endpointsList?.filter { e -> + e.locality.zone == properties.loadBalancing.trafficSplitting.zoneName + }) + .setClusterName(getSecondaryClusterName(routeSpec.clusterName, properties)) + .build() + } + } + .filter { it.endpointsList.isNotEmpty() } + } + private fun filterEndpoints(loadAssignment: ClusterLoadAssignment, tag: String): ClusterLoadAssignment? { var allEndpointMatched = true val filteredEndpoints = loadAssignment.endpointsList.mapNotNull { localityLbEndpoint -> diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt index 0d2a39185..bb09953f2 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt @@ -20,6 +20,7 @@ import io.envoyproxy.envoy.config.route.v3.RouteAction import io.envoyproxy.envoy.config.route.v3.RouteConfiguration import io.envoyproxy.envoy.config.route.v3.RouteMatch import io.envoyproxy.envoy.config.route.v3.VirtualHost +import io.envoyproxy.envoy.config.route.v3.WeightedCluster import io.envoyproxy.envoy.extensions.retry.host.omit_canary_hosts.v3.OmitCanaryHostsPredicate import io.envoyproxy.envoy.extensions.retry.host.omit_host_metadata.v3.OmitHostMetadataConfig import io.envoyproxy.envoy.extensions.retry.host.previous_hosts.v3.PreviousHostsPredicate @@ -28,14 +29,21 @@ import pl.allegro.tech.servicemesh.envoycontrol.groups.ListenersConfig.AddUpstre import pl.allegro.tech.servicemesh.envoycontrol.groups.RateLimitedRetryBackOff import pl.allegro.tech.servicemesh.envoycontrol.groups.RetryBackOff import pl.allegro.tech.servicemesh.envoycontrol.groups.RetryHostPredicate +import pl.allegro.tech.servicemesh.envoycontrol.logger import pl.allegro.tech.servicemesh.envoycontrol.snapshot.RouteSpecification import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.StandardRouteSpecification +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.WeightRouteSpecification +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.clusters.EnvoyClustersFactory.Companion.getAggregateClusterName import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.filters.ServiceTagFilterFactory import pl.allegro.tech.servicemesh.envoycontrol.groups.RetryPolicy as EnvoyControlRetryPolicy class EnvoyEgressRoutesFactory( private val properties: SnapshotProperties ) { + companion object { + private val logger by logger() + } /** * By default envoy doesn't proxy requests to provided IP address. We created cluster: envoy-original-destination @@ -314,7 +322,7 @@ class EnvoyEgressRoutesFactory( shouldAddRetryPolicy: Boolean = false ): RouteAction.Builder { val routeAction = RouteAction.newBuilder() - .setCluster(routeSpecification.clusterName) + .setCluster(routeSpecification) routeSpecification.settings.timeoutPolicy.let { timeoutPolicy -> timeoutPolicy.idleTimeout?.let { routeAction.setIdleTimeout(it) } @@ -337,6 +345,39 @@ class EnvoyEgressRoutesFactory( return routeAction } + + private fun RouteAction.Builder.setCluster(routeSpec: RouteSpecification): RouteAction.Builder { + return when (routeSpec) { + is WeightRouteSpecification -> { + logger.debug( + "Creating weighted cluster configuration for route spec {}, {}", + routeSpec.clusterName, + routeSpec.clusterWeights + ) + this.setWeightedClusters( + WeightedCluster.newBuilder() + .withClusterWeight(routeSpec.clusterName, routeSpec.clusterWeights.main) + .withClusterWeight( + getAggregateClusterName(routeSpec.clusterName, properties), + routeSpec.clusterWeights.secondary + ) + ) + } + is StandardRouteSpecification -> { + this.setCluster(routeSpec.clusterName) + } + } + } + + private fun WeightedCluster.Builder.withClusterWeight(clusterName: String, weight: Int): WeightedCluster.Builder { + this.addClusters( + WeightedCluster.ClusterWeight.newBuilder() + .setName(clusterName) + .setWeight(UInt32Value.of(weight)) + .build() + ) + return this + } } class RequestPolicyMapper private constructor() { diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyIngressRoutesFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyIngressRoutesFactory.kt index f293b9ad6..40b076417 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyIngressRoutesFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyIngressRoutesFactory.kt @@ -19,8 +19,8 @@ import io.envoyproxy.envoy.config.route.v3.VirtualHost import io.envoyproxy.envoy.type.matcher.v3.RegexMatcher import io.envoyproxy.envoy.type.metadata.v3.MetadataKey import pl.allegro.tech.servicemesh.envoycontrol.groups.ClientWithSelector -import pl.allegro.tech.servicemesh.envoycontrol.groups.IncomingRateLimitEndpoint import pl.allegro.tech.servicemesh.envoycontrol.groups.Group +import pl.allegro.tech.servicemesh.envoycontrol.groups.IncomingRateLimitEndpoint import pl.allegro.tech.servicemesh.envoycontrol.groups.PathMatchingType import pl.allegro.tech.servicemesh.envoycontrol.groups.ProxySettings import pl.allegro.tech.servicemesh.envoycontrol.protocol.HttpMethod diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoySnapshotFactoryTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoySnapshotFactoryTest.kt index b5e326057..4165fe57d 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoySnapshotFactoryTest.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoySnapshotFactoryTest.kt @@ -1,12 +1,7 @@ package pl.allegro.tech.servicemesh.envoycontrol -import com.google.protobuf.Duration -import com.google.protobuf.util.Durations import io.envoyproxy.controlplane.cache.SnapshotResources import io.envoyproxy.envoy.config.cluster.v3.Cluster -import io.envoyproxy.envoy.config.core.v3.AggregatedConfigSource -import io.envoyproxy.envoy.config.core.v3.ConfigSource -import io.envoyproxy.envoy.config.core.v3.HttpProtocolOptions import io.envoyproxy.envoy.config.core.v3.Metadata import io.envoyproxy.envoy.config.endpoint.v3.ClusterLoadAssignment import io.envoyproxy.envoy.config.listener.v3.Listener @@ -38,18 +33,34 @@ import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.routes.EnvoyEg import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.routes.EnvoyIngressRoutesFactory import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.routes.ServiceTagMetadataGenerator import pl.allegro.tech.servicemesh.envoycontrol.snapshot.serviceDependencies +import pl.allegro.tech.servicemesh.envoycontrol.utils.CLUSTER_NAME +import pl.allegro.tech.servicemesh.envoycontrol.utils.CURRENT_ZONE +import pl.allegro.tech.servicemesh.envoycontrol.utils.DEFAULT_CLUSTER_WEIGHTS +import pl.allegro.tech.servicemesh.envoycontrol.utils.DEFAULT_DISCOVERY_SERVICE_NAME +import pl.allegro.tech.servicemesh.envoycontrol.utils.DEFAULT_IDLE_TIMEOUT +import pl.allegro.tech.servicemesh.envoycontrol.utils.DEFAULT_SERVICE_NAME +import pl.allegro.tech.servicemesh.envoycontrol.utils.EGRESS_HOST +import pl.allegro.tech.servicemesh.envoycontrol.utils.EGRESS_PORT +import pl.allegro.tech.servicemesh.envoycontrol.utils.INGRESS_HOST +import pl.allegro.tech.servicemesh.envoycontrol.utils.INGRESS_PORT +import pl.allegro.tech.servicemesh.envoycontrol.utils.TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE +import pl.allegro.tech.servicemesh.envoycontrol.utils.createCluster +import pl.allegro.tech.servicemesh.envoycontrol.utils.createClusterConfigurations +import pl.allegro.tech.servicemesh.envoycontrol.utils.createEndpoints class EnvoySnapshotFactoryTest { companion object { - const val INGRESS_HOST = "ingress-host" - const val INGRESS_PORT = 3380 - const val EGRESS_HOST = "egress-host" - const val EGRESS_PORT = 3380 - const val CLUSTER_NAME = "cluster-name" - const val DEFAULT_SERVICE_NAME = "service-name" - const val DEFAULT_DISCOVERY_SERVICE_NAME = "discovery-service-name" - const val DEFAULT_IDLE_TIMEOUT = 100L - const val currentZone = "dc1" + const val MAIN_CLUSTER_NAME = "service-name-2" + const val SECONDARY_CLUSTER_NAME = "service-name-2-secondary" + const val AGGREGATE_CLUSTER_NAME = "service-name-2-aggregate" + const val SERVICE_NAME_2 = "service-name-2" + } + + private val snapshotPropertiesWithWeights = SnapshotProperties().also { + it.loadBalancing.trafficSplitting.serviceByWeightsProperties = mapOf( + DEFAULT_SERVICE_NAME to DEFAULT_CLUSTER_WEIGHTS + ) + it.loadBalancing.trafficSplitting.zoneName = TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE } @Test @@ -217,6 +228,96 @@ class EnvoySnapshotFactoryTest { assertThat(actualCluster2.commonHttpProtocolOptions.idleTimeout.seconds).isEqualTo(12) } + @Test + fun `should create weighted snapshot clusters`() { + // given + val envoySnapshotFactory = createSnapshotFactory(snapshotPropertiesWithWeights) + val cluster1 = createCluster(snapshotPropertiesWithWeights, clusterName = DEFAULT_SERVICE_NAME) + val cluster2 = + createCluster(snapshotPropertiesWithWeights, clusterName = SERVICE_NAME_2) + val group: Group = createServicesGroup( + dependencies = arrayOf(cluster2.name to null), + snapshotProperties = snapshotPropertiesWithWeights + ) + val globalSnapshot = createGlobalSnapshot(cluster1, cluster2) + + // when + val snapshot = envoySnapshotFactory.getSnapshotForGroup(group, globalSnapshot) + + // then + assertThat(snapshot.clusters().resources()) + .containsKey(MAIN_CLUSTER_NAME) + .containsKey(SECONDARY_CLUSTER_NAME) + .containsKey(AGGREGATE_CLUSTER_NAME) + assertThat(snapshot.endpoints().resources().values) + .anySatisfy { + assertThat(it.clusterName).isEqualTo(MAIN_CLUSTER_NAME) + assertThat(it.endpointsList) + .anyMatch { e -> e.locality.zone == CURRENT_ZONE } + .anyMatch { e -> e.locality.zone == TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE } + } + assertThat(snapshot.endpoints().resources().values) + .anySatisfy { + assertThat(it.clusterName).isEqualTo(SECONDARY_CLUSTER_NAME) + assertThat(it.endpointsList) + .allMatch { e -> e.locality.zone == TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE } + } + } + + @Test + fun `should get regular snapshot clusters when traffic splitting zone condition isn't complied`() { + // given + val defaultProperties = SnapshotProperties().also { + it.dynamicListeners.enabled = false + it.loadBalancing.trafficSplitting.serviceByWeightsProperties = mapOf( + DEFAULT_SERVICE_NAME to DEFAULT_CLUSTER_WEIGHTS + ) + it.loadBalancing.trafficSplitting.zoneName = "not-matching-dc" + } + val envoySnapshotFactory = createSnapshotFactory(defaultProperties) + val cluster1 = createCluster(defaultProperties, clusterName = DEFAULT_SERVICE_NAME) + val cluster2 = createCluster(defaultProperties, clusterName = SERVICE_NAME_2) + val group: Group = createServicesGroup( + dependencies = arrayOf(cluster2.name to null), + snapshotProperties = defaultProperties + ) + val globalSnapshot = createGlobalSnapshot(cluster1, cluster2) + + // when + val snapshot = envoySnapshotFactory.getSnapshotForGroup(group, globalSnapshot) + + // then + assertThat(snapshot.clusters().resources()) + .containsKey(MAIN_CLUSTER_NAME) + .doesNotContainKey(SECONDARY_CLUSTER_NAME) + .doesNotContainKey(AGGREGATE_CLUSTER_NAME) + } + + @Test + fun `should create weighted snapshot clusters for wildcard dependencies`() { + // given + val envoySnapshotFactory = createSnapshotFactory(snapshotPropertiesWithWeights) + val cluster1 = createCluster(snapshotPropertiesWithWeights, clusterName = DEFAULT_SERVICE_NAME) + val cluster2 = createCluster(snapshotPropertiesWithWeights, clusterName = SERVICE_NAME_2) + val wildcardTimeoutPolicy = outgoingTimeoutPolicy(connectionIdleTimeout = 12) + + val group: Group = createAllServicesGroup( + dependencies = arrayOf("*" to wildcardTimeoutPolicy), + snapshotProperties = snapshotPropertiesWithWeights, + defaultServiceSettings = DependencySettings(), + ) + val globalSnapshot = createGlobalSnapshot(cluster1, cluster2) + + // when + val snapshot = envoySnapshotFactory.getSnapshotForGroup(group, globalSnapshot) + + // then + assertThat(snapshot.clusters().resources()) + .containsKey(MAIN_CLUSTER_NAME) + .containsKey(SECONDARY_CLUSTER_NAME) + .containsKey(AGGREGATE_CLUSTER_NAME) + } + @Test fun `should fetch ratelimit service endpoint if there are global rate limits`() { // given @@ -274,10 +375,14 @@ class EnvoySnapshotFactoryTest { } private fun GlobalSnapshot.withEndpoint(clusterName: String): GlobalSnapshot = copy( - endpoints = SnapshotResources.create(listOf(ClusterLoadAssignment.newBuilder() + endpoints = SnapshotResources.create( + listOf( + ClusterLoadAssignment.newBuilder() .setClusterName(clusterName) .build() - ), "v1").resources()) + ), "v1" + ).resources() + ) private fun createServicesGroup( mode: CommunicationMode = CommunicationMode.XDS, @@ -351,7 +456,7 @@ class EnvoySnapshotFactoryTest { ) val egressRoutesFactory = EnvoyEgressRoutesFactory(properties) val clustersFactory = EnvoyClustersFactory(properties) - val endpointsFactory = EnvoyEndpointsFactory(properties, ServiceTagMetadataGenerator(), currentZone) + val endpointsFactory = EnvoyEndpointsFactory(properties, ServiceTagMetadataGenerator(), CURRENT_ZONE) val envoyHttpFilters = EnvoyHttpFilters.defaultFilters(properties) val listenersFactory = EnvoyListenersFactory(properties, envoyHttpFilters) val snapshotsVersions = SnapshotsVersions() @@ -371,33 +476,21 @@ class EnvoySnapshotFactoryTest { private fun createGlobalSnapshot(vararg clusters: Cluster): GlobalSnapshot { return GlobalSnapshot( - SnapshotResources.create(clusters.toList(), "pl/allegro/tech/servicemesh/envoycontrol/v3").resources(), + SnapshotResources.create(clusters.toList(), "pl/allegro/tech/servicemesh/envoycontrol/v3") + .resources(), clusters.map { it.name }.toSet(), - SnapshotResources.create(emptyList(), "v1").resources(), - emptyMap(), + SnapshotResources.create(createLoadAssignments(clusters.toList()), "v1").resources(), + createClusterConfigurations(), SnapshotResources.create(clusters.toList(), "v3").resources() ) } - private fun createCluster( - defaultProperties: SnapshotProperties, - clusterName: String = CLUSTER_NAME, - serviceName: String = DEFAULT_SERVICE_NAME, - idleTimeout: Long = DEFAULT_IDLE_TIMEOUT - ): Cluster { - return Cluster.newBuilder().setName(clusterName) - .setType(Cluster.DiscoveryType.EDS) - .setConnectTimeout(Durations.fromMillis(defaultProperties.edsConnectionTimeout.toMillis())) - .setEdsClusterConfig( - Cluster.EdsClusterConfig.newBuilder().setEdsConfig( - ConfigSource.newBuilder().setAds(AggregatedConfigSource.newBuilder()) - ).setServiceName(serviceName) - ) - .setLbPolicy(defaultProperties.loadBalancing.policy) - .setCommonHttpProtocolOptions( - HttpProtocolOptions.newBuilder() - .setIdleTimeout(Duration.newBuilder().setSeconds(idleTimeout).build()) - ) - .build() + private fun createLoadAssignments(clusters: List): List { + return clusters.map { + ClusterLoadAssignment.newBuilder() + .setClusterName(it.name) + .addAllEndpoints(createEndpoints()) + .build() + } } } diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactoryTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactoryTest.kt new file mode 100644 index 000000000..2a1d8917a --- /dev/null +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactoryTest.kt @@ -0,0 +1,138 @@ +package pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.clusters + +import io.envoyproxy.controlplane.cache.SnapshotResources +import io.envoyproxy.envoy.config.cluster.v3.Cluster +import io.envoyproxy.envoy.config.endpoint.v3.ClusterLoadAssignment +import org.assertj.core.api.Assertions.assertThat +import org.junit.jupiter.api.Test +import pl.allegro.tech.servicemesh.envoycontrol.groups.DependencySettings +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.GlobalSnapshot +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties +import pl.allegro.tech.servicemesh.envoycontrol.utils.AGGREGATE_CLUSTER_NAME +import pl.allegro.tech.servicemesh.envoycontrol.utils.CLUSTER_NAME1 +import pl.allegro.tech.servicemesh.envoycontrol.utils.CLUSTER_NAME2 +import pl.allegro.tech.servicemesh.envoycontrol.utils.DEFAULT_CLUSTER_WEIGHTS +import pl.allegro.tech.servicemesh.envoycontrol.utils.DEFAULT_SERVICE_NAME +import pl.allegro.tech.servicemesh.envoycontrol.utils.MAIN_CLUSTER_NAME +import pl.allegro.tech.servicemesh.envoycontrol.utils.SECONDARY_CLUSTER_NAME +import pl.allegro.tech.servicemesh.envoycontrol.utils.TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE +import pl.allegro.tech.servicemesh.envoycontrol.utils.createAllServicesGroup +import pl.allegro.tech.servicemesh.envoycontrol.utils.createCluster +import pl.allegro.tech.servicemesh.envoycontrol.utils.createClusterConfigurations +import pl.allegro.tech.servicemesh.envoycontrol.utils.createListenersConfig +import pl.allegro.tech.servicemesh.envoycontrol.utils.createLoadAssignments +import pl.allegro.tech.servicemesh.envoycontrol.utils.createServicesGroup + +internal class EnvoyClustersFactoryTest { + + companion object { + private val factory = EnvoyClustersFactory(SnapshotProperties()) + private val snapshotPropertiesWithWeights = SnapshotProperties().apply { + loadBalancing.trafficSplitting.serviceByWeightsProperties = mapOf( + DEFAULT_SERVICE_NAME to DEFAULT_CLUSTER_WEIGHTS + ) + loadBalancing.trafficSplitting.zoneName = TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE + } + } + + @Test + fun `should get clusters for group`() { + val snapshotProperties = SnapshotProperties() + val cluster1 = createCluster(snapshotProperties, CLUSTER_NAME1) + val result = factory.getClustersForGroup( + createServicesGroup( + snapshotProperties = snapshotProperties, + dependencies = arrayOf(CLUSTER_NAME1 to null), + ), + createGlobalSnapshot( + cluster1, + createCluster(snapshotProperties, CLUSTER_NAME2), + ) + ) + assertThat(result) + .allSatisfy { + assertThat(it).isEqualTo(cluster1) + } + } + + @Test + fun `should get wildcard clusters for group`() { + val snapshotProperties = SnapshotProperties() + val cluster1 = createCluster(clusterName = CLUSTER_NAME1) + val cluster2 = createCluster(clusterName = CLUSTER_NAME2) + val result = factory.getClustersForGroup( + createAllServicesGroup( + snapshotProperties = snapshotProperties, + defaultServiceSettings = DependencySettings() + ), + createGlobalSnapshot(cluster1, cluster2) + ) + assertThat(result) + .anySatisfy { + assertThat(it).isEqualTo(cluster1) + }.anySatisfy { + assertThat(it).isEqualTo(cluster2) + } + } + + @Test + fun `should get secured eds clusters for group`() { + val snapshotProperties = SnapshotProperties() + val cluster = createCluster(snapshotProperties, CLUSTER_NAME1) + val securedCluster = createCluster(snapshotProperties, CLUSTER_NAME1, idleTimeout = 100) + val result = factory.getClustersForGroup( + createServicesGroup( + snapshotProperties = snapshotProperties, + listenersConfig = createListenersConfig(snapshotProperties, true), + dependencies = arrayOf(CLUSTER_NAME1 to null), + ), + createGlobalSnapshot( + cluster, + securedClusters = listOf(securedCluster) + ) + ) + assertThat(result).allSatisfy { + assertThat(it).isEqualTo(securedCluster) + } + } + + @Test + fun `should get clusters for group with weighted and aggregate clusters`() { + val cluster1 = createCluster(snapshotPropertiesWithWeights, CLUSTER_NAME1) + val factory = EnvoyClustersFactory(snapshotPropertiesWithWeights) + val result = factory.getClustersForGroup( + createServicesGroup( + snapshotProperties = snapshotPropertiesWithWeights, + listenersConfig = createListenersConfig(snapshotPropertiesWithWeights, true), + dependencies = arrayOf(CLUSTER_NAME1 to null), + ), + createGlobalSnapshot(cluster1) + ) + assertThat(result) + .anySatisfy { + assertThat(it.name).isEqualTo(MAIN_CLUSTER_NAME) + assertThat(it.edsClusterConfig).isEqualTo(cluster1.edsClusterConfig) + } + .anySatisfy { + assertThat(it.name).isEqualTo(SECONDARY_CLUSTER_NAME) + } + .anySatisfy { + assertThat(it.name).isEqualTo(AGGREGATE_CLUSTER_NAME) + assertThat(it.clusterType.typedConfig.isInitialized).isTrue() + } + } + + private fun createGlobalSnapshot( + vararg clusters: Cluster, + securedClusters: List = clusters.asList() + ): GlobalSnapshot { + return GlobalSnapshot( + SnapshotResources.create(clusters.toList(), "pl/allegro/tech/servicemesh/envoycontrol/v3") + .resources(), + clusters.map { it.name }.toSet(), + SnapshotResources.create(createLoadAssignments(clusters.toList()), "v1").resources(), + createClusterConfigurations(), + SnapshotResources.create(securedClusters, "v3").resources() + ) + } +} diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactoryTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactoryTest.kt index 1bc564e9d..78fef6122 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactoryTest.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/endpoints/EnvoyEndpointsFactoryTest.kt @@ -8,6 +8,7 @@ import org.junit.jupiter.api.Test import org.junit.jupiter.params.ParameterizedTest import org.junit.jupiter.params.provider.Arguments import org.junit.jupiter.params.provider.MethodSource +import pl.allegro.tech.servicemesh.envoycontrol.groups.DependencySettings import pl.allegro.tech.servicemesh.envoycontrol.groups.RoutingPolicy import pl.allegro.tech.servicemesh.envoycontrol.services.ClusterState import pl.allegro.tech.servicemesh.envoycontrol.services.Locality @@ -18,7 +19,12 @@ import pl.allegro.tech.servicemesh.envoycontrol.services.ServiceName import pl.allegro.tech.servicemesh.envoycontrol.services.ServicesState import pl.allegro.tech.servicemesh.envoycontrol.snapshot.LoadBalancingPriorityProperties import pl.allegro.tech.servicemesh.envoycontrol.snapshot.LoadBalancingProperties +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.RouteSpecification import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.TrafficSplittingProperties +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.WeightRouteSpecification +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.ZoneWeights +import pl.allegro.tech.servicemesh.envoycontrol.utils.zoneWeights import java.util.concurrent.ConcurrentHashMap import java.util.stream.Stream @@ -51,12 +57,20 @@ internal class EnvoyEndpointsFactoryTest { private val serviceName = "service-one" + private val secondaryClusterName = "service-one-secondary" + + private val serviceName2 = "service-two" + + private val defaultWeights = zoneWeights(50, 50) + + private val defaultZone = "DC1" + private val endpointsFactory = EnvoyEndpointsFactory( SnapshotProperties().apply { routing.serviceTags.enabled = true routing.serviceTags.autoServiceTagEnabled = true }, - currentZone = "DC1" + currentZone = defaultZone ) private val multiClusterStateDC1Local = MultiClusterState( @@ -352,6 +366,122 @@ internal class EnvoyEndpointsFactoryTest { ) } + @Test + fun `should create secondary cluster endpoints`() { + val multiClusterState = MultiClusterState( + listOf( + clusterState(cluster = "DC1"), + clusterState(cluster = "DC2"), + clusterState(cluster = "DC1", serviceName = serviceName2), + clusterState(cluster = "DC2", serviceName = serviceName2), + ) + ) + + val services = setOf(serviceName, serviceName2) + val envoyEndpointsFactory = EnvoyEndpointsFactory( + snapshotPropertiesWithTrafficSplitting( + mapOf(serviceName to defaultWeights) + ), + currentZone = defaultZone + ) + val loadAssignments = envoyEndpointsFactory + .createLoadAssignment(services, multiClusterState) + .associateBy { it.clusterName } + + val result = envoyEndpointsFactory.getSecondaryClusterEndpoints( + loadAssignments, + services.map { it.toRouteSpecification() } + ) + assertThat(result).hasSize(2) + .anySatisfy { x -> assertThat(x.clusterName).isEqualTo(secondaryClusterName) } + .allSatisfy { x -> assertThat(x.endpointsList).allMatch { it.locality.zone == defaultZone } } + } + + @Test + fun `should get empty secondary cluster endpoints for route spec with no weights`() { + val multiClusterState = MultiClusterState( + listOf( + clusterState(cluster = defaultZone), + clusterState(cluster = defaultZone, serviceName = serviceName2), + ) + ) + val services = setOf(serviceName, serviceName2) + val envoyEndpointsFactory = EnvoyEndpointsFactory( + snapshotPropertiesWithTrafficSplitting( + mapOf(serviceName to defaultWeights) + ), + currentZone = defaultZone + ) + val loadAssignments = envoyEndpointsFactory.createLoadAssignment( + services, + multiClusterState + ).associateBy { it.clusterName } + + val result = envoyEndpointsFactory.getSecondaryClusterEndpoints( + loadAssignments, + listOf(serviceName.toRouteSpecification()) + ) + assertThat(result).allSatisfy { x -> + assertThat(x.clusterName) + .isEqualTo(secondaryClusterName) + } + } + + @Test + fun `should get empty secondary cluster endpoints for route spec with no such cluster`() { + val multiClusterState = MultiClusterState( + listOf( + clusterState(cluster = defaultZone), + clusterState(cluster = defaultZone, serviceName = serviceName2), + ) + ) + val services = setOf(serviceName, serviceName2) + val envoyEndpointsFactory = EnvoyEndpointsFactory( + snapshotPropertiesWithTrafficSplitting( + mapOf(serviceName to defaultWeights) + ), + currentZone = defaultZone + ) + val loadAssignments = envoyEndpointsFactory.createLoadAssignment( + services, + multiClusterState + ).associateBy { it.clusterName } + + val result = envoyEndpointsFactory.getSecondaryClusterEndpoints( + loadAssignments, + listOf("some-other-service-name".toRouteSpecification()) + ) + assertThat(result).isEmpty() + } + + @Test + fun `should get empty secondary cluster endpoints when none comply zone condition`() { + val multiClusterState = MultiClusterState( + listOf( + clusterState(cluster = defaultZone), + clusterState(cluster = defaultZone, serviceName = serviceName2), + ) + ) + val services = setOf(serviceName, serviceName2) + val envoyEndpointsFactory = EnvoyEndpointsFactory( + snapshotPropertiesWithTrafficSplitting( + mapOf(serviceName to defaultWeights), + zone = "DC2" + ), + currentZone = defaultZone + ) + val loadAssignments = envoyEndpointsFactory.createLoadAssignment( + services, + multiClusterState + ).associateBy { it.clusterName } + + val result = envoyEndpointsFactory.getSecondaryClusterEndpoints( + loadAssignments, + listOf(serviceName.toRouteSpecification()) + ) + assertThat(result).isEmpty() + } + private fun List.assertHasLoadAssignment(map: Map) { assertThat(this) .isNotEmpty() @@ -364,7 +494,11 @@ internal class EnvoyEndpointsFactoryTest { } } - private fun clusterState(locality: Locality, cluster: String): ClusterState { + private fun clusterState( + locality: Locality = Locality.LOCAL, + cluster: String, + serviceName: String = this.serviceName + ): ClusterState { return ClusterState( ServicesState( serviceNameToInstances = concurrentMapOf( @@ -405,6 +539,21 @@ internal class EnvoyEndpointsFactoryTest { } } + private fun snapshotPropertiesWithTrafficSplitting( + serviceByWeights: Map, + zone: String = defaultZone + ) = + SnapshotProperties().apply { + loadBalancing.trafficSplitting = TrafficSplittingProperties().apply { + zoneName = zone + serviceByWeightsProperties = serviceByWeights + } + } + + private fun String.toRouteSpecification(weights: ZoneWeights = defaultWeights): RouteSpecification { + return WeightRouteSpecification(this, listOf(), DependencySettings(), weights) + } + private fun String.toClusterLoadAssignment(): ClusterLoadAssignment = ClusterLoadAssignment.newBuilder() .also { builder -> JsonFormat.parser().merge(this, builder) } .build() diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt index eebb7f283..93239bde0 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt @@ -21,13 +21,13 @@ import pl.allegro.tech.servicemesh.envoycontrol.groups.hostRewriteHeaderIsEmpty import pl.allegro.tech.servicemesh.envoycontrol.groups.matchingOnAnyMethod import pl.allegro.tech.servicemesh.envoycontrol.groups.matchingOnMethod import pl.allegro.tech.servicemesh.envoycontrol.groups.matchingOnPrefix -import pl.allegro.tech.servicemesh.envoycontrol.snapshot.RouteSpecification import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.StandardRouteSpecification internal class EnvoyEgressRoutesFactoryTest { val clusters = listOf( - RouteSpecification( + StandardRouteSpecification( clusterName = "srv1", routeDomains = listOf("srv1"), settings = DependencySettings( @@ -171,8 +171,8 @@ internal class EnvoyEgressRoutesFactoryTest { egress.headersToRemove = mutableListOf("x-special-case-header", "x-custom") }) val routesSpecifications = listOf( - RouteSpecification("example_pl_1553", listOf("example.pl:1553"), DependencySettings()), - RouteSpecification("example_com_1553", listOf("example.com:1553"), DependencySettings()) + StandardRouteSpecification("example_pl_1553", listOf("example.pl:1553"), DependencySettings()), + StandardRouteSpecification("example_com_1553", listOf("example.com:1553"), DependencySettings()) ) // when @@ -203,7 +203,7 @@ internal class EnvoyEgressRoutesFactoryTest { val routesFactory = EnvoyEgressRoutesFactory(SnapshotProperties()) val retryPolicy = RetryPolicy(methods = setOf("GET", "POST")) val routesSpecifications = listOf( - RouteSpecification("example", listOf("example.pl:1553"), DependencySettings(retryPolicy = retryPolicy)), + StandardRouteSpecification("example", listOf("example.pl:1553"), DependencySettings(retryPolicy = retryPolicy)), ) val routeConfig = routesFactory.createEgressRouteConfig( @@ -234,7 +234,7 @@ internal class EnvoyEgressRoutesFactoryTest { val routesFactory = EnvoyEgressRoutesFactory(SnapshotProperties()) val retryPolicy = RetryPolicy(numberRetries = 3) val routesSpecifications = listOf( - RouteSpecification("example", listOf("example.pl:1553"), DependencySettings(retryPolicy = retryPolicy)), + StandardRouteSpecification("example", listOf("example.pl:1553"), DependencySettings(retryPolicy = retryPolicy)), ) val routeConfig = routesFactory.createEgressRouteConfig( @@ -259,7 +259,7 @@ internal class EnvoyEgressRoutesFactoryTest { // given val routesFactory = EnvoyEgressRoutesFactory(SnapshotProperties()) val routesSpecifications = listOf( - RouteSpecification("example", listOf("example.pl:1553"), DependencySettings()), + StandardRouteSpecification("example", listOf("example.pl:1553"), DependencySettings()), ) val routeConfig = routesFactory.createEgressRouteConfig( diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/ClusterOperations.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/ClusterOperations.kt new file mode 100644 index 000000000..d261ed874 --- /dev/null +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/ClusterOperations.kt @@ -0,0 +1,38 @@ +package pl.allegro.tech.servicemesh.envoycontrol.utils + +import com.google.protobuf.Duration +import com.google.protobuf.util.Durations +import io.envoyproxy.envoy.config.cluster.v3.Cluster +import io.envoyproxy.envoy.config.core.v3.AggregatedConfigSource +import io.envoyproxy.envoy.config.core.v3.ConfigSource +import io.envoyproxy.envoy.config.core.v3.HttpProtocolOptions +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.ClusterConfiguration +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties + +fun createCluster( + defaultProperties: SnapshotProperties = SnapshotProperties(), + clusterName: String = CLUSTER_NAME, + idleTimeout: Long = DEFAULT_IDLE_TIMEOUT +): Cluster { + return Cluster.newBuilder().setName(clusterName) + .setType(Cluster.DiscoveryType.EDS) + .setConnectTimeout(Durations.fromMillis(defaultProperties.edsConnectionTimeout.toMillis())) + .setEdsClusterConfig( + Cluster.EdsClusterConfig.newBuilder() + .setEdsConfig( + ConfigSource.newBuilder().setAds( + AggregatedConfigSource.newBuilder() + ) + ).setServiceName(clusterName) + ) + .setLbPolicy(defaultProperties.loadBalancing.policy) + .setCommonHttpProtocolOptions( + HttpProtocolOptions.newBuilder() + .setIdleTimeout(Duration.newBuilder().setSeconds(idleTimeout).build()) + ) + .build() +} + +fun createClusterConfigurations(vararg clusters: Cluster): Map { + return clusters.associate { it.name to ClusterConfiguration(it.name, false) } +} diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/EndpointsOperations.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/EndpointsOperations.kt new file mode 100644 index 000000000..a47cf5fb6 --- /dev/null +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/EndpointsOperations.kt @@ -0,0 +1,33 @@ +package pl.allegro.tech.servicemesh.envoycontrol.utils + +import io.envoyproxy.envoy.config.cluster.v3.Cluster +import io.envoyproxy.envoy.config.endpoint.v3.ClusterLoadAssignment +import io.envoyproxy.envoy.config.endpoint.v3.LbEndpoint +import io.envoyproxy.envoy.config.endpoint.v3.LocalityLbEndpoints + +fun createLoadAssignments(clusters: List): List { + return clusters.map { + ClusterLoadAssignment.newBuilder() + .setClusterName(it.name) + .addAllEndpoints(createEndpoints()) + .build() + } +} + +fun createEndpoints(): List = + listOf( + createEndpoint(CURRENT_ZONE), + createEndpoint(TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE) + ) + +fun createEndpoint(zone: String): LocalityLbEndpoints { + return LocalityLbEndpoints.newBuilder() + .setLocality( + io.envoyproxy.envoy.config.core.v3.Locality + .newBuilder() + .setZone(zone) + .build() + ) + .addAllLbEndpoints(listOf(LbEndpoint.getDefaultInstance())) + .build() +} diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/GroupsOperations.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/GroupsOperations.kt new file mode 100644 index 000000000..b38867bc7 --- /dev/null +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/GroupsOperations.kt @@ -0,0 +1,78 @@ +package pl.allegro.tech.servicemesh.envoycontrol.utils + +import pl.allegro.tech.servicemesh.envoycontrol.groups.AccessLogFilterSettings +import pl.allegro.tech.servicemesh.envoycontrol.groups.AllServicesGroup +import pl.allegro.tech.servicemesh.envoycontrol.groups.CommunicationMode +import pl.allegro.tech.servicemesh.envoycontrol.groups.DependencySettings +import pl.allegro.tech.servicemesh.envoycontrol.groups.IncomingRateLimitEndpoint +import pl.allegro.tech.servicemesh.envoycontrol.groups.ListenersConfig +import pl.allegro.tech.servicemesh.envoycontrol.groups.Outgoing +import pl.allegro.tech.servicemesh.envoycontrol.groups.ProxySettings +import pl.allegro.tech.servicemesh.envoycontrol.groups.ServicesGroup +import pl.allegro.tech.servicemesh.envoycontrol.groups.with +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.serviceDependencies + +fun createServicesGroup( + mode: CommunicationMode = CommunicationMode.XDS, + serviceName: String = DEFAULT_SERVICE_NAME, + discoveryServiceName: String = DEFAULT_DISCOVERY_SERVICE_NAME, + dependencies: Array> = emptyArray(), + rateLimitEndpoints: List = emptyList(), + snapshotProperties: SnapshotProperties, + listenersConfig: ListenersConfig? = createListenersConfig(snapshotProperties) +): ServicesGroup { + return ServicesGroup( + mode, + serviceName, + discoveryServiceName, + ProxySettings().with( + serviceDependencies = serviceDependencies(*dependencies), + rateLimitEndpoints = rateLimitEndpoints + ), + listenersConfig + ) +} + +fun createAllServicesGroup( + mode: CommunicationMode = CommunicationMode.XDS, + serviceName: String = DEFAULT_SERVICE_NAME, + discoveryServiceName: String = DEFAULT_DISCOVERY_SERVICE_NAME, + dependencies: Array> = emptyArray(), + defaultServiceSettings: DependencySettings, + listenersConfigExists: Boolean = true, + snapshotProperties: SnapshotProperties +): AllServicesGroup { + val listenersConfig = when (listenersConfigExists) { + true -> createListenersConfig(snapshotProperties) + false -> null + } + return AllServicesGroup( + mode, + serviceName, + discoveryServiceName, + ProxySettings().with( + serviceDependencies = serviceDependencies(*dependencies), + defaultServiceSettings = defaultServiceSettings + ), + listenersConfig + ) +} + +fun createListenersConfig( + snapshotProperties: SnapshotProperties, + hasStaticSecretsDefined: Boolean = false +) + : ListenersConfig { + return ListenersConfig( + ingressHost = INGRESS_HOST, + ingressPort = INGRESS_PORT, + egressHost = EGRESS_HOST, + egressPort = EGRESS_PORT, + accessLogFilterSettings = AccessLogFilterSettings( + null, + snapshotProperties.dynamicListeners.httpFilters.accessLog.filters + ), + hasStaticSecretsDefined = hasStaticSecretsDefined + ) +} diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/TestData.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/TestData.kt new file mode 100644 index 000000000..fc2ecdaea --- /dev/null +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/utils/TestData.kt @@ -0,0 +1,26 @@ +package pl.allegro.tech.servicemesh.envoycontrol.utils + +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.ZoneWeights + +const val INGRESS_HOST = "ingress-host" +const val INGRESS_PORT = 3380 +const val EGRESS_HOST = "egress-host" +const val EGRESS_PORT = 3380 +const val DEFAULT_IDLE_TIMEOUT = 100L +const val DEFAULT_SERVICE_NAME = "service-name" +const val DEFAULT_DISCOVERY_SERVICE_NAME = "discovery-service-name" +const val CLUSTER_NAME = "cluster-name" +const val CLUSTER_NAME1 = "cluster-1" +const val CLUSTER_NAME2 = "cluster-2" +const val MAIN_CLUSTER_NAME = "cluster-1" +const val SECONDARY_CLUSTER_NAME = "cluster-1-secondary" +const val AGGREGATE_CLUSTER_NAME = "cluster-1-aggregate" +const val TRAFFIC_SPLITTING_FORCE_TRAFFIC_ZONE = "dc2" +const val CURRENT_ZONE = "dc1" + +val DEFAULT_CLUSTER_WEIGHTS = zoneWeights(50, 50) + +fun zoneWeights(main: Int, secondary: Int) = ZoneWeights().also { + it.main = main + it.secondary = secondary +} diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoyControlSynchronizationTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoyControlSynchronizationTest.kt index d2a1b8d2b..cc163f075 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoyControlSynchronizationTest.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/EnvoyControlSynchronizationTest.kt @@ -78,22 +78,6 @@ internal class EnvoyControlSynchronizationTest { waitServiceOkAndFrom("echo", serviceLocal) } - @Test - fun `latency between service registration in remote dc and being able to access it via envoy should be similar to envoy-control polling interval`() { - // when - val latency = measureRegistrationToAccessLatency( - registerService = { name, target -> registerServiceInRemoteDc(name, target) }, - readinessCheck = { name, target -> waitServiceOkAndFrom(name, target) } - ) - - // then - logger.info("remote dc latency: $latency") - - val tolerance = Duration.ofMillis(400) + stateSampleDuration - val expectedMax = (pollingInterval + tolerance).toMillis() - assertThat(latency.max()).isLessThanOrEqualTo(expectedMax) - } - @Test fun `latency between service registration in local dc and being able to access it via envoy should be less than 0,5s + stateSampleDuration`() { // when diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulOperations.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulOperations.kt index 342c7b9a2..b6843d6a6 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulOperations.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/consul/ConsulOperations.kt @@ -70,6 +70,21 @@ class ConsulOperations(port: Int) { tags ) + fun registerServiceWithEnvoyOnEgress( + extension: EnvoyExtension, + id: String = UUID.randomUUID().toString(), + name: String, + registerDefaultCheck: Boolean = false, + tags: List = listOf("a") + ) = registerService( + id, + name, + extension.container.ipAddress(), + EnvoyContainer.EGRESS_LISTENER_CONTAINER_PORT, + registerDefaultCheck, + tags + ) + fun deregisterService(id: String) { client.agentServiceDeregister(id) } diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoy/EnvoyAdmin.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoy/EnvoyAdmin.kt index b7cdf9e57..8be80d7fb 100644 --- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoy/EnvoyAdmin.kt +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/config/envoy/EnvoyAdmin.kt @@ -5,7 +5,6 @@ import com.fasterxml.jackson.databind.DeserializationFeature import com.fasterxml.jackson.databind.ObjectMapper import com.fasterxml.jackson.databind.node.ObjectNode import com.fasterxml.jackson.module.kotlin.KotlinModule - import okhttp3.MediaType.Companion.toMediaType import okhttp3.OkHttpClient import okhttp3.Request @@ -109,14 +108,15 @@ class EnvoyAdmin( private val client = OkHttpClient.Builder() .build() - private fun get(path: String): Response = - client.newCall( + private fun get(path: String): Response { + return client.newCall( Request.Builder() .get() .url("$address/$path") .build() ) .execute().addToCloseableResponses() + } private fun post(path: String): Response = client.newCall( diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/TrafficSplitting.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/TrafficSplitting.kt new file mode 100644 index 000000000..a49c7f996 --- /dev/null +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/TrafficSplitting.kt @@ -0,0 +1,67 @@ +import TrafficSplitting.deltaPercentage +import TrafficSplitting.upstreamServiceName +import org.assertj.core.api.Assertions +import org.assertj.core.data.Percentage +import pl.allegro.tech.servicemesh.envoycontrol.assertions.isFrom +import pl.allegro.tech.servicemesh.envoycontrol.assertions.isOk +import pl.allegro.tech.servicemesh.envoycontrol.assertions.untilAsserted +import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.CallStats +import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyExtension +import pl.allegro.tech.servicemesh.envoycontrol.config.service.EchoServiceExtension + +internal object TrafficSplitting { + const val upstreamServiceName = "service-1" + const val serviceName = "echo2" + const val deltaPercentage = 20.0 +} + +fun EnvoyExtension.verifyIsReachable(echoServiceExtension: EchoServiceExtension, service: String) { + untilAsserted { + this.egressOperations.callService(service).also { + Assertions.assertThat(it).isOk().isFrom(echoServiceExtension) + } + } +} + +fun CallStats.verifyCallsCountCloseTo(service: EchoServiceExtension, expectedCount: Int): CallStats { + Assertions.assertThat(this.hits(service)).isCloseTo(expectedCount, Percentage.withPercentage(deltaPercentage)) + return this +} + +fun CallStats.verifyCallsCountGreaterThan(service: EchoServiceExtension, hits: Int): CallStats { + Assertions.assertThat(this.hits(service)).isGreaterThan(hits) + return this +} + +fun EnvoyExtension.callUpstreamServiceRepeatedly( + vararg services: EchoServiceExtension, + numberOfCalls: Int = 100, +): CallStats { + val stats = CallStats(services.asList()) + this.egressOperations.callServiceRepeatedly( + service = upstreamServiceName, + stats = stats, + minRepeat = numberOfCalls, + maxRepeat = numberOfCalls, + repeatUntil = { true }, + headers = mapOf() + ) + return stats +} + +fun EnvoyExtension.callUpstreamServiceRepeatedly( + vararg services: EchoServiceExtension, + numberOfCalls: Int = 100, + tag: String? +): CallStats { + val stats = CallStats(services.asList()) + this.egressOperations.callServiceRepeatedly( + service = upstreamServiceName, + stats = stats, + minRepeat = numberOfCalls, + maxRepeat = numberOfCalls, + repeatUntil = { true }, + headers = tag?.let { mapOf("x-service-tag" to it) } ?: emptyMap(), + ) + return stats +} diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/WeightedClustersRoutingTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/WeightedClustersRoutingTest.kt new file mode 100644 index 000000000..564660fce --- /dev/null +++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/trafficsplitting/WeightedClustersRoutingTest.kt @@ -0,0 +1,114 @@ +package pl.allegro.tech.servicemesh.envoycontrol.trafficsplitting + +import TrafficSplitting.serviceName +import TrafficSplitting.upstreamServiceName +import callUpstreamServiceRepeatedly +import org.junit.jupiter.api.Test +import org.junit.jupiter.api.extension.RegisterExtension +import pl.allegro.tech.servicemesh.envoycontrol.config.Xds +import pl.allegro.tech.servicemesh.envoycontrol.config.consul.ConsulMultiClusterExtension +import pl.allegro.tech.servicemesh.envoycontrol.config.envoy.EnvoyExtension +import pl.allegro.tech.servicemesh.envoycontrol.config.envoycontrol.EnvoyControlClusteredExtension +import pl.allegro.tech.servicemesh.envoycontrol.config.service.EchoServiceExtension +import verifyCallsCountCloseTo +import verifyCallsCountGreaterThan +import verifyIsReachable +import java.time.Duration + +class WeightedClustersRoutingTest { + companion object { + private const val forceTrafficZone = "dc2" + + private val properties = mapOf( + "envoy-control.envoy.snapshot.stateSampleDuration" to Duration.ofSeconds(0), + "envoy-control.sync.enabled" to true, + "envoy-control.envoy.snapshot.loadBalancing.trafficSplitting.zoneName" to forceTrafficZone, + "envoy-control.envoy.snapshot.loadBalancing.trafficSplitting.serviceByWeightsProperties.$serviceName.main" to 90, + "envoy-control.envoy.snapshot.loadBalancing.trafficSplitting.serviceByWeightsProperties.$serviceName.secondary" to 10, + "envoy-control.envoy.snapshot.loadBalancing.priorities.zonePriorities" to mapOf( + "dc1" to mapOf( + "dc1" to 0, + "dc2" to 1 + ), + "dc2" to mapOf( + "dc1" to 1, + "dc2" to 0, + ), + ) + ) + + private val echo2Config = """ + node: + metadata: + proxy_settings: + outgoing: + dependencies: + - service: "service-1" + """.trimIndent() + + private val config = Xds.copy(configOverride = echo2Config, serviceName = "echo2") + + @JvmField + @RegisterExtension + val consul = ConsulMultiClusterExtension() + + @JvmField + @RegisterExtension + val envoyControl = + EnvoyControlClusteredExtension(consul.serverFirst, { properties }, listOf(consul)) + + @JvmField + @RegisterExtension + val envoyControl2 = + EnvoyControlClusteredExtension(consul.serverSecond, { properties }, listOf(consul)) + + @JvmField + @RegisterExtension + val echoServiceDC1 = EchoServiceExtension() + + @JvmField + @RegisterExtension + val upstreamServiceDC1 = EchoServiceExtension() + + @JvmField + @RegisterExtension + val upstreamServiceDC2 = EchoServiceExtension() + + @JvmField + @RegisterExtension + val echoEnvoyDC1 = EnvoyExtension(envoyControl, localService = echoServiceDC1, config) + @JvmField + @RegisterExtension + val echoEnvoyDC2 = EnvoyExtension(envoyControl2) + } + + @Test + fun `should route traffic according to weights`() { + consul.serverFirst.operations.registerServiceWithEnvoyOnEgress(echoEnvoyDC1, name = serviceName) + + consul.serverFirst.operations.registerService(upstreamServiceDC1, name = upstreamServiceName) + echoEnvoyDC1.verifyIsReachable(upstreamServiceDC1, upstreamServiceName) + + consul.serverSecond.operations.registerService(upstreamServiceDC2, name = upstreamServiceName) + echoEnvoyDC1.verifyIsReachable(upstreamServiceDC2, upstreamServiceName) + + echoEnvoyDC1.callUpstreamServiceRepeatedly(upstreamServiceDC1, upstreamServiceDC2) + .verifyCallsCountCloseTo(upstreamServiceDC1, 90) + .verifyCallsCountGreaterThan(upstreamServiceDC2, 1) + } + + @Test + fun `should route traffic according to weights with service tag`() { + consul.serverFirst.operations.registerServiceWithEnvoyOnEgress(echoEnvoyDC1, name = serviceName) + + consul.serverFirst.operations.registerService(upstreamServiceDC1, name = upstreamServiceName, tags = listOf("tag")) + echoEnvoyDC1.verifyIsReachable(upstreamServiceDC1, upstreamServiceName) + + consul.serverSecond.operations.registerService(upstreamServiceDC2, name = upstreamServiceName, tags = listOf("tag")) + echoEnvoyDC1.verifyIsReachable(upstreamServiceDC2, upstreamServiceName) + + echoEnvoyDC1.callUpstreamServiceRepeatedly(upstreamServiceDC1, upstreamServiceDC2, tag = "tag") + .verifyCallsCountCloseTo(upstreamServiceDC1, 90) + .verifyCallsCountGreaterThan(upstreamServiceDC2, 1) + } +} From 1abb570d5fbabbf3df873dccf5eb16e2d5519f11 Mon Sep 17 00:00:00 2001 From: Nastassia Dailidava <133115055+nastassia-dailidava@users.noreply.github.com> Date: Tue, 10 Oct 2023 11:55:20 +0200 Subject: [PATCH 3/6] #292 Traffic splitting - Updated param name (#399) * #292 Traffic splitting - Updated param name --- CHANGELOG.md | 6 ++++++ .../servicemesh/envoycontrol/snapshot/SnapshotProperties.kt | 4 ++-- .../snapshot/resource/clusters/EnvoyClustersFactory.kt | 4 ++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70baf6fd0..060f0a016 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,12 @@ Lists all changes with user impact. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). +## [0.20.2] + +### Changed +- Updated property names: secondaryClusterPostfix is changed to secondaryClusterSuffix, +- aggregateClusterPostfix is changed to aggregateClusterSuffix + ## [0.20.1] ### Changed diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt index f30895f24..9590a1801 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt @@ -158,8 +158,8 @@ class CanaryProperties { class TrafficSplittingProperties { var zoneName = "" var serviceByWeightsProperties: Map = mapOf() - var secondaryClusterPostfix = "secondary" - var aggregateClusterPostfix = "aggregate" + var secondaryClusterSuffix = "secondary" + var aggregateClusterSuffix = "aggregate" } class ZoneWeights { diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt index 6b0d210e3..60e46e1d5 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt @@ -82,12 +82,12 @@ class EnvoyClustersFactory( @JvmStatic fun getSecondaryClusterName(serviceName: String, snapshotProperties: SnapshotProperties): String { - return "$serviceName-${snapshotProperties.loadBalancing.trafficSplitting.secondaryClusterPostfix}" + return "$serviceName-${snapshotProperties.loadBalancing.trafficSplitting.secondaryClusterSuffix}" } @JvmStatic fun getAggregateClusterName(serviceName: String, snapshotProperties: SnapshotProperties): String { - return "$serviceName-${snapshotProperties.loadBalancing.trafficSplitting.aggregateClusterPostfix}" + return "$serviceName-${snapshotProperties.loadBalancing.trafficSplitting.aggregateClusterSuffix}" } } From c4a0609003d9254e40c05f661cdf2555ee04ba10 Mon Sep 17 00:00:00 2001 From: Nastassia Dailidava <133115055+nastassia-dailidava@users.noreply.github.com> Date: Mon, 11 Dec 2023 12:37:35 +0100 Subject: [PATCH 4/6] Fixed traffic splitting condition for cluster configuration (#400) Co-authored-by: nastassia.dailidava --- CHANGELOG.md | 5 +++++ .../snapshot/resource/clusters/EnvoyClustersFactory.kt | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 060f0a016..f3bf18332 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,11 @@ Lists all changes with user impact. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). +## [0.20.3] + +### Changed +- Fixed traffic splitting condition check for cluster configuration + ## [0.20.2] ### Changed diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt index 60e46e1d5..b0601c06d 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/clusters/EnvoyClustersFactory.kt @@ -304,7 +304,7 @@ class EnvoyClustersFactory( clusterLoadAssignment: ClusterLoadAssignment?, trafficSplitting: TrafficSplittingProperties ) = clusterLoadAssignment?.endpointsList - ?.any { e -> trafficSplitting.zoneName == e.locality.zone } ?: false + ?.any { e -> trafficSplitting.zoneName == e.locality.zone && e.lbEndpointsCount > 0 } ?: false private fun shouldAddDynamicForwardProxyCluster(group: Group) = group.proxySettings.outgoing.getDomainPatternDependencies().isNotEmpty() From 977567bf5fdf38806dfe456629c09491a9af7113 Mon Sep 17 00:00:00 2001 From: Nastassia Dailidava <133115055+nastassia-dailidava@users.noreply.github.com> Date: Tue, 12 Dec 2023 14:59:26 +0100 Subject: [PATCH 5/6] Added response header for traffic splitting feature (#401) * Added response header for traffic splitting feature --- CHANGELOG.md | 4 ++ .../snapshot/SnapshotProperties.kt | 1 + .../routes/EnvoyEgressRoutesFactory.kt | 43 +++++++++++--- .../envoycontrol/groups/RoutesAssertions.kt | 11 ++++ .../routes/EnvoyEgressRoutesFactoryTest.kt | 57 +++++++++++++++++++ 5 files changed, 108 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3bf18332..024b8332a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ Lists all changes with user impact. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). +## [0.20.4] + +### Changed +- Added possibility to add response header for weighted secondary cluster ## [0.20.3] diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt index 9590a1801..196b4b6cf 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt @@ -157,6 +157,7 @@ class CanaryProperties { class TrafficSplittingProperties { var zoneName = "" + var headerName = "" var serviceByWeightsProperties: Map = mapOf() var secondaryClusterSuffix = "secondary" var aggregateClusterSuffix = "aggregate" diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt index bb09953f2..021444709 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactory.kt @@ -36,6 +36,7 @@ import pl.allegro.tech.servicemesh.envoycontrol.snapshot.StandardRouteSpecificat import pl.allegro.tech.servicemesh.envoycontrol.snapshot.WeightRouteSpecification import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.clusters.EnvoyClustersFactory.Companion.getAggregateClusterName import pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.listeners.filters.ServiceTagFilterFactory +import java.lang.Boolean.TRUE import pl.allegro.tech.servicemesh.envoycontrol.groups.RetryPolicy as EnvoyControlRetryPolicy class EnvoyEgressRoutesFactory( @@ -359,7 +360,8 @@ class EnvoyEgressRoutesFactory( .withClusterWeight(routeSpec.clusterName, routeSpec.clusterWeights.main) .withClusterWeight( getAggregateClusterName(routeSpec.clusterName, properties), - routeSpec.clusterWeights.secondary + routeSpec.clusterWeights.secondary, + true ) ) } @@ -369,15 +371,40 @@ class EnvoyEgressRoutesFactory( } } - private fun WeightedCluster.Builder.withClusterWeight(clusterName: String, weight: Int): WeightedCluster.Builder { - this.addClusters( - WeightedCluster.ClusterWeight.newBuilder() - .setName(clusterName) - .setWeight(UInt32Value.of(weight)) - .build() - ) + private fun WeightedCluster.Builder.withClusterWeight( + clusterName: String, + weight: Int, + withHeader: Boolean = false + ): WeightedCluster.Builder { + val clusters = WeightedCluster.ClusterWeight.newBuilder() + .setName(clusterName) + .setWeight(UInt32Value.of(weight)) + .also { + if (withHeader) { + it.withHeader(properties.loadBalancing.trafficSplitting.headerName) + } + } + return this.addClusters(clusters) + } + + private fun WeightedCluster.ClusterWeight.Builder.withHeader(key: String?): WeightedCluster.ClusterWeight.Builder { + key?.takeIf { it.isNotBlank() } + ?.let { + this.addResponseHeadersToAdd(buildHeader(key)) + } return this } + + private fun buildHeader(key: String): HeaderValueOption.Builder { + return HeaderValueOption.newBuilder() + .setHeader( + HeaderValue.newBuilder() + .setKey(key) + .setValue(TRUE.toString()) + ) + .setAppendAction(HeaderValueOption.HeaderAppendAction.OVERWRITE_IF_EXISTS_OR_ADD) + .setKeepEmptyValue(false) + } } class RequestPolicyMapper private constructor() { diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/RoutesAssertions.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/RoutesAssertions.kt index d1162561c..ad89091ee 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/RoutesAssertions.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/RoutesAssertions.kt @@ -12,6 +12,7 @@ import io.envoyproxy.envoy.config.route.v3.RouteAction import io.envoyproxy.envoy.config.route.v3.RouteConfiguration import io.envoyproxy.envoy.config.route.v3.VirtualCluster import io.envoyproxy.envoy.config.route.v3.VirtualHost +import io.envoyproxy.envoy.config.route.v3.WeightedCluster import io.envoyproxy.envoy.type.matcher.v3.RegexMatcher import org.assertj.core.api.Assertions.assertThat import pl.allegro.tech.servicemesh.envoycontrol.snapshot.LocalRetryPolicyProperties @@ -27,6 +28,16 @@ fun RouteConfiguration.hasVirtualHostThat(name: String, condition: VirtualHost.( return this } +fun RouteConfiguration.hasClusterThat(name: String, condition: WeightedCluster.ClusterWeight?.() -> Unit): RouteConfiguration { + condition(this.virtualHostsList + .flatMap { it.routesList } + .map { it.route } + .flatMap { route -> route.weightedClusters.clustersList } + .find { it.name == name } + ) + return this +} + fun RouteConfiguration.hasRequestHeaderToAdd(key: String, value: String): RouteConfiguration { assertThat(this.requestHeadersToAddList).anySatisfy { assertThat(it.header.key).isEqualTo(key) diff --git a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt index 93239bde0..2044699df 100644 --- a/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt +++ b/envoy-control-core/src/test/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/routes/EnvoyEgressRoutesFactoryTest.kt @@ -2,10 +2,13 @@ package pl.allegro.tech.servicemesh.envoycontrol.snapshot.resource.routes import com.google.protobuf.util.Durations import org.junit.jupiter.api.Assertions.assertEquals +import org.junit.jupiter.api.Assertions.assertNotNull +import org.junit.jupiter.api.Assertions.assertTrue import org.junit.jupiter.api.Test import pl.allegro.tech.servicemesh.envoycontrol.groups.DependencySettings import pl.allegro.tech.servicemesh.envoycontrol.groups.Outgoing import pl.allegro.tech.servicemesh.envoycontrol.groups.RetryPolicy +import pl.allegro.tech.servicemesh.envoycontrol.groups.hasClusterThat import pl.allegro.tech.servicemesh.envoycontrol.groups.hasCustomIdleTimeout import pl.allegro.tech.servicemesh.envoycontrol.groups.hasCustomRequestTimeout import pl.allegro.tech.servicemesh.envoycontrol.groups.hasHostRewriteHeader @@ -23,6 +26,8 @@ import pl.allegro.tech.servicemesh.envoycontrol.groups.matchingOnMethod import pl.allegro.tech.servicemesh.envoycontrol.groups.matchingOnPrefix import pl.allegro.tech.servicemesh.envoycontrol.snapshot.SnapshotProperties import pl.allegro.tech.servicemesh.envoycontrol.snapshot.StandardRouteSpecification +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.WeightRouteSpecification +import pl.allegro.tech.servicemesh.envoycontrol.snapshot.ZoneWeights internal class EnvoyEgressRoutesFactoryTest { @@ -42,6 +47,15 @@ internal class EnvoyEgressRoutesFactoryTest { ) ) + val weightedClusters = listOf( + WeightRouteSpecification( + clusterName = "srv1", + routeDomains = listOf("srv1"), + settings = DependencySettings(), + ZoneWeights() + ) + ) + @Test fun `should add client identity header if incoming permissions are enabled`() { // given @@ -278,4 +292,47 @@ internal class EnvoyEgressRoutesFactoryTest { defaultRoute.matchingOnPrefix("/") } } + + @Test + fun `should add traffic splitting header for secondary weighted cluster`() { + + val expectedHeaderKey = "test-header" + val routesFactory = EnvoyEgressRoutesFactory(SnapshotProperties().apply { + loadBalancing.trafficSplitting.headerName = expectedHeaderKey + }) + + val routeConfig = routesFactory.createEgressRouteConfig( + "client1", + weightedClusters, + false + ) + + routeConfig + .hasClusterThat("srv1-aggregate") { + assertNotNull(this) + assertNotNull(this!!.responseHeadersToAddList.find { it.header.key == expectedHeaderKey }) + }.hasClusterThat("srv1") { + assertNotNull(this) + assertTrue(this!!.responseHeadersToAddList.isEmpty()) + } + } + + @Test + fun `should not add traffic splitting header if header key is not set`() { + val routesFactory = EnvoyEgressRoutesFactory(SnapshotProperties()) + val routeConfig = routesFactory.createEgressRouteConfig( + "client1", + weightedClusters, + false + ) + + routeConfig + .hasClusterThat("srv1-aggregate") { + assertNotNull(this) + assertTrue(this!!.responseHeadersToAddList.isEmpty()) + }.hasClusterThat("srv1") { + assertNotNull(this) + assertNotNull(this!!.responseHeadersToAddList.isEmpty()) + } + } } From c2566993d579024508c59d1e90fde2b59ff5678c Mon Sep 17 00:00:00 2001 From: Mateusz Bartkowiak Date: Wed, 13 Dec 2023 10:48:39 +0100 Subject: [PATCH 6/6] shouldAuditGlobalSnapshot property (#402) * shouldAuditGlobalSnapshot property --- CHANGELOG.md | 5 +++++ .../allegro/tech/servicemesh/envoycontrol/ControlPlane.kt | 6 +++++- .../servicemesh/envoycontrol/snapshot/SnapshotProperties.kt | 1 + 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 024b8332a..65e5bed63 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,11 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). ### Changed - Added possibility to add response header for weighted secondary cluster +## [0.20.4] + +### Changed +- Fix `shouldAuditGlobalSnapshot` property + ## [0.20.3] ### Changed diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/ControlPlane.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/ControlPlane.kt index bc02ee3c5..c7fe1136c 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/ControlPlane.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/ControlPlane.kt @@ -337,7 +337,11 @@ class ControlPlane private constructor( } fun withSnapshotChangeAuditor(snapshotChangeAuditor: SnapshotChangeAuditor): ControlPlaneBuilder { - this.snapshotChangeAuditor = snapshotChangeAuditor + if (properties.envoy.snapshot.shouldAuditGlobalSnapshot) { + this.snapshotChangeAuditor = snapshotChangeAuditor + } else { + this.snapshotChangeAuditor = NoopSnapshotChangeAuditor + } return this } diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt index 196b4b6cf..0a2c76202 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt @@ -36,6 +36,7 @@ class SnapshotProperties { var deltaXdsEnabled = false var retryPolicy = RetryPolicyProperties() var tcpDumpsEnabled: Boolean = true + var shouldAuditGlobalSnapshot: Boolean = true } class MetricsProperties {