From 4c05974a07130aef3e8e1b99e173cda335270a68 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 24 Jul 2023 12:01:57 +0900 Subject: [PATCH 01/11] Add some comments to make if/else and loops clearer Let's improve readability by adding some comments to point out which flow constructs are being ended. --- clustergroup/templates/plumbing/applications.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/clustergroup/templates/plumbing/applications.yaml b/clustergroup/templates/plumbing/applications.yaml index 6e52e667..43a820d9 100644 --- a/clustergroup/templates/plumbing/applications.yaml +++ b/clustergroup/templates/plumbing/applications.yaml @@ -134,7 +134,7 @@ spec: chart: {{ .chart }} {{- else }} path: {{ .path }} - {{- end }} + {{- end }}{{- /* if .chart */}} {{- if .plugin }} plugin: {{ .plugin | toPrettyJson }} {{- else if not .kustomize }} @@ -178,18 +178,18 @@ spec: {{- range .overrides }} - name: {{ .name }} value: {{ .value | quote }} - {{- if .forceString }} + {{- if .forceString }} forceString: true - {{- end }} - {{- end }} + {{- end }} + {{- end }}{{- /* range .overrides */}} {{- if .fileParameters }} fileParameters: {{- range .fileParameters }} - name: {{ .name }} path: {{ .path }} - {{- end }} - {{- end }} - {{- end }} + {{- end }}{{- /* range .fileParameters */}} + {{- end }}{{- /* if .fileParameters */}} + {{- end }}{{- /* if .plugin */}} {{- if .ignoreDifferences }} ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }} {{- end }} From dd3cdcbe52c81d2f8ad8ed6862e732f315f31185 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 27 Jul 2023 17:03:01 +0900 Subject: [PATCH 02/11] Add some more comments in applications.yaml --- clustergroup/templates/plumbing/applications.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/clustergroup/templates/plumbing/applications.yaml b/clustergroup/templates/plumbing/applications.yaml index 43a820d9..075e1bdb 100644 
--- a/clustergroup/templates/plumbing/applications.yaml +++ b/clustergroup/templates/plumbing/applications.yaml @@ -200,8 +200,8 @@ spec: automated: {} retry: limit: {{ default 20 $.Values.global.applicationRetryLimit }} - {{- end }} + {{- end }}{{- /* .syncPolicy */}} --- -{{- end }} -{{- end }} -{{- end }} +{{- end }}{{- /* if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) */}} +{{- end }}{{- /* range .Values.clusterGroup.applications */}} +{{- end }}{{- /* if not (eq .Values.enabled "core") */}} From 5f33f3325de60b376e611433dce97585727bcb8d Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 27 Jul 2023 17:16:08 +0900 Subject: [PATCH 03/11] Add a default for options applicationRetryLimit --- acm/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/acm/values.yaml b/acm/values.yaml index 1f430370..7c4a19c0 100644 --- a/acm/values.yaml +++ b/acm/values.yaml @@ -6,7 +6,8 @@ global: pattern: none repoURL: none targetRevision: main - + options: + applicationRetryLimit: 20 clusterGroup: subscriptions: From 91f3ef0329d120e23245a3b8f13d40e18d934baa Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 27 Jul 2023 17:17:46 +0900 Subject: [PATCH 04/11] Split out values files to a helper for the acm chart Just like we did for the clustergroup chart, let's split the values file list into a dedicated helper. This time since there are no global variables we include it with the current context and not with the '$' context. Tested with MCG: hub and spoke. Correctly observed all the applications running on the spoke. --- acm/templates/_helpers.tpl | 13 +++++++++++++ acm/templates/policies/application-policies.yaml | 9 +-------- 2 files changed, 14 insertions(+), 8 deletions(-) create mode 100644 acm/templates/_helpers.tpl diff --git a/acm/templates/_helpers.tpl b/acm/templates/_helpers.tpl new file mode 100644 index 00000000..fdd91273 --- /dev/null +++ b/acm/templates/_helpers.tpl 
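Review bot: The end-marker comment `{{- /* .syncPolicy */}}` on the `retry` block is the only one in this series that omits the construct keyword; every other marker added in patches 01 and 02 reads `if .chart`, `range .overrides`, `if .plugin` and so on. If the opening tag, which is outside this hunk, is `{{- if .syncPolicy }}`, writing `{{- end }}{{- /* if .syncPolicy */}}` keeps the convention and lets a reader grep for the matching pair. The three trailing `{{- end }}` comments at the end of the file already follow that style.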
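Review bot: The new default appears to be added under `global:` as `global.options.applicationRetryLimit`, but the only consumer visible in this series (the clustergroup template context in patch 02) reads `$.Values.global.applicationRetryLimit`, without the `options` level. If the acm chart's templates use the same path, this default is never consulted and the template's `default 20` fallback is what actually takes effect; please confirm the key path against the template that reads it, or move the value to `global.applicationRetryLimit`. The hunk also drops the blank line that separated the `global` and `clusterGroup` stanzas, which is unrelated to the change and worth restoring.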
@@ -0,0 +1,13 @@ +{{/* +Default always defined valueFiles to be included when pushing the cluster wide argo application via acm +*/}} +{{- define "acm.app.policies.valuefiles" -}} +- "/values-global.yaml" +- "/values-{{ .name }}.yaml" +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml' +- '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' +# We cannot use $.Values.global.clusterVersion because that gets resolved to the +# hub's cluster version, whereas we want to include the spoke cluster version +- '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml' +{{- end }} {{- /*acm.app.policies.valuefiles */}} diff --git a/acm/templates/policies/application-policies.yaml b/acm/templates/policies/application-policies.yaml index f1c7bbdd..5bc5de6a 100644 --- a/acm/templates/policies/application-policies.yaml +++ b/acm/templates/policies/application-policies.yaml 
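Review bot: Three of the six entries call `semver` on `(lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version`; if that lookup yields nothing on a managed cluster (object absent, or the policy's service account not allowed to read it), `semver` is presumably handed an empty value and the whole policy template fails to render rather than one entry being skipped — `ignoreMissingValueFiles: true` in the caller only covers files that do not exist, not a failed render. Consider wrapping the version-derived entries in an `if` on the looked-up `.status.version`, escaped with the same backtick trick as the existing expressions so it is evaluated on the spoke, so the remaining value files still load. The header comment should also state the contract given in the commit message, e.g. `Expects the application item as context (uses .name); include with "." rather than "$"`, and the note about `$.Values.global.clusterVersion` applies to the `platformSpec.type`-plus-version entry as well as the last one, so it reads better placed above the first version-derived entry.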
@@ -43,14 +43,7 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-{{ .name }}.yaml" - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml' - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ .name }}.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml' + {{- include "acm.app.policies.valuefiles" . | nindent 24 }} {{- range $valueFile := .extraValueFiles }} - {{ $valueFile | quote }} {{- end }} From 17697e546417fc3498e54a897298e40fd6f433bd Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Thu, 27 Jul 2023 18:06:21 +0900 Subject: [PATCH 05/11] Fix up tests They changed because we made the list indentation more correct (two extra spaces to the left) --- tests/acm-industrial-edge-hub.expected.yaml | 16 +++++----- tests/acm-medical-diagnosis-hub.expected.yaml | 16 +++++----- tests/acm-normal.expected.yaml | 32 +++++++++---------- 3 files changed, 32 insertions(+), 32 deletions(-) diff --git a/tests/acm-industrial-edge-hub.expected.yaml b/tests/acm-industrial-edge-hub.expected.yaml index d54a8db6..444b833c 100644 
--- a/tests/acm-industrial-edge-hub.expected.yaml +++ b/tests/acm-industrial-edge-hub.expected.yaml 
@@ -206,14 +206,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL diff --git a/tests/acm-medical-diagnosis-hub.expected.yaml b/tests/acm-medical-diagnosis-hub.expected.yaml index 6e3eedff..f79e013b 100644 --- a/tests/acm-medical-diagnosis-hub.expected.yaml +++ b/tests/acm-medical-diagnosis-hub.expected.yaml 
@@ -197,14 +197,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL diff --git a/tests/acm-normal.expected.yaml b/tests/acm-normal.expected.yaml index b2f0ac48..900cc291 100644 --- a/tests/acm-normal.expected.yaml +++ b/tests/acm-normal.expected.yaml 
@@ -600,14 +600,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -694,14 +694,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster 
version + - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL From 669ff9208e16a9293d4a9be1bca8be572faa46a8 Mon Sep 17 00:00:00 2001 From: Tom Stockwell <2060486+stocky37@users.noreply.github.com> Date: Fri, 28 Jul 2023 14:55:28 +1000 Subject: [PATCH 06/11] Fix sa/namespace mixup in vault_spokes_init --- ansible/roles/vault_utils/tasks/vault_spokes_init.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml b/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml index af1a02fd..d4310e7f 100644 --- a/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml +++ b/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml @@ -182,8 +182,8 @@ pod: "{{ vault_pod }}" command: > vault write auth/"{{ item.value['vault_path'] }}"/role/"{{ item.value['vault_path'] }}"-role - bound_service_account_names="{{ external_secrets_ns }}" - bound_service_account_namespaces="{{ external_secrets_sa }}" + bound_service_account_names="{{ external_secrets_sa }}" + bound_service_account_namespaces="{{ external_secrets_ns }}" policies="default,{{ vault_global_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}" loop: "{{ clusters_info | dict2items }}" when: From 5cb41a368a2de1468a8b2b17a97ca9b13e241e07 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 31 Jul 2023 15:43:11 +0200 Subject: [PATCH 07/11] Update local patch Also set seccompProfile to null to make things work on OCP 4.10 --- .../0001-runasuser-comment-out.patch | 42 +++++++++++++------ 1 file changed, 30 insertions(+), 12 deletions(-) 
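Review bot: The swap is the right fix: with the arguments reversed, the Kubernetes auth role bound the namespace string as a service-account name and vice versa, so no external-secrets pod could have logged in (it failed closed rather than granting too much). What the hunk still leaves unguarded is the content of `external_secrets_sa` and `external_secrets_ns`: Vault accepts `*` as a wildcard in either bound field and an empty variable renders as `""`, so an `ansible.builtin.assert` before this task with `that: - external_secrets_sa is defined and external_secrets_sa not in ['', '*']` (and the same for `external_secrets_ns`) would make the least-privilege intent of the binding explicit and fail early. The task's `name:` and the remainder of its `when:` condition are outside the hunk.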
diff --git a/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch b/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch index b4ea727f..6545881f 100644 --- a/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch +++ b/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch @@ -1,30 +1,48 @@ -diff --color -urN external-secrets.orig/values.yaml external-secrets/values.yaml ---- external-secrets.orig/values.yaml 2023-05-22 12:42:54.000000000 +0200 -+++ external-secrets/values.yaml 2023-05-22 16:20:02.748621794 +0200 -@@ -117,7 +117,7 @@ +diff -up external-secrets/values.yaml.orig external-secrets/values.yaml +--- external-secrets/values.yaml.orig 2023-07-31 15:12:18.815909938 +0200 ++++ external-secrets/values.yaml 2023-07-31 15:32:59.905360226 +0200 +@@ -117,9 +117,11 @@ securityContext: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 1000 +- seccompProfile: +- type: RuntimeDefault + # runAsUser: 1000 - seccompProfile: - type: RuntimeDefault ++ # Uncomment this once 4.10 is out of scope ++ # seccompProfile: ++ # type: RuntimeDefault ++ seccompProfile: null -@@ -331,7 +331,7 @@ + resources: {} + # requests: +@@ -331,9 +333,11 @@ webhook: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 1000 +- seccompProfile: +- type: RuntimeDefault + # runAsUser: 1000 - seccompProfile: - type: RuntimeDefault ++ seccompProfile: null ++ # Uncomment this once 4.10 is out of scope ++ # seccompProfile: ++ # type: RuntimeDefault -@@ -453,7 +453,7 @@ + resources: {} + # requests: +@@ -453,9 +457,11 @@ certController: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 1000 +- seccompProfile: +- type: RuntimeDefault + # runAsUser: 1000 - seccompProfile: - type: RuntimeDefault ++ seccompProfile: null ++ # Uncomment this once 4.10 is out of scope ++ # seccompProfile: ++ # type: RuntimeDefault + resources: {} + # requests: 
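Review bot: Setting `seccompProfile: null` in all three `securityContext` blocks removes the explicit `RuntimeDefault` profile for the controller, webhook and certController on every OpenShift version, not only 4.10; where the admitting SCC injects a default profile this is presumably a no-op, but on 4.10 itself it leaves these containers without an explicit seccomp profile, which is a step down from the upstream chart and deserves to be recorded. If dropping the field is the only way to make 4.10 admit the pods, say so where the value is set rather than only `Uncomment this once 4.10 is out of scope`, e.g. `# null because the explicit RuntimeDefault profile breaks deployment on OCP 4.10; restore once 4.10 is out of scope`, and consider a tracking issue so the workaround does not outlive its reason. Also, the first block places `seccompProfile: null` after the commented-out lines while the webhook and certController blocks place it before them; pick one order for the three hunks.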
From 9d2df973aa3e5882420da9a6fe472fde412550b8 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 31 Jul 2023 15:43:53 +0200 Subject: [PATCH 08/11] Update ESO to 0.8.5 --- golang-external-secrets/Chart.yaml | 2 +- .../charts/external-secrets-0.8.3.tgz | Bin 78591 -> 0 bytes .../charts/external-secrets-0.8.5.tgz | Bin 0 -> 78631 bytes 3 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 golang-external-secrets/charts/external-secrets-0.8.3.tgz create mode 100644 golang-external-secrets/charts/external-secrets-0.8.5.tgz diff --git a/golang-external-secrets/Chart.yaml b/golang-external-secrets/Chart.yaml index 74b1c051..ab900162 100644 --- a/golang-external-secrets/Chart.yaml +++ b/golang-external-secrets/Chart.yaml @@ -6,6 +6,6 @@ name: golang-external-secrets version: 0.0.1 dependencies: - name: external-secrets - version: "0.8.3" + version: "0.8.5" repository: "https://charts.external-secrets.io" #"https://external-secrets.github.io/kubernetes-external-secrets" 
diff --git a/golang-external-secrets/charts/external-secrets-0.8.3.tgz b/golang-external-secrets/charts/external-secrets-0.8.3.tgz deleted file mode 100644 index d738b9cc42fbb4891d382245ed4ac1fe98a092b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 78591 zcmV)3K+C@$iwFP!000001ML0lcH2mjD2(=RKLs{x_OiW?NJ_re@waPcRFccBDZ8vC zsa(5PpFTE7LKIpczyUzXs_Hs#^}WFNWG60}iNrmV1nC>FX1XjQGZ7h?85#HRKBitA zy1_8eMQ{u4q*NFJA&=hp1WLTf9{XIA3eS|^O9-oFH`#M zrPwYGZx?6bhVI;3cwy>XMzQnrY67pl)JyJNMGNnRbCssc@G6C`nT<4FxPCZxlZ0L-(J+YS@IP)m_eRTbe(&15yN%*m z^5WjmxmKVLO8^ZW`7dmx5On|Fe{c>)2mkNU{&4^PJ^WS*{||3*JP-a3UO3lY5cuI@ z>fS_m|2fCs5cGSF6S{~WesO(||0;bry<5W1uqc5)b#Vpm-N=vg;%vPBC6wK`!OBZI zB>>Im|MC9g=T8ds|Jmaw&-?SgizoJIZyiOeFn!@1+`IRkGaNeSOK<95`d;FsSDxc8 z@U0VFI#+&@MzKG2&bZq->=@_z`@~7EqE#@1-R>=&2Z`sY)0-Wukspm`(KH#u5uSQW z*lKY0u7k*((NAd{1p#dC@eGEJ?vSL6zncc08xB{?;WC2H-95Y)dpADr|GyF-cdz}0 zk6`cLyXP-}5WRqd1v82gAK$)k=2z1gzuQi89A~)-f>Zj;3+LqWmnc1ry#%0uSA>%b zzyy87N!_`VMh=jp5&b&zF5Oj-IzFRoiZ`f}QPL5O01ab6CH())zr2Kh14enc%K&J= zDoz~t2FQau3A{Zg@UO99f>`kqcooi^)x_taP5~>4=OCJ2`RQL*6PPpq6h?q(qQnYP z{uAIz#FyfPNBQwi0gg~>ALG6-8<^n?8^bU!oWVeBj+0CHbh_vGAsn3`VAz)P*qwRK z(b+K~A&yq_D+kWYg0V5WCmQ4X7fu?lynFYiM0o{vVNm>a&w=G|Q!x-ieiXn7_2TU2 zIj0pvu(+vcAm8(A@eR|#xs!7ayT&Vx%rEJk;jpKx#(XqhgdLFvbPd60_-z`6BdDVJUh z@Gl(LO*23X?5Zh3=S;lx*7HJMayY#S?td>#Rx$25X91{z@zX0ebfVBx&5&f2J`}-6 zT->HE917l3j8-b?)43+K`e5-+#c)F4g{+Dkvc#ap=P^vZ|p{JY#bVx#nm3D|NO zN6Xm9MaoExBd)r8*-u9SFbidL)qEe02b?^(&Vg9XyqU&AKyPhr9XD|RfQ1LJtP%(Q zizF0Ix);FLacu1VhJJocznUQdiAfX&cLYQ@^T$-<4?cL~BUHE(lBGNK?j=*e z{p=U{w>Hl=u+d?W>A*AE3T;QF&CU&+vmXzS9HJY}D#Sg5_!jT7FMmfw!e8K};imvG zP#fIX&Qu)0gjWn($)AeT72x9s^XTy`U2q0@KgZD&DO$~#Bj+Uy1C%V~=Keec zFmRm3=$`1?L|&}FPt&ycs!nu@H}mZk?xz@VR-9G_M0S_r>hj6~MdyFK6|HK<$JvCd z1#D?N#<;;&G2L2uQ~)a=HeXUa>+rWXUGY)JEg%kiHWV=&z|`OPQ}1v(B_2c)*NTZc zqN(F@Tgi3kQ6oCuyc33Yjr#IaCwILrVDQ58CJe58?o zp^fbFK=Ak63yE684W9ssrGe%3;-nrNXm~kN;tUd$c;ZeQRuO3heH8yO@xvJo3uhlV 
zAiP)FmlXaMQxm-tzA9^XjW~StVL-y%zwwGA008a`F@=Y<5`-cU-)Rfyg*Sd2g>=kr zT)1W?fv2yd+EGO8WA|lvLl?Ig9PKk^=(0UN^qavXsD^=pz>+}T^W#m}NB{RzqF9qiVH zA~NwRJWPIxLVT@J9{TxL*v2UR0EBob;Gi#-r*Q;)k;h+Q{lOWm8BpG1=Jw%)%G0K1 z8+-o^oKPy*ae#ce!f_Yk&xN-jaq97-H~zhQ87rfXIjj=!AaqvvPMaWSw1{pbJF!1{ zKHA?Sj!7K7H&KW}8u5yN0U~UY*_8+sO||pg&4)nPi($FwQ{OPK#_`Ql6*$pkkNsgTN5nMJwmlICJBwStkiWmeA+S6?0*Kjdu95bG3VsmiWyxDtr=Uw_A1!=ql zrjn4YW_lF?M^)gY#mLNMqri->sk=XC(y?3uV~VqP;aY=bpLmzZm%+$zG*FIr{w{i- zac_9@j|WoGk%6le9obJ~ye5-$%%5AuL?{Y>eaAR_FF<=QKzn%45!lVX$`q7l1eX>Q z9aQ8XtIa1i29osgh4WzazaFYz=>3A&u75iazw)jXs1m;oGel<`Jikg&b(&K17aDsn zk$bitR=0!BJRTnsrL96>4h7EN-@k{CxbHJr?mgTR@55;35jOrI5$7#k!9D+9d7S@$ z5$XR{i7*%h$7o!U;(Fc_N9#o;J$y-|1WzDR3#583TzN>W7EB_DX^WzOg>#J@Wyc(^ z>FlUik*D0*Nfc*^nF^`G$$>3ICJEOAr7r%FPaEh5PZ>(A9tC3BdKQI69&Ei1?SQ2*iGX5+S;WfBeG#R!e{DO|GKox=|<-ZR%vr zYJp4)G!=3tT@6Uhue|9s3DgL$7n4pEZVMj;F#P)n8=R=yXz+9~s2MTq6BWAiTVb85%PioJ9f_2*n z!on7W^wL2uD|R+j?UX*zp?arE!LyEvr%K7QmYSzZ(PORZ*^aVDQ};Md`KE>~Uc9UE zr^eeF(3ZQe)m&@uY{#j&wY82rySMRtRo>hccX!q8U44H$PF~jTObD(6EXQDW`?Vr( zSeClCE_XMuwpH?Sy~J!JGgnB>-N?;#lCvf#RIlVVgoSFHnhOkNk-=POs1O^3J`L!5 zk^uY@T~>k-W7O|n(!LRm@Pth~x!U+%kToUJ>Z9=tZ~!C}ftTimo`ZX0mDf`a3yQDQ z!`V<)Dq=BArX((cRHrBw9doMUhQ4*`;@mL0!nox^WhRJ71OB6=ylv^ODUBVcL2cYJ z%qejLRmx-fHBSg?70CRNf)bf#R#YRKD3YsG$$4dRrcQ2EDA%ZztCh;tYUMh`vf~t0 z%VJzjz0AMlRLt_HyqcNBJtg-vilDkwr%Ab{5-EYV@=9XmS0?>!TQ=%cvgrksUO@TG z1(dvUEk~^?6>OC%i(b$Xl(m<1dP%33bj&3k>i&7j8DEN^(Mt+nm!wc2rXOZu@|N$b z54cV<&6_Apj>sHLAN|y^7oWpZ;`${U)nO#4ef;OMgQt)C_|IKD4eS5Q+l!ayqx56C z={H*9KM(ew92DX|pFi6_=;Ob3@sz?du3Yrd0cMQJCa`D8iu__x(7O8{_wJp9P883W zS)F)uVBT05%e#dqd+fi4Y;@>(bYY@^w^|Zwt0HRdWl=cVuNk-d0NGvdBRLQ4Ig>l) zkMVo1bN>b}ll%H`4@dXzy`-(9{Ix=am@5zfr)hfgxel|0?yMJz2o>2&6P=Tkj@aANofNi zymjLc=Jev;zmw>E8Mt%jL%H7v6oNA;g&-~pDjWa;IRBW+urTD5M9kR2pQ8ZH0ytt( zaGZ;xlO)W+gVF!|^HXoo{@Lo&K>yzZy<2*5GD?@5g#x$G|L4yh7vldP?LR$u+|&PE zJb(N#{$KZAeq16cNefy#5xV)m#z3w9_yhGLmmqjKgW{eUVW$BRHPMWmU<6r2eU+kx zx~A9p7fKZ2)Oq%p{^>8ySC{D4I~WceF&5JxB&h)AkyMSyFVL0b{P)TYkn^9Rr;X5= 
z{pRu5)IP;8;AHS-o4TaFL0X+H<`pdqVpOME3#QJcyFxU(T^DQBDvz z;JP`v%%X2`5Fwu?!uf|)m#HGt6k!KftV_TPXxlL?wVWB2;f9e&EvnEZ@@n6kARgpN z`R{+DNxb;Md}T8j6*_p3(V4iCsIP=G_oF3n%h(UoOK0#uli~kN28FTsqvrdp`k%So zr!6a<84<0EOG-;C_6fHl1)It8QuAzWi*wS^&Hok-WiTJ%C+rOVUjt|Geqev7q6J+3 zQWw|`DmP?UF~ED2T#X5QVuk#08mwjwQyei64Gj~as(&p$G}3mHnEj#hsKa+~>PLBX zwn~zbF=twre*wjaQm=rG@+h3!WHy}K@j!BC3B_y~oAp>53b(wiV^4kPYsTVGsAY55 zTpueHFbn;%GY}mI<}jimXqZ`Sx4+`W4}O&^Uznu*4lu$}(@rQ1P}~tfNu`a^oR$`W z7*@i-rp(68!mL5f9Aq|z{3_@duy*COQm`$+EXUp&>}`wR#T*LX*laEtyHVuHt1an9 zdrfzC_@$1Q%r_eeYh;15e^8H+j8PputQ$1cr>wDZa`=Jx$G~WSW_GPB{Av5&2#?jx zYw%h7wL#l>_NX)&Xh$e5A4?zQyQ1m_&BeACuS^b<*H}?Uuw869rfC^7gMnfK|K)@*DYOwh;X!dA^8Km7P^J3- zchy}s6i{jOH#j?WUlPY2RZA~22h@b8Uk!lnq{;(T`+zo$P;Sp7Nj{0er#xG)H6+`j zxy*BCNO;Cyl+;IjQQJ@Qb4`np_r>55i_SC34Wec>zR$X8E5bhnxyg4qeeJ78(-c0M zS|^hUm8K*&n#os-F1^{XC1>AFa9m~rnyH8p7ctWIf^?!i&$YWi7u=>(QnoZrY7gZm zaUcEF6)xjhGOEiMN&-xIZRnFfNT?;yrCIn!LqT6iaNednBs@u><`ln*-Uzw!#?Fc)iB zc;Tj3FPt$BdG~wn9R@AiYn&zMXPRrX^kSc`Cw}|Xg1Adx;yg;c@TNOT z-UdPz_>=3FxtMkeNxisKa!1a0zR?|(YZy1vfi2)RhFJqwcwg(hp)rJsA)nH=s(Rc` z)+-myvk9Bj_IVlZqp^-M0BD<^)gqI!PI|b~c0XPd1Eqsf7bdkSVD)>n6#tZUtO$*2 zBIdQ@RO{b9wRUFvkA?mZYQh5kQ&^yo=}{y&EHJ^kOs zvnll? 
zf322)Jx~3)lrJk`oh|$X0gb&m7XHy!rw-;UA*9fzUOP9-FP+M;e)W*M8u}t5jv+)6wmz7Wc`V4YK5zSf@)ZX!{G*$;z!Q+@Vt|VoPY)zVe*cu2Fo=KU^$weH{X@C%*7>jyK|MQ z^qbJrk`Q|j`U*}_g z|H}-3=4?Ql{{P@nA^*ptrw6_MXE)EL`k!j=`=TbOcvnlN-|ot`kxD+f(q9hM>=&0q zo|aBiAEEvpthfm+KG)$b++PG=>eEF3<5@RJ!0hvXJwHJCuh0Lr{ikjHU63Cr{S)OV zUd#N`a{oWte|AvJ|MKYh^FIIAPM(51BqJc#r&EPevl$bQD)R z*h*=0&RX4;)`BJBd1GFhc@%3YI){a?Yl_mtqq9SLaiLzI^8e?Gm#^V>77T+`jOlm_ zQ=)gt6^N6+xQmvLV|uVv;Ks#4P^iR8>@OU}Oko~WfmLM`V3gh*xWV$umCmXOoS}sZ z=W(!5d3bnw^6v3@;RWVpO{THGExEHun9E0$kA5)oU{;inUL>CLaj*L6-9s!A<|h&!u4nJeqT5g=x79)s0`JBPM3S}< zZnY7$A2}x>43LQKoDdG}H1d(&th`oF8u5{YlFBg!eK zG5<38rtgt7v~cgBBaZ8=LT!W_CRC2fGMK}oq>F&d#R`2zxp;#=Ss`H<&u~%4i9a8@ z@$|}1VRXXx(jOAAArU=5@psDncE5l=)@{KSM+=z#f`~;Uu90HkhH*uAo=b*OnNt7k z<@rUHfsxS87|xm|8L|;kfCo$ni7hYVXhEY$gDmGm3Vfv3$!fCj(?q5Dg>@J?M?~-G zgp#pvMtl4S=tppbGTXLMP1zuah(2><7b6q%9T;1=S9+vf%}L0SI80}(PK3xxDa#*l z*%3b1Oy<1Nd?Z_;VG(D?xz8{|cCxVPtH!7g>O}-CKIT4qIc;%>fMWhi)r?#V-PqjgekEHr1rBhi8^vR{O zfP2SZ1{F}^!A)R4hn_0Rv5aP%W)*J~*4EPRKsY%&E8TewU$5QY#U>RyT0TOna0+8g z{UtCRCd+eP=%lZY%ny{k1SX2G;EJ*&-7gk1YQj=q_vB`9q&vSbZ&44LOty-*)-*RA z3gDuwt*(Rg`3H_2tDB4IeDGnK+r0fs)57$#46^KAO!KkiWeGHfN}IK+a=JPE_*{Fn z$Gve17%?W`2EgJwnHHC^t1h?um@OX2_y^AYs2v)(-y$kT!8v;p#ei@_y!0lj-m3@4 z5YqxP_Culk@J9+LndR&Ho+nD-lM|bay=D)7?wZF<8_RhRw64OK9sz2Yo6;P zZHWGC_h-99u=}%J+qCs;8#I$!t{%g~jFDNFos-4Cthnvp3Y~OzPQKeVzn!;k*|2iw z#hxUsaZ2gR1ZSvJ%Ig0Ssl0{hgcp;OI(q%4rLrU zH#)72#Kr$<4ws?r4Hbx<$!;}$4|lnY^`T)8WDoze3d*H4#4@ zUHPFa{{6~}7j8&@6g6kOuB%1$&KtI@Bep1gyQWq4c z#%N8FFG*n1tT-c?D+q4(8-G?|q(S;c)+Ehdg(aBCq9iOnY?nekpRA;`1gybGO{Swg z{5AHN%;Gm^Q#YPvCxdK30;|ajy(0ADZm9i*bKIjjHa5Z05@A^)G>D?J*@?q9Blw?d z^eKa5Cs%olLVL`SzLQSa_$?Qz!phRRjp9sP3pBNo z@)Ch35UVbs2GHv-n<0%^@w3F5ncbn{XXM_nhN&v%=#UPQQl;s?ttJ)eb5Mb~;);z$ zM`}ufMFuxC+~wV;v)@I@Rtz}w=64`CXnDCrRH6J@*6GYcOT)XIftj&!BMr-}7ZJ4` zGjQ{zVezpK3@E1#vyFG+M{vciS*Q7bpY1<=^t71&_sQd@ zz5mZH9?k#vL4_00!|c~`n!9|(zfyqC*Y7Y?c{q%mh1T*ADtw22&&7-87lhttoHR;GC_E)PDqLc+ 
zM2lzM<)|Q(@gi}V$>N<@xR1+23%=|`uSTv9E4_d!8W?QUEJ8$88NpWB~Q+VI}IqB>*fwQ}*uUF+hMK+eSBkT<%dGhMr z>cD4oPOSG)>V1@YAEiQvb$pa6k7mwOiKKcjAyEm*3CZ=9-HM`8lkVHg_57tq#oDM= zl|wj^MzA@M`I%}pqwHFLxf(7+c?#zhn68`xE{URcg$m30DO8NsW=^Qu9F>q9L&Mw> zOXXgKj;!ge=dlG=E2t^R_O*A%g_ZI3DJwx@`f$y6TQv7Mu=4oW2uSAvUHS;v=zqiC z|NgKV>Uu4+ne7IvG^bvRajG!QGufx08|AUYh9+?3?AhZ_ym%n)sj-0YZaf-2#4#?t zbb8gSHa9otXVUt)6z*HiFG@vy%>OXxprPeg;c_L)3%MEyj)b903(ySiSM=&$V}8E? zm$2dFhiy6yvYdKfB zg@j+ID~&l*HK4rU6oq46>jCNmVDXj@_fR#Etd^L6pwW-idQLaheD~T@k_W$XM%$W( znXM2-F*qZQZ47-xctif&c3KP04Wdu(Zp1?i=anxCaajrt2)m>T5eLyHqE`G|Pr6An ze^rCowIY;xdAqyuT=sEXv;-z(C4n6h$x75@$6+CX4tF+V-t1(IK?4Tr_Mt)ZeYkKx zo@Q5~Q_R7if6OmW6*|^B`4R$NXVIM-k%Ecs#UCv4pKn&jxZ35a{KIb?2J z2p(%2RNodv7q}F62A!l18EPa>jJ{yy4p%MfT7pi(aKXJom>y5vB)N^^*Rq;KqFcG z3K_CRrjd^wIaqV!>ziE%U(u}x`meBY%Efjb=J>D=+M5rb(UJJ2tinRJ$Uw!-C+D;uUiEm{~edO+!HrY&I#dF`)c@I}{b zzA&3HGi*!Oj|HYM%uOgc*hS{0=r)Tyb}kf5f5uvl6u*QNq~d4%qslYOcJlc2I+2F? z^*WL6VC{7xhI8$8B43?OKT&b->1VNGKt92DpgOm`HvK;*R+V z`}G%0f5B`zH8bfU2O#dfq+-(w*}7{%4h{kA|1~6>GMwGZG!_Cjd0yIK`p}6ZblY~( zu{T0fcFax!L^cqK>~7YMa+??!_OoiU8Zm$&b?Inl`Jyf5YbLun{T8nawZ1Kc7e?3B)$A8IOUEbQI^ZVmkAyM z_s)x@=;b`P1WAVc%>y?{A2!a&D4@;ebeo^;Mr4vNX2oU6;W_XZA`MWB46%&oqYNdh zbh)DNb60>eI`fu+JM|8sk;1HrCex0lNi&04+vW>`)w0F8%SnxnqQ%n3ysL(vveZ5y zy#UF+H4T92On5XTd8i@eS**JzYfQ&RM@4ELb6wd`%*~ic8r>?El&vjvbTjLhZuv>1 zf;7{yvrEheHi5TA6ZV1Xg&QlQ8mF-#=Svl2iw z<>tuw4I_M$N`Nysi{tw_E?W@Rob5p70TiiqKte+x7^L2mX9YSwy(zEi=}mdPDX%x> zna`&;<$Wdx;S-qhIxwykLT~DAY~t=YCt%z~mK|bkL-O z5bL#(MRMFZ2CFOiP+xDQ9)E{5GI=EQ_vhY&Fd6JQgH8WF{6GJ9GI$6-Ea+$Y zp9TKU)xdef$)ysHkiAuQ5j}%+%nBFp;T@3 z>GPmUMhCo&0(C`q41h7oGu1#@S}8!Y+$xWC?Z@d102+j~%Xxbn)*7;LxWLm}pJ85t zI<~nXyx@YxW8I0e97&K5D!HHp3_>>)g~1&sW)*U_7dy=nG4e4v2nC!p?ju1po6%N` z{K<{4ut4>YQ5h(54-4{?=5#*-H~PuBPakhGgVbk2kR(E0fC?#7`b{-{E1;7o3cQBhX@4i^1Z(0$1dFI-P}Q#)rAvL7$e|9bWlieoe6MonA0@PB8CNRE&$s_R=%ciI{B<;yxB%3 zSudOek_?qSiX7cMGWxy&sN|Mr=CGm>LsCa~2SRm#Z29~3T!GkgZ^Te)@5!DDU;bV!;0Kkarm1Qaa?Ysc8=y0OjM{UYIg$DeUUhIQA$Ln2ImKMk3Ky 
zEp%pATI&Uto8)yC=EAeZ9|%JBniLac$H$~KQN7{ek+`q`RG}}+2*wD$pD;3U?_Bvy z;Wfq8aAfKX z&z}Yp62%)7QlRxoh*mB!qnyPPhghrW zhl-tJ$S!mT5Kvz?4vU>ivNPk2cDm9NIYoDvH@e126YZ1k≪0Q1jt^qXiICVFi0H8ob zaAEY~O|j?PUPTGhPo?i3z+Z#C(#{^7go8bm1uVCh72PJI-hkc>*123Zx$hn4;!Z*yGM@|g2Ibt|_CFYzAr+$DQ3HN0NMkb5!>dKp5XKV@U zK$+j@Fi(0pv0g=^5^q#!Q=bx%6P_2E8ze=femQeYG~v|i9p**M^0`*6XahZL=L-N| z3Fd^~gaA|{&uWNf_Pcd}HUd3#N;z-yukj0&FO5!aH9fv`;lRu?#=7-1{zM)0ljI5) zCG98Tz<6k)gTQ_vkLa|ft!&sP?fYEK0%2UmUY^&wEC3DzE`#Wfs58O}udL@n- zGQ_y1`P*7n%*chsZCElR?+LE);jlKyo2wl7K{U;(v*MB=o2xSWh+t86TNdRtQ8x$d z&=S)ifaLl?20Dr2+Bt!~FSpT`+vv+}6gsR^ZbLiI?L{{9U~4-SlDPa@1*`joR8y=H zjAQ)w%k#Iodhh|PdwBfr|rIBcPUyDG*u zh(}-eVOx_ng^7FZ-371`Mt0Ui(Kuf&6Ofz8z^>#joT|()E942XPVcCqubh0%_e>0w z66ROG9WMP}&t4llgey>9{e~r>oL}Rhm;^ju4Tj>>3=)AG8IiDnCm%|iTJ(olN>sx) zMQrGn39XPa)kw!W%3_{fII(9I1%$-PGg=FWY5)=)43QdbVC5%3Jwp{wsW zW}%3@0`le5hOb~9Z;c$KtY(my9FI!)-!55rkg+#x%oBDwwjk%C^KyIazka*m?3|bR z^OO}Pmj?BTn_fM+H-Pwjq_ zp+pGfHgX_YxGa|Jf@nLHMYTe#(k)JD;e6gtoDawj2?;?^SelS?9?|~7yB-y>l9A_z z;+7OhL~OwaBKQJa^L{E{OSSaYk}KJG`!!Y`D~4W8Jltm_SH;9ZY;_7PwvmQ;WQx#2 z+LDSHI4ARvDfXq57*o0Jg??a2Dgjvh{NHk&lak3I`z(*QB{W%iJ0>|ovLWH3q40Vj zqEw<_dI+DZ-OB}Pro3{B1L_28ud+oVgO>5iMWU#a9W&xsJ*;p6)3P@O8W4i!=f8&3 zz;m}k?A+DNM-7It%XEPuuRA2hIZmJ_%AY4uwoL|T=-X~V>&+n;D)GUfsm8Onv^Iv-n29cC!(qKH zd%w#36*;eD=4IjE>>#cSb>@O6K0A@cE)=hID27n=Hi}nS)SM8)9%y`ep1SqvdFpS2 zd|UCy9h$;klgMo%9QDxRjHnuoZBoCJ)ZV78LYsxNjW+!PCb@2avX@&jk z#l`74(wH=wMgghnNEPRaD9t-q&jr^w(LTd&(j~~S$HnV&6bwT^P)iK}5VjU>`ofvq zHRgOXTJx!U+F*{aMEZqhgjbrm4DFoe-W>5=m{i*-cO}JEVP{Bpv6i(sU21lSLNTE| z4n?D-Bhh@oG;B~G!IC}3$IpboHWF6hGerJp=uwuIC)7qWtbjElrIirNkPxkI8ll^- zi*#QLMw9FU<-k0I0}z^_jrVl2!X&|oTKYXy91o6Uo~J<@)a|Jp@fkV>72mm``gAww zGE>PJC<7b9x^#dVuLF}Dxkbm7rlz{HNKLy|sDPkN+(~UZyF4SzZS7opM4zJ|TFpA~ z>}hc^se)KK$gqmi)$B<~?BU;J9C52-Ol^R}Cyo=l?0|>5j+7FHC#k|4WAW_l{IE-f zY2?qQl13fIMs+)^_$?ft>QVgU2i~bsDK*=i_EF$%1M-BUzD*ruEXKC64iwhMutyH# z27Lq$4O(hg`Lreo?LaHi=UhdBDjk@~>Kr?+XqMR_$H(6C@UwS!a%|+cS2-!XpbxWw 
zdJ{yiBiP0idL4mLb1SVP99ZE*-_7Y4JEW%oJq6gp6nY9^)O<_M9(gXordxr;>`;Fh zdvjR-X3vUB8S#udY6o5E)mmi04782w%^>A$crE9)w&;9o7!vc_xt+)i?FF59L&X;2 zoy*PlNn+Mx$1rXVb+qK_@8Q05{4#)}I zAvb;;g_P_i@w_ZhZx&6H5ezeO7w+#-IGRR_F^o6_poVh{66ZiYM8j~t0#uD9#sQ;4 zXgRt{7r}RIxx)-CLk)nYS|z5J=|68<)0r9w{eU*!1C?%}ok}j7yCs+GqBV|^y?<`+ zpIhe8QH&~1HsLHFAr#+DImIWn}_=`Yf>o&xj~U<*^|DS%P)ojb&_(#2ez z1Z>i_RY`12HU{Y|3Osh;rGFis{i5Xt;Z0vu+pqxVCdsOir8R=JBC};9xI#Ko${dDO zO0FWs)g<%a%j#~|=P{L!Ng-EJ>qDTVr7<~Zdzh9?Wu>crI?@pGZfs~E@U*sy@b^{h zUEi3g39;?Z@9b2C*vG+Zw7bkXyGucXz>nZ~OE-9ECUz_4_nZ1lH=us4K7OWb0H+T- zX%#`sA`9VJc9#@d9-<{f8`K2BH@m*tz>kk13-cAQFIE?tDciDrmc<%uV^-yhXHzUt zW6YlLp*%OLB3N^-kF+8Bv)!NV4#Dovc5Tyc}_Gv&-DW zCfYJNjditQm+p1#X(|*iyY}?ebcGU(t`5vz?oW}+8gry8m4Mtp<5iV_U4IP7rn!)3 zB;r|6U_wFnBffE$1|9)c)j!t)#>!4{Q(Y-y0{~2YR@$r2Tgg047ploYoz+)LZ-rw% zT_&}>eD0J2&vO38N?rXbim*m2$AX>)Zi+sopW4@TLswV8LI=F7vB!~}i)U}Q{}PpB z`1E#r+j)FxtoNE|+J?X5Z9y9Ek_ZX(y%y!8I_D3>_*)3rR$~KqgD5o1FKQWW-aFxc z1Bw^<^iKHw?eVQU;oHPb7VZx79tMdjH1D2_{O-_jwKTa@ibblqhwLk=Q70;9T;#~w zOcT^DA^K_HPRv9^KYi^^>|{jl^3IKYtRtO#8hNnb%ETZJ7eYj>aAtBP;8INJ!lGd; zvDwFQP_7tzZX@g4AOQBMOnV7%{VDW!xKZ;iB|ua2j!6cBtzUkbxZqY^gq)C6T!kB( zZdMjn8_cF!ut60r1#B{MjRicGUmEziWV99C7jL^D%{=`f@eDb56av0lxqAY=H z-T1h?2(z4pXxhcSzfEoM((hHlJtI($qn;7y8G%+tAnA$`5E8hJZ-me^iPYtY=9jWW zJpM**XjvV@sazZphosDmQf(;D^5=c&W~CgB?q02qt<4pjD}XCD`xkN>=Rh}+!3}Ds ztETNW)NQbV52lN^axA-YMUDt|^*w_Alp=!v#9P>vsV3-t=W?2z+HvG}H@8vr1yp)w zqh~h0T4uw^s8UZWT4&tT3Nsw_wBl=|6&5+UbX%Pj??l2uBFKqB)QYtpWBt5~y}w8A z@1dUF-=n9*9i!>f`+FESO-(G)xizE$RvZn&6r!r&c!#8W;<>RGuW32&`P!bZt;A8! 
z*M2e7^poXGTSTe%i^&S9R0rZ8rb^c{`h;G^up$!}#TjmDP)GL7qBLj0o~|i*c_8O- zHiMU)RBkgV)>;Da=#V=xIp)%>L#=eHRv5HpSi>Ty_!#e7vtp>FN!`yS-}gSk84TTE zDE7g~kH$CqqbH+-G2UY1?7Zch zT7a*Y>*gXy#}U#sil=mXzWqqZ;h&G(OGY?Nsa8+(lYXB@l zFGu%s^!iii)wdu^RfeFZ_t*5-4(rl`zmKef$dvtOvVqJ(+%tAgpOM8do zT7mkj0K^SNWFbRYbiWnW+8yVkGx1X!LPdtpZ~4|K3_bU$0+GRE)RNG*Tso?)v+$-@Zs;eAy=+1;y$xq_-_l}{ zES~c>FEAEeioQ#?dF3)32u&8?457AVmG7Uzhr}T*;U;5&orycW#ypy^a~DX^85@Mz zJ@mAB;S2->gEnDmbY>p# zo~rN=3o63fp^7P&!GtaY1)GUaAp_NmV7&;o{uFu<%&2+iA{bs`2F;kh8#FXy>urk2 z*oI?q{8gF7xOja|?}WuaaVB@9E5|*;K@qw`z@Dyi=5Q`oe_#3xUO5Xdy^7kfw4=zb zqbwMW+#ht)`$)?UM+M`#`$n4@j!<^eZ)r>GA#i!p*#oOFyQw1f)C)XB)0*Hk_0CbPpnfg5!RE z%X_eoc|%s{QD``4>HqDA>9Z$R3j#g7w&L3ISu5o@K9yC)6%nB`rtxyAc9pvt-7C;4 zQ{31R5qzu(NokhfV8|*ymUIN4HE2oJ&77X#W5ZqIv)eG%Y*v=Yu;w^RbNf=c&NWeH z7ut%Cad>M6k)fDuA82cvdfXZ$Yr`RM-kTZ?k+-(D7s7|PV=G+CQpk!-oC%2x^;%3N zG;F5H+>td|TZ3vUFy=$DC)nuLO9S8mscRHKPUfkPrbEeiapZzksN`mz_EJS9{# z%@J?-$^ZyiyFH6QSUyU)uvj+SV3!f99~wY_lze}8=VIiCGAnnnQzy~3-d8v}+@&V1pEWkdFG835BreN-1@B}14v zCJ;iU2dREMPRg0w!7465_=$3HVO+wtG!yKB0cP5O4Y)E)Cu_9YW@%(gr&cA&l$>+6 zOd@Tj(LyzR(v&6}(Bn^=D%SYWnUK(Jr-!uy)`)O+pAyy>Mw3*qJ4*v=mIBr|{i}KE z*NzkKwDN`s<-Shp1wkSR5oSQ=CNOJvHgqrX z!o7|C)RT_o>b~V30W`xafmQanJraMh1d;$t72ioK0jV2;C|ZiUWa@^{1(wr={R6~| z=r$_W#ibMxytwJT(47R{Opr(KrFAr%P^&cUzAi8=o?K`E~^*b_;D02JW&z~tuRrX;)#NhoHx+MABucXBca3! 
zlY_y?d4q|1+zA@D!wei;K46(I$y`m^veqT>6nx`spe7xe(cx^<3RYmv-MS@;l6Y|FK~m+60d%V%Qf5AI_<&1qrt0x(N0_SLP`z8nbK&9sN7zJIj8KiGT=iKEaw9igeed1N~2cjADFNvjiEc?`9y23FYfQQ&t5 zHwOb^Pi`K;L6+m`q9na(0H~c?89Fyj<&vpE)08_(0oRb~Tsq^|UV5#J$gMZIilS?y z9B{vJTg$54b1(E_%%$kT-X!`VzFG506RBtt%^F3b9N0fXM~(Yk0`v2EM7ZQHh;RBYR}?WAJcwrx8V+|*jT-FxnC=gXXb z;2raAWAy&?VLorFot|*!OR8XwcoQf00Fa#&1X*f`5-Q!;v34&CMb^q_beIiA3yUH_ z-daE*M{f^-m_|%hMFyhf%rd5pBw}@_K&zG?XO7t3_}VRaLbPirNGLmNa2@Ek@|zZ> z6Mc#%+Z41bK|)%C#Dv!zhNZetW3`m}BZx8uw%YXl+#=XrGqllZjp6s|8zl7bGA;IT z4QGe_q6Ux~6j?Uiwp*tx4lhzEyiyMeQLfqobb;#em1(Wbq#9E7q}?`@ZO@tajv`QP z!h#=fD@utiytN+F0JMYZP7}3+@PT7dnwLx*wUQW#Ay2$ib z@wcM+R&;7yJ~|G_oTaEpOwsnXJHG+ai^1$1@=gpoN8zlL9=H4b>(_vcYle3?KpvM5 zdB3Q$j?1Y52Eyc$vU7&hNm>;*4Soku4ss9T(AUlOrP+4 zhcTZyW#9a)Z(fJqH!>TEZ60-=jA|QAP>d~G_cPJ8V=HG_k;lroSBAU5*=$3Wi8BB& z0SH5Nzf)`Q+*CYfSOFV;RE|4(7xh_0TizNb!4|UBB8c2PBH+01cDd%u0MMvqx}!ST z@iH8kEfG}`XJzy5X@z-?(q#@-o{U)&R-=(bZisx|A*8t`@wC?D#ph(G#k>;h9!@|u z2|B~naYZqL@%bk*fos6d)==`2m5JLcF?aujiOxMMQNzYe=C(+5Xoap>RUzigNlh^G zLVh6tqpJ(eg?I#q3dP|?=c?Cqwl^rU=wyEY6JKrhJTZX+A8naKm?8o#{GGRh8BcDM zE$-kXV%~^=CBdENfl12!C{*2ZLM}$ZT=_O%gV|u)ox+YC4zH&MW~9xLB_JmK!pqIi zPd?m_6L8PZ+ksy^%h#ZA-wgX#YVV8g4sDbz{6{aF#awqlcyQJhtA*#O$AN5eB~4?m zm5<$TPMf#K`hb-LI%x@K$u0JcCP0kHxH&nUo?g0c3Y3XLAHkwzbCI#xsB4+YUUFTr z6r%GW)-9=TwDue1I6-2q$^S)|V6)7)& z1~AN~4bN@iYfRlZ;8~Gtt4hY5`m<>A+3kq-;u6`%RGRjQ>Dbh#h@MO4xQS&TV@uK) z8W4(|iI8eW5&wu?=a1Tr;JWkvSiZoP3Ff--bV+6hn{r|+J7lM`?9r%^DyOBcKMv=S zoT}e|G53RQr+(J!Lq3*V?XGG@!N?tY91F3&(7IRQ&?T1$WCU(t^WgnDoD?u)>_x6O zY^|$^tHG-hd9px}8QlzBQ<6*A?>(Rdn2g{tj zV7TvM&>Vv1QgNEDh{FDv&&w^*ZZxE953;io=B77kR&ru$fmieC^0Wpe__PRXsRu3v z-)BE?lAYPEY$rdgDpyMSAK=&3v!#hxx81~c8YLjTdMYFw>6oC*RKH0?b%=p~|sCfz$X0<23(N_37QoZdYJ3pTEBzQWg&cI*AHI~?(m+A4kCP%M> zQ+MGi8c9XO2rYQixm~EiYPlH=QfGq+Hf7etB~=1y@r} zwLAHoDlmP2&xtpke8Lq!W+q~Jx5ZjzN8(d^YagXf63y(ZN~gEXwL++4<%QFJN0U*i zWC*+QFiY{K!kEe!$8Dz)(kFsN?<|M`td%9r zT16nw6D?qYgU)Vyv<@xb{)Z{7o4J=&A#J}!)`&i{XD2RxXf^r+xD{wLIXhE-BJg6& 
zC{L7bXQMoGzZB{i5!I=IAHWC8Dpht|p9K4EWS%qWVzq$R>_1xFa~!3*Q#LnZkaF$_ z{)!RtnIH<~yFOgYT;)YnCpGj<9<|fWnG8?|R9uFkr9dm#HQB1;D!$Lv?V>>Iw zC$3=W>3%J(4NQkPMgy|rpoWsa9QI%m2+}0NQ#*nX_KG>VTs2wPf1Iq$SwpuOi%H^G zK{$Zwv$|Xqz2&$!2=;?Earr_E>XRE|&xslRTz4;tM7^Fi_U6BzE}PrPqJfW=><(`q ztg!32>4ZxwC&$vJGLY>eMK#SAgXdDcGTu@JY?HD!;ap2|0XX1oi3rG$St z4c2?C@}~OcPVD4K{X9H)cfb|C8XVuG?)rpXGwv>RC`6;vPX!+xr>8XNDcmRE9~y3N z@XKWnZ3*4>8<8|F1@AON4Z&rN8f3G=X=Yy^xm_+69u{{%-~Q~EzxC>&8x!=MFhwo* zmXe{`$jMP#pUfde-X|hNDoG12D@841ydV!i|Cfb{w#?N(OJI(eC;L1P5~~@RRvQ~h zN&Oif2vBL_urtbaujj>YL->cLRwldBmQsOkS<>#u!XApSk1H9sT{4DdJwWx0#zh{l z%x1{Cue_p8TSZ8!W)0NdRbJ9Dd)}m@MHxmw0=5^GU1`cKRv=O0dcwIVg1tt`W>}rH zxWw@1LXmi!_rQ#kMM8UMw=C52&n%b8Ix(AyTy)^y*<~%~G+>NX0P(`vhWFRj-V9RD zmqv4CNG!Obu#jpeMy9cFhf5`$_}=`@62|A>q10hqvEs-sDXh+AjTrt!)8yCjhVVF| zvz-#zo6jl^jF+;gn}cyu8M>i>FeQ^KNjz&W@Xt{<3dO{BW$&BaTpzBoFG*V{x(VQ! z0zH97>K4{TQ#@jV6dtQ`iYG(Y7B0~J7MBC?fUFCqctq|kdrQ$4y4MbnX#osh%m2gl zd|dZ6<%6EgxR2qo2-`m2-#qGvVZKpgLHs}5i2wiNMh8D(q)4v#OqH?&jJnTbj(50+ z&(&F$E=P$AlER(4WGA<0sREFtTjU5P{h2{vB@=iy+)WPKgep{VaoTb({4Wtkx~R2Z zMgE=zDi(pJY{FF41D`O7FZ-akOe#E=Ol0XgOvmgL;iOac)C)N9MqTzq&W{a)gzDk8 zzynd6!GArG4bT4kmoz20yUl@lEA*tx>$!iu%Ed4xE0KGMXKiWc%!AI%0Ek^{AXz>Rj_1YvLvRr z+em}qFOCT}!^V-1yI?>*-A)1^3gJ>+9R+JqeN0m^y0HZ`+gO4AWx@y)KL4#aC^giP zzn$&SMo}f`U~0Cp0HWfTY5|9xZxO92edNNXRGVFr!lx_`PfsK1pMO9ooDFIYGaLG}Q~!6+bP zR1$zPl5Ns5OhC_FA9NZB;8bYRnwoL_WDK5O7*3JSIUZ_F>0?wk2Ap@WFMTUVV&Q{7 zhTLby`Z*2sH?HaLHxp(jT;iOQ)@y5UUuf^SdxOM^QE7O3QC?QM$-LrbXHj}{+a?7T zJKTdUm-Y!+AIJnrQ7WRP;6J+2y8rZZxzYM9D;U^$hME&wg{JxLFoWT0Vws%Rj zN{BNmh^Ra6{>~Qu_5^2ch=MVM`S>F$gYZn;9yVa_J z1Vr<#K{Ny#XCVSc9QbRct)<`2OtP$Y-GChw&Z{nKq~m=QS(R@&S2hzArmmO&)=j@WMatBH4w#mvz+JKAFmY%2f1J^8HjgoB0);;fgy|hIeMW zXkC&OThN)=z~>c;zQgtAIq#l#&kY$sO0^^@#Fl@&R{|X^o^J|yD7T0Wj&{y3ylxv8 zCci3hTGvq0I;xYDPU{Vyk4FzKlb2COQg`Ylm8g*vqRYu_eiqC|Lvy_;l6ekG`{!aR zoAI_+chEL%S5e(KcR|^*cV>vU2HZMl2=Q9sgKTbA88)jXhr?|W3FPY1^# zmMBBZe7lr7Dv`u4nR%Jha!njSSnx39)faMGAp-_{tNa4Ju!$iMZhEVo{Su;Osvp=jY2;$28VkA+ 
zae~NQTF5p>fJM!@*J~zFin)&drf840+L=a0JN#|G)H?>=CTW`+`ud0D@R$*c}rliHF%jZM&{jYjj}tD#QEs*~01j%(S~=to3r$6GBB*$==3M zp0L>qClMaaj&MIE;zJs!fx|h{76>e3sOp|_6Lz*X+00K|4>*yAOH$77 z=8Tg!bQFqnRGX$-OHoYO&n<>l#Hpy22ijw^P;Qb)6rCn$J5kCDtCreSZRJ>}$9EbE z8-f$>H8&O}Iob-5OK~_!Udm-V_@kraCwkvj)1rz=zhc^gdzljmm(`8aD1?6zN-Yxj zXSmsR+Ky-EcwV%%SYkhIZm>;uVX#DYi6nXSq*cX@Us8P;RA_P+%9(>#Q&tMnhGw2c zrE4{dM=RcPEGVaQ!!KusrbhdC4p)f%lh~|W)5ieZoJX_MunWIu8_9(59}wfFBs;~IPRn4a?a!SE$#>6oq(wjgZ(>?${7ic=tv!s&`XHAiQKZw zz?DuGq_ytLSEl1i051}&0m=B}RQWZwfSJyT76W-U^?;iDKuMX*XSRs(Fi`bZ)&1`@ zCQy^81QAiIh)iCYx3|Au3SY=>-@ zo7-L8I_7!!2!>ufB`%#R@$KJ(7ZF=X%dWV?X0|V}FH%)=s437VmMlqk%7`)v0J-2D8*No|Wxb;#+-iwL*xk@JegXl705 z6%KM6K9FA|b~K*b5k!QjQ^6<-4TbmVnV+U{iJ`&h-^u5`b!20hMiSzv?prw zJ?LcQ25}gp)u$CWS-)}E)07=WwKf}JR?mus*0JDmC7xrJSE4$Zc{*>QvWgQlcBUUY z8+S^Ra<+vV?mqbyek-m5XA^rfrlr^9mr_4XVnO1qpGaV=L*BA{@X2TjXOy@{|7*~p zDZ_~4nBG6pJ<-U%!}xZW7;qiI>eMJ-RC%}Aq0~{P-h`>U!Qz&3un!5%yM|YiI#1>yeo6?sGRyh@~F^TZnx=| zZasrmGg&Sqv!jM&Oxd~1MI5==>7rw#4md=4SjSgn}XZ+1bapopqpiu$Xy<^XtsD06GIRue^t35{vaO6 zV0YX`A_|OAop+mtnHpm0seoO?Orc{P048@LsU8i(rOhBH17`{++kKT=69$ux7rE0Q zgbN+7pB2r3Wu)9uVlSlMhqou5NYP+gM^|cLKLWXkJk6p8D#)VQG#){6XR%{K&kWC> z*@S{GY)L_->X3(|_Qb(PCdFl|TpsQ$>vVmBgA|P;pUf zUJ{3NS@YAjLzv1j^M(-jbTr+h_c$*TA~o8tEDkWh0#E^`;Vn0`?!U?-%a2rk8N#w@ zR`m^L>w1=XOeACgv4S^xrnwvjGr_|{uNP3>)$aq?Fa9oR{n0aq#~l6?CU4i-#30X* zEe20pj!9NwI)h_7PrvMDt%T!oOgLRgj=0pEwF=t=5XVCECwB@+a!?hqQQQYk4npOq zZpNo0$Ap?51MC!CQ=66qXUPuqe?RNdxfigg9f^Fr!CR*Ptt)kri!(j5g) z)c609HY8jx780*>oPVT^wsCEI{q#!ZR+Ow_QGAyS^%)h^GYL5f56Sr}WDiNh#mG{LbTOnKZG%3l!{6z3g98Tu&Ukh(S1Ex0GN8xkNtUNh^Xrcds`T-I z6>Ysz_%GnQ;?o#TLFZ}!c!Tvy5NVivvHI4rMPj_lqwkYyo({L^<|-=3P^T;9$;hi< zbvF;JB(B`&&0ATjsr*BGg~a&v$H}#6K)lMqlcmPjKZtn~BZLU;URAZQU6~q&&Tp%m znXi|$3LZZH42o{4e+I?P!jC~w!w?^904R(@C5IEL?x5vbC)x;gw!Iq zR^py%-Iue5$uG|VV@i#Q!@UAB+PkU?cmhaKcKbm#E6*`q5M&HXx=q5t(b~r{rl?>P zcd))|hc65nB5*S1Ofm0C`nXeOn)=K}B|JGG6^! 
zL%wpx_wmi<4m0GF`tTQEn z5IN!O5|Lc{I09GX19!gpgcPBn1r~7t$1v{2g;3k*uad^0F16ihQiXYj^PGXTP=|G}F;mBDEe35<&k}^rxyAO(fZ$ z_lKbKYR^dEF~b$BG!a~qN>SLAQ@D#NC$iOpn+iVcnL1 z4A;TvfVL)YYksZWkSr~96){SMjD4-$p$+QhZA=-kJ7^&r5z}I`G!c=zZ$EuHC+OCR zSkPin?~70%k1N<9iz6}oR$R57hdhP+v5PPa@BKx24@mLoqbFFkC97#T+zU$M5;P=% zGZn^@<8x~bk1*|%35v((3#;^nh4_-9tnltNZ2Yi$L5tF04cy=PN6vs4ncUzg_4F@W zqIlw6f+O%yMsRT|&Iolt9c{-cG%@{_yUC|u__jxi@fIL}YsewZGOvTIxqnjAgy1=# zU)ro9e_98xCH?Bm_he9ko!cbU90*wE`*=6U_8=$7(`j3);!pmgAxW+3!sC0kGtlIs zg`?n@ObJjfy_%~P)`DcLX6AS*hwx>)YYBe>hW3=RV7t5h z)z^Ey{SD~70{L)s`YS8ENpK|ylzh*)@zxI~y_6+gn1hQbRwR^#!PRSekeSH$#1x_? z*6SiWXC+tg=FxibLrJ(B!+Wa967Q9J5&G9+geQtXymopFm%ZEs!4F1*wxUB3J#1S6<+=fX7QX zjC5DwY~nwgs8IFQR518_XisR?fDc$VO9}GnLuiJtiZ3|Fm)_DA+ovr=w?5|oXA?~x z$Y=v94rbA|XEUnCV*Da3RR2GHA_L~v4`|MvJln^I#!+YSaIWRRXJmIQ^M)lx%yX_5 zVsgs4;k;^regPx$!1RtLL^3@gFd_j&9Ul17gW{^}F6U461=lWKUhb{-mVjnUG=zro zEOizpAP5A$tuE`<1#LLX>LYK_GW^=y6lX&nYiKVIjFPJ}6Z9YRnTV|<8JcLUgGJ>{ z#o72kK@{(_MUqe<51Olyz=mKbeNaWB zwS$==8$i`}agG0i2fq~xnF)5G{2wxr#<%G727N1%W{Naqh-d+Lfq0&;gM&wm8DDgX z0{wm+vC0_OMtBA6ATBMCK4y9Bc|eshI1*Tz1dDJ5o}}sp#~4o4K44HTd8&2%#9Ojy z01v%YA*()6O%d1LA*~JJlxQW7i<}4uz`;_V64eAO`80So#L5{47GQ8dmqD2SypvqK1e$J3p2whb{ zX%J|Ft`$OJVlXkY2>QJJiIu@1iW%Pdbio%NVdaHoG=Z$!(S#T z2bKY|-xI~0C!o-Z|H3dDOoJEgb_&FA_oh1rpY7_o+j_yyS#GDbd5VfU718B-iWFUE z56r>~h-)Dr{?;H14Fi~a7V0b>HhxWv36rzdsUe1H722Be40J~VHaWv?pB z?8IwV)C{7%FA^PnC^oXp7pE58vX6-Nl0O^J|@1F1!swATA81`8UR z%z6}+665C#F{DfZ(fycMUSfj$o^sWGoW*Z8t!?u?U^UaIPN%-1d_o8iwM7ajP+9@N zMB_1&BK^o1igcnv^JwnzBT8gM89`Un9ktU6U~OsfK?u%CZ}{8w>0FK_a)vgmNdO9sGuQaab%l>LJm|Yre zk8U@mMv{Oi9dYR{?I>v*v%B>oO;FJao8_Eiha->t#V_#v})jtf8|Mqw?WqNHCPf%cm*xo%kTEEa*|F}&3 z|8berycp5`;FO6tF}riMEBterR46%0sM}xsX*XxIF(JwH;gJ52wi)%1o!2FT@Zl}( zc%DBS*Wg~}OfIor1x(tQ3$Ppx1e$yBg!5|B@6@)9aALPyt~;$o+y5Rgfiix{a@knW z;|Os(tIewY7(e5<$Z5PD)0R8#c4TbPnQp&h*#%WSItS))_QzEfkcW0FK`KqN=`)RV zASdF1EjoI{W>cBsvL{gj`~Tc)TtapwC9I z?vq-nrM=x21w*?YVZtr3WoWkkj=k{G+-Ur}5R|D(gH`gIiOo9d9fzX|DaBGu=;lEM 
z0tY3;8FH2LN13u9%9zdOHsX8cCaHqHx6~{u?{Fsb*oiXpJ1o~%Iu}PbIF%vE);&xJc;GI`Meu}55GFaX{R75w17?px%9w@#s^ya`gp+2 z4$%$*-bH0S{E)>cI$H@y^!{mOb=-AnA#~*l6pG+V1L36sKPN2q9sygtb0QF(eB6Nz zAAnS*pFnrUQk3+AhX_tEw`+p{uwtqC8&@y!<@oN3@LQid zJQC{DnocWCM*O0`JfGov^8Gqua*q(lpxUWssCh*9NybDc%*={BnAQP4-dPPjSxY2) z-3dIAdwKf)X@c{3KR?oe{rr%9K0eM4PGaG{8oo~F_M8)yQGvzGMj);gUC$yHUIAT7TQvkZGYcTJq%}@Io?)C0n<0 zr~?*3=sdTF?LbkAlU4QkbqU``ZRXs_$H|Uvz(7Wdn(WDgp)eQ&Rm6mmEFOlpB_x4o zCWHc^$4*lXqOf;XxNV4g=5<PN$75OxG*5sgDO6XyfkB3H;-8wlWN`q zhug7cmzx-6>dor%^KwdkjmdxFXblO4Y$ysMlqb@>Cw-)r-j7wPj6Skt1wRF34jV_S zaHt<uD88vHp-&(SUF!K z>LgNeaz_Gv``{I>_&p5FUYBs;LXH6%5b2|@3Yk4^Xd=I0hBHxjMARy&Qlg|SHj^SU zMfpD92cJMT%_SvJJ`4LX5`idThX&kWhKDr)$Ie7J5fXv@^8V+~A%Vu0G~q{4r;ISr zXK44mn7b>?p?D&{H$pZe*rv&w8uV%CthVJ!wnug7gCM`!N;l2sR>cuI9IZO+&xG1? zcLAOmM-aRi@h`{u!Gxd2pf=th%c(=BSDR#nbF=JYh9`o*om5Zd+&~sHo~*A;JU~_V z0~P213zU~ggjfqB@A_{Zdm}hbuS*z|5M6=PM~`08elX8D@yd@QD(mNaIELRZM4d0- z0&qaa#BFV`Rv;9P!Oxk+SbwV0xRxc{4AB(x$q<@npVe<4x}j{Tl5KE*T>bd|GC~p? zh|nZPq+W`vaa4_3E2@F?3VB+^igv7si-#`P{YeH{ydPRJShi`jo0?0TIk;X2VYAco z{&pO+k5WuDm#ii8y@#{wMJ%M0zU{tTVwUM9yPXjM=@A=>P2oz`_z+70MOhL-MP3oM z#6Jl%vXQ}}TlsS}GXSVUvoFB~9qN9YbVm@5?uL{_42}omUUUo_DKp7j7!&w97n-%- z%zsmj%(iscKZgG-<(yUr!bX;9x>POygbp(1b0@!yRsGg;C$$@w6Vr($VNAWLZywqv zL&~_~v+PO-L4M2%*faq!8aRb0-U`m0csE_r-)iMKvambi#Yh!l;zG>NW;e|O+Xu5Z z0LS@?R&lfy6gcW~0*4DqaXA6j$6d^|66tEAasgA28DQ6uVfrI5wWNvi2htao$;VqC zg(wzlZRh0Y+>Hy-<*z5{kGGrCVedOpDYR0J zCnvgzlA$ND9CpOT_6vw z_6^7tGxyVgP-lx(roA`qx!zqUXS^6jwV9spk-%?kgC0B|bp79_9eo47QL6{_hJqk) zeGxZPvsDsjI8H52Ew~76TSQ7QPGlyF6t-s0p{LbXUCmuBf9z~+?AW6Z(~9uGDYVG- z-n~4r)ZQsurFOA}3bB7_Za;;mZhPQTk^3x1x+CGVJzpbo3Y6zOqws0oO@U@w0sUqL zoOb7b0Rm)x-?@G1;j0SyqnTu@1~{}0XzV9yqB*fReF$zD!_murSG$wMvo5WYETMU# zNN=T#SH}H3@)4Udj1teqjfc;_R*Lg>H9QCXgj!wEg00-25(oL2>72XZ+Mg3x<8<1& z_EX>2vGz+UJFtB8z%Iv@KKENBHE8(ymF9-ltH--3MhR^ zStGz!zX<2Rw%E-kAI(tt=(M1Fi9ahmm%fe)88eP*1(tOSbC0z7Ald@Xs!Yl?*%Cow zP-ht{TAXGz%PNwyo2|_WRkhg&tp>Fk=ksc+7zXmTTO9F)FU=|E0697f-+xRkFLrwpBd@7KZefeVEHi 
z3`^sDUve`FNo`ks`1lgV(N!|s?%At6Jy8LqW(4PSXLN|F#7MGyLY#Jt%JkvhPc%=R zt4X=@-T<~9uZa!M65pIhKqh1{Sh#AbUtq?u#F(TQ(7 zy3!P<7LfTibiPj)+seR4RFoo1O8b=Sj@P?&dMMuo?mcpdQsg3MPLw;o8fCRW9O(n# zQK>ae($$9LH<7(e^3kPiShs)12aFq)gXtN@--bFN5Y;*bCT`la6EQ^|=AW9Ee8ZG% zQK2Lyy3D&EvnrBnHpHf!)Z!wQPAxYB$S=0L(dq@3F*B=XohYxo)+pWR98NYEmA=~Y zZJiw3Gb1!F^uu|S2@6I2TzOr&20+6F^ZG|1yG!rK5-Nw;CHQo8pi2;o=F+{Q>x(7@DQVXX& z80~}TL3fHyJyx#)7YXoB_kWhjtXkBFw%rOn3?HX2lr-?GarIxF52J$;Yp^y42jCrG zvVN#9EA)*tfr>vfQ=M1*Vq~{_gT1QP`bbl&ukVk7kqzmDh|fd8FyE4YsPFXz=4j(lqR09=&FOl1;f3Z76#~%z zbW!=a?&i0B|GeZb={e>LVNep?@Vij0WNk>ZLuDh`Gnal;Nqf(0nY z6eG>JF?*D0!+W4@+>4bWK+dH+yn)ab!jKa6yvw*lNfEAHs>%aY+@kU02K{Exk-p}} zXk-Y#K|gXKW>4hdA?Y3sg?ky6WADYS*4s8Ha}n{(J#8+%lX(|bV~^ZRU$~**cC$ZD z^DBMBBvzg!9`m{py{y?g@tCg$%^HV0ajD?(7M;>WGQ63*DR)}K_0BEa7;KAFO&b1% z$`!I?5>50F<;>rxaeqvrmrgSJm}U-wxws=Utg6r`B~4OiTkW5mc}rED`J1g{&22i# zFo;Qa&5m}%%(k^0Ew{oC)m7Q4;M#%UavmP)#JS{VRZCfbMDBM;1gdM^Wj%c!GY1c* zUuB1&>CqTD!%6u+49>mb1RFceZUI*c5U^3urJFc}JP9q;tTg*s`zPE=NoXlC?%CSav-WJS1Jvy}vpw^3eZ34W;=L-MV10&O zyRe?i#vXc%YL!@sy4~af=yYTfm_~;WHBErcmSFH3Fj7_$_WUQfIbA`Lb{M6CMUew6 z=RGv@D&`H_s(XB6^7Zr3PwATcrWyT6jn2|yIUC`1bX9!I!~kvI75yFNPzo(#FOY{5 zJP!x4{*Cl}0pTn6dXe*6mJ1B|y0plU2r|8aY7dl^`O-uRA`e>2mAfZjUqS+As^0x{ z5CL22Qe=?Mu*R2kZ4VLH*lfBv!{G`wy)xAE|(81@L7>&|&^Z~S_i zM@I5h8HLQDxY|I^35qn&HaHw19Jy$|-z;%BA}-DCEwy$GKke0U<#m&HZB<#>Ho-hf zJt9VW{pVn=%XUFMbaj{K#=ZV9BtBy?a?WZ+|6f9gd!j~>*rW+&iVT+?Bu*!6RU*mC zfLVPS*gG>0l>z9-kBjQi2{jJF&=IjFM${crcs-~-X-nYe=1UdJ;3IdeTIs{7( zJRmDwIv(h3HuGm&x1GEOTb|h9uBAVK&04WqXE}gv{#L1e-F6MYA4e`Let8!C23Rpz zWZR{97YngZXCsy+`SYPn&m6n&Q8qNQ&lnp&Z|~thyhd8N^;bwH))$dWFGJ^l%{=8C zDx-^cK`)`Qa_@>gucCj%#JWDV=RNo5Lx``J-M0nr&z@KAE#HsR|GiN*|9<=G)64pt zHeI`|qUY{&_yXkqiD_i~_hQ~sex^_OS%m*=m24JKe=fNNYdMU@@!c9W-5}O$#HJrLWx- zBg|L0Lf21`J=OkP(`-TD&ArDzuINL%ousyFc+@(|Q6;S9K?bnk*!AGZEr^^bMv`vFdPT zXH5=(f5U9%I$Ot6P?lh?uorpaqB4EAXtTNe4LX{E6ic_AHQ2RTS_kH_3mDDLj>Bx@ 
zMav(nM?7`Ixg*$`^^}T!k(zjJ!nk0Lfkz=5!Ga@4M&qxh-&_k>#5uz`wB?D5|CbgSsHo1oQmu&6pePp(Lm25W+>O;G$MD2+QZwo_U0zH_RwPCn@;4qR>rGW^P?x{=TxmI@0-sJ zwASa`K4J{p!w(wG_-nqodq7ZKcDdT;th3}u2#)+N za)faLR@?D)Rk|}6z%GG2HgM-lK~lLkMj!`Vy z-O`3h+#ZW;hHI$|5Kuu`2D~r_#uYLRU<&n8CpcY&Gd~?=P0G#b$LEg7k}55N`K0%% ztU3lg5{X?SC6KYp0iX>#?{OfpLcapI2!O(6j`tnoRUh83j7u%!km!Rud~zSyIX82M zQtTFsjhTz~X?(l)gI80#N{UyStlun>ztzT2dNlQbW~smVJnoIZ9p=7ocGnJczjlU* zWZ5A>;V6@S!8Pi=-6}12E3G11L;1eKSVAm@(<{POl_HFG=Tm_ouSZ$}JQY--lSdUv ze4R(ugH(#-sD3kr_bV0nYiLTQH=qXI7#Pu{kVtyJo|~NU3i+3N=y&Ie zYV?Qy&$&bG&$&aE!DsBha|iYt!84_kA#M5kThm(<%3rSPRU@6+VHpZWQVW=D4LKb{vXvabpu5hB zsx8&xJS~>A%DMiFe)-SDGQ#4NJGOBlt<#3!$7|eaQ!FgZ5sq<}(7Nb5ZcqJsCM#k!<;M)wOd}MA2T8_+C?uu=+H`B|Gd=~I zBVm0xY@N2)?j>kikyn5STixD53VV&00aN7pBl=cBQBCDVH6xmcfBMSekNH=j2=J@o z;;g3JAqt4P1BV@L7J5!`;8JGnz90VjrZ+|mCbZ?5=x+V{M#*TZhU1vd!TZ|Xa(>@F z{oo^AzmModn&qaS36CUbBS=Dbyl{m7_WLhh^uMp2Y$me$!mpd35HMYT*``E~z z8@MLVu*9XoMy@ye;F3Yk2mWh(IXWsc@M6@`ZVpBr~>0gnd@loY_p5Zvjod#hmTvdtcFJJA%KfpBSBx zb9xn_8c{qPGIm!{q+@RXXjwtl)H@c(RIkslmlA8Rn-2T|3kscY`4Kk)NAXU&WYd{L zDa-k7_|b}jL~51zp*!0}*9uxeGE&LC@i8RraNM2Lhw0LFLa4_3q#!0(s8#oLUB~|q zW$(ZpiMqDk##YDd7#-WTophXzZL?$Bw%M_5+qP}?sa|WZ_3rPy<2z%VA5o*Ko_o$~ zdMr^W*n8ZI^#xh1$XFS{S+H=x@3CTi!ZNBEg-a%FF_L;@b|zqRrO0`erD!y-?RZeu zCqwpkEzV_BW!|)XIV9#V2Y!ZIHP*J_T7SQn7--5+ZZ}R`c-7&*>cuX{Gin_d^?4i_ z<6GK4Sh-cT7It`C2%2GOQP8BOU2AAbIYWWFpv~0KIj_e%TuioF)vXBM#$5Z+Xb@Oa zkC`gfVBCla>$@=hbwC z`TdN~yQ^M2)4BRcZ`(96E$L4j(_PLK}Z21O<%hHZy5eNuLs0K)xn~ zC>K+%EW$a}OR*qx$h`lm zlt@RP=y<#YQG+JV-_146aEW~i&wMT$P7VDq>}u8cNc3De&1sdeB1S>xTMt*}jmfF&i@1bDHwEkjAwQFkjJob-vP=-f6_ z=nGvPY?~Lg*59e5DU|~X#U~wXX?_a5E2DsU#ZZ$a;rJQ_82s}3h1*hMt(WsjQkW$3 zx8a4$0}vLRg~ISf=tUi)aN*amoy2fq1#&K9fDx^>gG_$18OA+~_TNj!5p}NLX_wg& zCNz1`brzo0=16g_%)L2D2JwtOCZ`I>M>q0D*581#7pZsLC?ZTdB7gg%;=`qxb9+cx zNSQ!;xMT``0q=yd-;o&~>+SL{XkASV-430SHLMxmc$SB&(Sgoz@);~XD%H%+D*j|0 zZbFlrfc(sxIb-ukv*@AFzVV6xCm{mI*`T>h=BXzmX#oWl+X{m;}ensEd}<3VPpCzELTeI2>&dC?b2gD8YdX!tyHsI4EY zAPFUm7Nj_u8Q%%yoe|OgRem?B(-s74{14^Dg%1#Agcf$6; 
zfUV&`6tU*z6%+R7W-zQrz#3bWpB@xc*^OCJG~8Y4df`Q4+v+JoYcc%cvt)s;siezJFLMx+?CkEL9i$!4>lzl-PJsyp1ph++VD$43!iM<9V@&u%GAH;*6@k(8rVsWoY z$otfEJ~fTpF-r1U+wcri82Wf_dWJHme+|cC4FtE}zw5%THNrF>Un!#?&m{nm6~b!H zV{am`5KBe02_5TS7!+P2oMlAEJn$;}b8< zH>H47X`Jc$Sl^tYEI^HCs3vk^{zyXdcx}TN)hs~1NpF`ipI3)1t}S*t`DIXfC$h%X z+1Y!!u$TGPL`fnaVQ;Xt=e9;_7Hm&9hxCk`?|N9f^^C6n?`dI_<`m9h%Ws^u|H};* zFoo2JktxjN>+r5B=bK)SO}<%@jd7;D|Jvkrm=8(q%`gm=wHIIs+Sov#oP=g>S@J z3St*IR2>@Oa4Eixc2SL^w>K*m98C=(N1A;xDO-~l!p5d_$Ne~Ljz>D}4lOUd665aY zn1d6!QAt`KJnPA{#V{^Zh2K;BvP+|Zm1G&)jQNBRZs(ruqN-a!?Ll0IBk{!ujTWT2 z>0sy60XtRy2;WgfGx~7E2*4#fxc*%n@`y9^8Pz~42BCJ{$4DAcRkI@3nI!|^U1mVa z10E|m=-EFv7s<3M`fVGg5l#1afYY0IIs~(;wx*QF`^c;|Qiev33=(7t z82o>X3zz@*xUl+z{7H}4i}XD=IXu4k(`RfJUnswXl!5*9UGuVsmHC=GOVsHxgEN=-t9zZ`78?R0HjtL-6^%rYxovNwIF+|*i{H52uU9#&(O zPFL0e5SGDnX#CN;!CJ9IsPV~%SXSYmjc;`ugv%c*RaUE!+`hpzGzeqov=?1*4Fhztq^CHAT0LfuF_;vLf> zw1#pw#2y?(&q$Ca&K_iylAs)U&pb?Qda506C1`=6#*_a2ceqQL@H^4DbQ-*twQ*_C zAcMn0hk;o2^-0dm{)eJCDwD0L-^Z=u;-yS{ja09zC~~n51{jN;rcY(m;~VZvQub)_ z$MHhLjg2=cdl=424{FQnBNS63+qvDs2gl0-sLMjAukr~T(JCd(7NO|rTyAL+!M(Kz*?HC3h9p} ze9&4m+I_50S9H`A`RR`koAp9pv2JXU4jSK@TBY^*?}r*FKuXz(kCYdxjB;~<=JxV- zV$~kvM{`DsV`E3M->#{TY%1m#s`H@6Djleg&9;k)(v+q>96!+N(ApNM~1Hu;J-`7OOa+{%Ra_v!{ zBgK#l8y-~CZ;U@A(4v3d5?Nv6542p&2rzO19^2Lqz++1Ql9}Kl!-8t`elgnh({%e{ zFQ{mTW^LK3uC8W9pKjg*q0)@{m%YjwqZ*1%s}g3h`fU1_yb%(7oKsSUT*h(_1 z(i)fKn|dI4Q)o9wYtBc}IEa=Po}gZp!k|7;Z1lbtrRBV3j+r@|55)ppPth3+`IFSh ztd(c;RCw}yNuEm6OglNMaohR1u;W;)VQ7q12u_MsY{$3zPnVYSLUPfVaXHKAQpV(OR^B;0rj= z!Ra_FwoDYLSwMH^3tjf_r${v+G|X0N=uIc-!H4JU8noL?gyklYIq@ZXZoNU7&^!9) zE<+OYVQ-yBXGI_kx`sz~m0Q|wLyS>9{cv=o5HKAj@SUnsJlGapm55dLbk060^7kvX z0PfVON)N}y6BA#e$TEkwS&d^XLRa=PgAG)^VW27k%!Uf6SX*i+qv69cuQuD`K%-ZR zs4@Y;)9#=z(Rj`~rLKGzyI>=KI)9EEEm{oo0EM$$`-(SkS^t?gPIyGa(oicDPMdjH zzwXPHg20+6_k=!nZyg;TtZSqwoit$<9hmr+tN1d@u0D!~WQkOp*_w>@PHU(QTEV(a z)*SW6Rb*6e7FGI9hQYaEq|+|7jH(l%R`)&SGvOielW5iUc9NT$r$?nlpc42OR0rd&}28%}U@w#~|p+{NotOm2| zA+MTyM*qfjU^r8midzJ~OpS2vb>`u>%J9{Y2AGJI;hvvP@l?NIk$tvG>xVY_1zN@q 
z)TPXl81L7MVT2)~6{G~W>`zJ>CwtR%T5_|gA8Vlp?pZTNyrjZKYF#I{+Pl>pzrE6K z943z05-_X#Fa@k8sdWB?!AB0R4@i#ycP6{M$G$V|ozx}}FtJ23ewv;;{M%le|9Dob zfnqoJxQUvbx5ajMo=)A5Upo|E2}hwTtRE;R-7;V~Mq)qKQn0Eh|0c(EWn(*`A7xKZ zFvQj^5oUINdyJH>tqMljqAU)Nal3RLMz9aAkj1E^u``qE*6mT&D@0uaWfM$Uqy>S} z3WsV*#v2HyOy~DNv<%pU7NO5S%nbkG8j8hi@M=9h9Z?DRgJXabHE{FY2z_t&fujQj z{da%rdTbT$6BMM#F#@nh>tt$Qi`IwN36tvqb^AS~dEaalQCn2)4`%zH(|UB9xL8{v z7pYj9Cf1F2eZ|E$m2z@>9@x6>iza*yhrNt%rM6UR@{#2_&{nEFQebpJ>GF==3A%lCXAcV_^%N!Ie} zDaEWnGE%XXnB6O$p8N(AAsj^!4dR$)Crnq!dJY=tIVi)M^X1_#oKcB=1f&J*i-=cn z#7SHkyjAO_KGs0WaTl-(mTVcwjIz%V9NT8FqWuiw%eZcp|66pu91;B`=t&$OLFwRJ z^*lw<(9<0(+Z`|MN6I8}%q>NRRddmbt?cO>PY4`L)Y}WqRS)kWyn3!!?oLMG?^1ngR$lI(!BI5lHPWqH8^CNs-s-g+?ZU4=v;C+^_L$v8t(x z`qF{j)K}IW1EIQORqlq43Z`}|ca!h=v)8AS-Otk2*L{M55qaXH<*sBlk0k0e?O*Qm zbjf(lkzum5TeOK4BgwvkBZNNJQ(PB!rlxeAjp?}FCj3VS0wplKc%<%}I9Tgm+ME9+ zQ7@UAx$M9@E$~KwCo%w0w5fKigQU3N6-}J7GXdtK07C7D@J4vOn-Nufgzx^T2N0&; z{S_Pxq;84|;aJKRV(n{We;1)tbc~|=*)k^kpfVI|SQkeu7}zTsi`=V@8RZBN9MrBC z$Dq1is#0iYPfjVay}qn`e|7ZULKpeGKY6zV6Cqv2tY-;Prw?LGX_2C`yJc~tM++vOJKnRERJJ4rsPckeP=&)}Zs(t>H*B z(mwH9YZ(=9G`tnpgc-=!$~bXUioQupaZRYT7`3z0SF)S#W0Ml|wsMoF6S=jAWwymVXa8hH!Q#d?65%0c*d zEJckC+k8lh$c!e+y5ek!o@w!fBou~c42k-%RWw%bS6A$VUeP?V#6YrGG&}q?m!SZjaJuR?L{E z7sk?LY9x{<*-x%8hSsNw!Y*7(D5Y8QNAp>gsqF#$B*CW4uZu8h#JwwCl4=H+GKxKy z)bJJRFlu}E)rY0JT(a$Rqlk?~?kufLK2__jH|Jp1!0cK4Qt2qdhbTfxZ=9tVV4(!U zDZrWO-4z=v(;fY=Pppqha-2!!Z%H0t({R;bsw;bs;_m~<;vm#2p5&Ea1=dh`rr$2( zN^t}+)MPOp5s{ek)=Jbck`;xocZ;3`U65Uw1c+jBBbB2r*Vfj)1R{pS9jEwt0OZUX zX%7LS0rtlvUnIK!m#_1kIe5`2Rrt$zBX4QcOwZI=y7!DJYB8Lme*_~hrQR1QwQV{c zwnAJMkeYS`y1oQtZv{n_92;hZmI@u$y&;9>YhekB`d(qXFmf1C`%QkFpA@$Okpak5 z(g+a5NAP5)cI2k(2u!xNFFr<{Bn~WQV;af*O4pHfzG;qzqQP}CRBE{!D57q&8wx)| ze~K$eVhx_GPC_l0$OzgK!cg^phqt4h73KHF! 
zHef~M)go_XaL2PG3d!A`Tu6yTCWz@uKk?L;?j2Ctj?}WDay-2TmJwCz-R$*3Iz^glt7$lURr@VLP<}z7CJG)?{1dvs~st!hh*H z9W%@t?a!YxpPxVOXh@<2?;Hb)J`ZD03bsN)$;c{YEe{yxtFYDdro?==u-0+mLU>x- zz#!G5io@gXi-2>St&NV?nG>aoAY_y-DZsUa${bE2bUjWQ7>SxT_bJ1wBJI0B2CZny z?Wa1X!x@tEAU)!bgP)Bj$Yl!hB$zEwL+yY3CG8M45pTgN-y?qpmDhnncj=Y7W9b4u z!(GWY9$32E)Um8tUO(oH2?LBs@0Zo-Vz49!E#6;Y_bXJ3$T=w{7k{6!* z!`(cIbUP!-qTi{)xf1O{yc3X)ipZ21VJf(c6PLzgI5ZjCqY<$#w9V|wB)QvRMch5z zq~br~Dt=|5TFxwxILM$@#)`FQ1q$X#98d1P!DL4JghPk23k0_yg6OQZFkkC4H#w$Z z-Aj@&7$qjWyhn0T!t5t8A=qjZ&kb1dt2p%XANq&_rrCt zZ(dJ8s`;gP5^5vsM?9IQUlbDm=Na!pEi5*@Mpr@~=eK-kW=9P5#A$`x7fvyWqYRCs z<$F`XDXRmHXMwDSIGwI8QY>m(f^+LTgwffQ0p*RtY`OW_34El1U2DjEEz5Eaw0+C!6O=~Eo8(*`%5LUl;&!7 zO*Z%GGMH5%AQC?8^nAa9hrZge#InT%S^9eZv0!eL9q&*T%o$#ODuvh@kgsZ8+TTLm^GN zf9|0NW$Pe`TMo&W{fM62zY6uD%XHHaH@Q=1$@Z#e-wvnj`qKTOD}o&LB#XXp_D&?h z56io{y5C;jxb2AWD2P1qJgOS9soHZs@D^bTV*KjSA#3fXDdrHp45hy44V97-yNGLp z;pq1!z(X_6H%4bkPArSEZk772-4Ly@Ie}1|<`!BiCGecGQ^{{CFI}5PIRzcx5U`sQ z89*+(OY(gttgdbS2UhfQy69buG6i?qZtpOA!mNsPGZD)2*Ox$|d_0f++g|`NqC_IE zMW|DrHqwC)Py1(f4*4Fl2DNH#_GaX_i3C1%V1)P^fDz>PA49_L%rvZO@NYxHY$@`O zApuX(3bUv*?ulu+Qw6K=$0FnMxR1j0^KP)V~cZ4voEHcMvjr3Bat3pY%9 z)j8b0^?e_+yr3@h+twI3@ouiZH=Wv3!?1$a|(O{5TD&gY`=;6MHK=PKZF|u5v zwK2~0RERgbK@U?qByOLgORLaUwXf6d&$&L2*`=5DQA8^W7^xtJz(IYnxpk6xfmn`T zfx4;f=7N$xEgP&EqQyEzGn_kk9- z%l~yC;7gRp#i%X}JW24~@Y^fislozMd$nvY&rveP!0-0=<2|o{Ge=xE=y%C3M_xCG zA@|eu$VQ`KKd3-IvnAI&`~Gjt0v65UJNWuhqu*G*2o3MH>Y*b13H6lY3gtk2PBYBW zXJCeTX1%~OS^I`(99W_;)%1FhJ{;QGQMbEBWr^{#NF!OtGFerQe~wY1miMqn`| zRoILaoN}ZUF4H9@G-Wc;coWk2(dFquFD@O7af$5mhA(by*7q@@W1eF8eV%J}3p%i! 
z7cR=DC+e5+bVwc}F}DQ&MaX*J@cAR_A$4>*uqC>W#a<6|I9VH)H^rRLnCR0uM9g~mQzb({tC&>mF z5XW4+9pfas{JVs@qjP9~z|YaJL!~yPnIF)mEAr~?l=BMrsp~%k#q0Gb1rYl~vq&s* zN~gAMQhWHsaLa=);-8-+-r-yCCEhEK?jn&6=%_-wQ1PW5i?OCQ6ZPi-Ma}@4qxW?1 z__!uG20GZ^2yv%ymt_B)UtZ+eZ)Y z>8?NXc;Daa{FSGMf)A^Pec;@HXW-A<8Ux^MO(~)}R^Jf^-6A{FE<*LhL{2)6+4xUS zv%bKLn_5jI9fkGr8^#%NEY6p$KnbUbf^c;`4j^6sZ`pzDa-({klndI$C$Ntp1W(4Lm^R`%Dpgn&V{;8*?BkVa)6(`mRbbIGBQp}acRz#^1v_Y&GCxE!JfC4 zOic|AV8~wVeL@)C{HiAo&u6olL1<}J#$LVU0%NL6;JMLz1?ZUz{HjKmv91QxS(%ym z&VaJW`-*a0V_!4FUaRMM`;ML`CBsuZzAG6Ab!C^2k!=&OTW?lv(Iqpw!P+u1%$dP5 zaj=~~FGw&14NHZmhJT=QPTgrBU{Fj6i!sq~Y5)%P?+en}x4$n)4&w=A|G6OjI%a|S zb3s!0b3yV~R=?)t{9pGY7LtGNN9J6A-;aX-y&utN{dGUO&=>}W=5Q4i$I0$#Jp%J@yc6%DUFN0nT!!}yA)%MonSMWP`OFPF;>`Y0_; zuL5DW*OR$NHe&7@upf5{v8zjR*P8;*kKIhJvA}HVEL1kzlX zVh|M{XF3Zv#JB;>ut>!!C`Knm?MHenN&;vXCTe2h_c+L1zvaGckETpx@QDRG`*Q#U$uD^jUbL_cLzFb=eZ#VR>vXi{< z%JtAa4l8~N{A^^Ole>cLu$tJkIYQUqF)Xd;vPI6tuPqYnE3w^x$MjZ7>CPf>HdhYa39oO7MUz4-l%DxXBy;wSUk_TlU4F1he{pD+seXcTJHl`1f$maYvt0tseHE1v;{=4mD8$|FwU5-{x7 z%<6n^Zm7R%C-Qe8R$FT{{>2y1AYNciF4C^tj&r(!m7Ly7iRv=A4TBax8^Tnf_(6V~ zCdZiUAlY3=erWzI-v(Od$SVUTse!E|92?x(#&VKzFc%ve=3*cO>Ra4UsoYhqfAu;z zt{7X37ICA{eNB6k8SLww`&cv0pJt|NPRgqkfk*;&`2^QSGd9*i1fSW$ zUg869fXRxs&evNc8m!eEG7Bk(iXiy+=X;ew%Iwb3WsGhC^_;;Jhh3o&s;0vh-r1nz zDd(S!TwrZ{YYj4OU!1P#8%e8>?mQKCY0o_+DI%n5XZp8MwZy^x4P{oK=G40ORRm$) zC;k)493Ldg_xituGMOh3{|aRqN1OdP(lbuh{a>NX(y;OW3T2vr{dLN^J7n0@E-shY zmix9i>T1w2{o$9SQJ^2BoPXJ(90iOxa<~!ap+?&6AZi5g%!Dy zPe#!5?)qBIE1YRuS5yFLW7h`@uB64$MvKpu95|^J26PE!Vu{fdrA-rlK_K3UrNgx$o2|bIZfPrA{kcvsAcx-EoZlv~5r%Ez| z(02w4ox%+k%RQivNv)nn+@jxwH$`ocDs1INMC|N$0oZ?TaX1O@z+DGr1hzLvl!VSX zT1YD!#pH_f+#o zkzE?DhvhXBx*-;570-`-nN&xp81sY<;1$xadDZ<1({Zu|DALVDyvAONP8g5APyqHY z-uhfZZaU(-$TJ}+r}7C*YZWV*9Z}4`T8~bLpqdx)e+p0d+U6n%7hFJuLIvUlAW&I^ zg|CaGp3Fjic?I^L1}h8I04bknVont?J1!LRPttLno86t%t}ngZ)^FQf{|1V9E^;0O zO&cik$RSe*@ve2g7uJ2KPQCMW;3qP?%t1G_)WaMVTZYtOycsxT(8RlxfU~QZWwTm2 zY0!&I4YHe*R6MJIV>lR{W3}d;i8cZ-hVfc~8zN>U-Zi{9NX1n1aZ|cbryeSxQrs3` 
z#1IGO?H9ypash+oqh?w$4d|wFVaEge!X{dG-+xC-1)MhV!ZA{4>wdmSUJY}3zwObEmw-5{(>LQ6GEcrzYc#%!t{`!tf>){eu`KA);q+&M*n{9#Y-KM@M6P-4A$)g}{j z8qDwcaZjECHZg^pNIsC2<_dF;j_hP|g4}>)I`N)u!h1e|gIEd!fh%3ze$voP0PelU z^9aa@tuhdAxRRAqoW!=y)K7)0Ki+o9fKUUd`N zqr4UKF)&qRyqlV+_B>{nY_lLChqzJ~@bh_YE)UsSTx0J|RvBvBhzvmT7wg`(YY=IFX2@mY{jw^jZvQgY!dC%8!xjO*ah-K+Ah;wD{H38Y0)zl~0wxS0)F__SzQjj8 zy`YLr2iM)~V`nm6X<g7x} zsu{(YU`&cX2VUM`Gl=HzZ!a4YUjEMBY*kEpp6;pT4<|-dbmvjpC^D)o8)z!0W+G=1 z9vXT<`B|!-k@dZTEER9V>Nm3LL@Z6`y_&I{qZ*kO2akq(74I}$l$z|{svCGFGUB-; z?N)P@?6XhnVds}ITi`OHBS+NCcdt@3p`?kw=|_qLr3!)()C%JvmjDjZXGQBLElpV- z<%0@S9bSFw=?Znr|HN*`I{~rVvH?KsHfXx6mU7>|Idw9nMJ0Tm0z8{ZCUFE*ufxrC z<+#bD!rc)t@>S=YoQmrs7Q7xh!tjd7#h`_zXJ+ZHhiEQfi1BVG-&SwA>Zr|}65aYS%hS8fGz;3;m*NVNd%{EFfg zOS}bjQi|{`i;NGKL+lrk0_L!07A1<}r#`Y+s2=Aom)}xo7`+qkL_KM?`vsgCkL-A=Qr=Ls4 zSn4>UR5jewAuQ3U$n;IRIKCW*QUyYXQs#D~zV3+HH=R=ncfI)Nud;QXHqW z$1ZW;(LZhBg!D@1RtNA6w{JDy{&o+pB3ytIwX3vWGSKqQA~{aX8ePlV!d3o>o);o{ zBZX~M2A8w{5IH~1>reP|8BwXa#TCGi{mirN?n&iDx1N8L<7Nv==D%!4YiAk8ZIk(w zS{rGOgRgW&x2UrN=j$UQ50{|wcda+p89OF@j?D1%>zPX?& zgv53Ce(TxuzMK;3|JDJYIhSk`uscv(EH1W2%C!aA>7*-Ufhvuc~gm+Gv} zGiF4*iI z6GWF7@SvJSGMH*AXmTaCYisQ~s7;3%R}^(sGF5sE(+6cZ;pKe!lp_YNxH#YS!Y#75 zbIIO$YAD(o4#Q0}`gpe5`*c#(37KXj(PYLWG97STbfrd*-vP3iHJbxXu=AL845AGd zFl=Dx?_Z*rQ;7hP5&JX@(MNN>_=?~AyD9Y2~A+Zf}~n~G)PWD zqpPS>64PsMl4^MAz{ZmSnz`}RQA31m{Lv*+bF<(rMpl)hzir3h6xl zJ6IIH{UR20&`7<+np)S{{d*&31*yZ6&(uk}nRQD0Bcu2fH#Qv~HsQGJV2mi=G}&rj zf}xXVt|0y6pt_wag<~sjDzq5OSbCBBW1IU=(Q4OMoDS&6Ptl{J@~)Xk%Th&lbJP6G zC7A$ek%J|4=8o%8nf4dTDjFZPoQ|@N#2b~j$>N6;|8%%0=`h1z$3&1|ilBA=XORXs z=^PZE;~f`f{5zrTiyJR)0ih2VmJ4&bzhr(rVNmlHahglGN2H-ajTRwS%MJ6%`Q=mJ z4^R}H&%(!%{e1J(IS8w!phP_L_WtC=@Tl`K8bleHZumZICe_y&VqAVGUxnLjQ{vVG zEZv3X)~+uIwjAidp1aGqp-fRPGc3!pDr4P$QQX){voLT7wW^P{C8cmJi#5xRz?AS${kenmD!VmBLkFDT&^CVnTYCMZA-JrGx|HLG zKYd%Ux|j|-C~!{>O&Kyi)mI=fE0ZuOr9QI^ToW#h6LV%CC+Hqe#5XM6zHK&umnyO2Y6|E+%bZT? 
z8*2IEpzem@!f~+@Izt4i#m zFc56V>^tZQ-Per69^92V_vM-&Lgt-=6snK*nM?I*9<=BA4xat zvV>T82^;83QHMtNJd!(Vc)GOAZH>m~&&}1k@FT6URw5VnCE0=YWu1_~;wFKXJF_YH ztNK}7NdycQtWue&j0@`P8c9zbK$@5exYd&yId^R6^>n%|l~go2dZHtA>Jqu|$iyfV z?yRkzxry$9R~yCX5F6zMlZ=0!kP#KgvhO-_B2R`@ws|(-1mj9wi^q;C!78n31pPd< z5*RFT?#E!>Opk-M4_w3rsV!}cAI#KG5ctGBYDw|KAG_Ld@%}hk@ziK65FAzTpAdot zKQJA$q?3sv*=jCm%5lBrqAKmdlZ<@~U+8fx>o}Lr#=-DmQyc6-bc@!*rdBajgP&~0 z7|%uLPOfxe6V!EL;<`%>IynZ|rx2HwBD2izmG{o_u_Zu4YURWuzMroww&rnKqa1B4WhThIyJqFE z!^mKAg=cyG_{~Hz(2XR#K^T)k7|m=L3p*!U+TJ~xc%*LzpBEd?r6-$U?p^8#X zvz+-Dhm7})w4c%W*BO)$gpJzUZY`&;rYv{wFFLg5yfAKcB3itZ>)zt> zZz~RmcJ&%$${mJS;Gd{yQz@Lgi=-2bdtbPe4jEI4CBbxEcW^JutrZORG7Dms6Klr0 zgW@#90r_%APWSK3&ZXBO03$>2_>9Sd4F< zyilrE0e{C*ETiTbg%M@G7aD1PB+Oob7zVcF4?96hDn@k7;3Z)4f6BQ9AM_quMp6G> z@~mKYK9ie9J8ML6RFsid2yA*0KD&Os=cV<^kjcLtmS@{|B0D_jp!k!}Z`*8p%1FsD zTQ_YEiQgEun|BJYhkirA1vqeRG0xnrTddlQ z!Xj>gVq~;4%d19CXvawl8_!db2}h;Q_?y1Wl=C#)nBntWYLm!3o$YhFMqg}j6XIha zq7C`9OC`N-6he2ZIF+M}sSmO&D=gx2teZx>L_!_Yt(v16io?*6v^3MLi*?fW>u}TN zi5mdRk)0Bq;1k(Tze#55>6UCOknkdtEP|1ZHd9NA5c-EIA|vY=3NoIlbT#)-H*sCN zpR5us+*!!NQkRE z@t6nNkSUkw;PQguJqm3Pa1_c<@!h}o0ob?~$o#{>on(t+w6hXbvC#p}k965zkCd9j z+?)M>V&x}!Yky+pzyyq8Xfv8L$-WT231jxz$fEvJQ#p6=r=om(;nKkg%?3QCa1J+YEQo93A!kuz(;pEYf?vH;RAjt&=@VB!p8~7R%$A&;jmqsh?_a} zMP@zN?6<@FbLAS16#OtH2_pytd;K4th!{aiG12o^X2~i4`3@scQS568?XYAJy`4|0 zvQWWmu3a)-?+%GT};@n$63f(uP%7NSz29e3uehFfOrc!G6+wL~W{2GBQXDDCYoR z*IgRD&99=gFtsF&W%!JJA@FYhp_SmM|Du(y{-Kqmx5wG)wr>ZVCsWKK+Q93{!!#GL z6k8GxNX-0*ukv9@*7}y0F}CZZft`4CNT&qC7VLJG~{$$Ycr++DD%M*9Qk*k72PU4Xfr{-jk z&=l1T`BBo~nq?Q}ERjua&y_=1s(^MxY>hqt0hvCiJ4Qn8A<1UOXp3Ka1v#Ef^mL>Mw1<&L`XGusXK^7 zm$fw-9OlB%!ljIpw-w2({jrTqLNAe|B?{AcoD#>u7`8Z^uT>>TI78xSa^n?PCD}a? 
zAe@oYw+;zheW8W@%$>F-GBN&>6f~_?55`PHOy$0s-bj}jMNK@7WM=u9KdHenz?L`O5qTN}ITOyvX^;6$#WJVY?hntD z%%)=)WcnA+bcm*u<^|xH^#0+Q?j!$;X9_O~U<$fJsw1prNI}bJW#zi3XQ3twr{vrj zF${eOx$^NJpcAe6-Nsfo(xly*QLA^1u1h!MeATP^a8GL~^Xq4*=K#5b-kPrlvsipn zKF+|-V!m==oWW?G2mW#I$9Q3`EyyFip2c4v69Sj|^_{{;N3r#PgG@o_%0j%{Aw^5^ z$NAuQA88&HeRgA2JjokSCTv=b{LWMAO*|io1|i9xqc5Y?8GvnJz`*eMgW)9=xx?B) z1&%JL^$(RQ*=Zq+V?8vm0Ur}iyRa2>%SOy##@Ri74cXtZclI^XSJNLx*)q%e1C(*? zH@{S17c#E11j#3P?0HKHY1}S^bMA5#rARPl{z!u^XdYiDLwIGpGpVw%y`y3=#3GkM}sM)-cf?; zB9XLKDVJSH?+xU|9;bqbF@dItxc+P~Oy51bXX!jzgHwsm`8vto^=5uo*J0gK{0O7hl6Ggt6(R2bU_04Wi>%I}j{37l)sAoqpJjJ|nYDKxCX`dJQhJxsw6rw1P z@Xq=2a3r3*DE(E_GDY;Ke+ zl%w3>b0XUUyFICeBe{nX;ogW z^b+*XzVPj;__im_`nk7{UN4~J=@LB!OLvOJWYxxMH}Yh+O#LZqmjfbg7;_RYdGW=A zXg`tVA%&R@mF-2mpPe+M7tLg4fD8OpI^RuP((bFw$buF@Dk(Qy1L@H&Pgt|ag2cH3 z{Rri}X!FioEO?r6qUez~CE{Ngn(g@|;H3RN0^>roM1)8F>3KXjN44!zjM>ivVF(Ys z93#7G%J3#@hc!SjuE84NY)o8bXAwqVe@g3FiY94f^p(f!cS3iN}rnn+Ig)n*ifYOoBt8 ztT)kobm`QWlssFX`4w{+iOS&Oqgh17b=<3{sm##uYZ0RGnv{EO6@7q*N0nu&)3Iyed*H~N(+O%BNa8nwh*tfwA~?wTHxPfK6c}8pz}My3hZDx zU>Oo$eE#Kh^tLM7XQkRmg3Ulv} z9Nu1~ebm2-nx2+4{^}|EZhcH1-eHMcrdp%6Q{gV1nI9#-z za?TbE+ZNEZdsfNuGm_<;eO02I{AX#@8lYySq!Lus=%(Gs^ zuAT)Z>p;eDz;ZBQO4N{1_7)20zMh2c(2~aT8)^^}Qe4czaBb1H9*_iCo{&gG*@`}S zM65~@B}~Ck6&#W!2Jd%o8;^6VX!svbjYF$N5Wot9xsiCW7g5_*9Kw z9*jzB^@-ytMSi9eRMzNrW{2z$Vk>GI-9W!66@cTERtZ7{=Z^JnS^O7jVXMlI;6Cl*LN*NFw_*C>}#FUG3aZZ z=AXXS=@)$0t%0UbU+dJkshN4M$=(K6jxalt{aq{HP_nPxCLP+=ym?Em@e=5K!Oz|t%`t+4dzm5CQ;^LA7N*&wHPXBp+ zu$}_+6kr=u=qZ3vb7KmSpf~u1RWV(B@{B5<|7@tblg~_!7z8SMO`WOo^zgqb-Z|u+BYlFPU zq2B|{L**Pkx=I&;Nk#geQnfujrLvtzPpQ^!N&?*BZF1r+IE=zlt$Y9f3`vk4g2*@o z(lO*whAh&!p;i|{RFPm>H@Oq0Evc&3oa7hKVXo)6n)#Pvp(sLv>kljgI9_g=y3=bJ z1T*te*9RJh8UT&RVf+OWozaz>T=~-|UJ{|BsdEiA1Yitwurn0^jos!`T|y>f1iMk- z$qj2LTo%Q-<-{Yb`chFTLm;>oBTRDP)3uW9arjw6l~I;a;7?J(dKaynTbDGbj63X% zrRL=pmYLkRc3C&*F!f+jNZZsH)1v#&SGBmUbWV9!G{z`5_5b?qLg=3}t1SFBetU9! 
zv^Aqk7JQM{vl91Uwa4DdVvZF96*Tdh_kB^vj;sp%4Z=o}mMK@@gmMC3rLtf8T55AtY*hn(GDK8aD3ry9=-`Kv5$MCnIo9qP zm%=N_zg}2OKG0G5fJ_DzI+K2#*l!toRB`GB7fLFQJvvm=6-9DQxHb#J#afq|nZd&Q zxb!&-$T?@f*63Zz8ioHd2lLcQ~t}vP~zhMsc;SLQ~09Rw> zO!;U@bDljhUb3bHI{LG@iSxWjeCU{J&NQjU$GRG=EYP^#1lpTGE1up2`fZ6(pWXy& z4#BWYK6h(g7158tQEy_2MV{F{=n+2JZNQ^-xFdUQBlOZ5TH~^<1c3G3wzq61)%bqp ztcrXN9k#^WaWxZvjQmxbC8IuSsCQbe2fKG#t!=uis3D`TWem5m)tP{1c2She)Sz_7 zkn_<9deJWv%#Kq`4UyX!d6lTh=^+%Lo#hqS@Di5UOp4QQnit-@m3Bhtr$_&upb$*d z8|!qakY8*Ptx~?`_nZ%OfIdi%FR@9fcNBV(2&(RT)C%8B02n3sX&HBPg-L&}_xE}| z*!{g;+tesT%~GFMM}az0s@3VBbmFsD*+LLOzR8ig<#ev?RIYkV%sdvwih!+_%Rqxb z%09VI2}StlVVL;Fbb_CUWuYT#+M)ihr>b3`#zxa-py%sY_);Q7OS_iDV@6N~Gk0k$ zp1p>~MuHi-4j|sf_`_`!&)|(8YxnZOVnm&1ow4@)}bn)@&<%6oHmk*j?|H^MNWBEXmWGf2stLVfAkL;||Z~t1*#Ec{GzF% zAvz4sXKRzG`y&;tG)mHZ`tl8I{Aq*&ZdUG6QbtwmQa3W>s$4p6!$4HQ^)qP^8vT0q znnS;EHU4^Wae9vDIE|)JFyinJmG7JKpNl0zwrm+-l5Fgwx*!V|!h`{4Qjw4f#N$lt z$sMfN0)&Yumsl;KV3E>Hum@&n(*~@;lXM@O+@*CSwRKh7E0Jzkg|v2IYCdN|OIzq@ zB@NBw2>@452ZwdcfWlppc0EsAVSZdV>5aQ=IzL8dr;Xw@Qae$6A&AH^(Q$cWsg*zg zIsvei&Q(Im1P38H)gj`t0aV?=iSQI^p;VNbTIc}bialbg)=>Shmz>gD5bnjK$Rw5xjc73nqLC?5B~6 zi@CkM9g!b7>@=!c<3}6~BQv}c6F5JClpOiE~OXV z_;D02u)+*gG+8Z|QJmr_!IGwLpp8F-4FG7r8wpiUm>dj5B$7KpQ)`%klOykR2edAO zr{EiB1J!AgS`S^5uB<}uCCtL4)#9=o0_TjLpWi9nm#nTM6<(~O8gLfsn@8AG7}l$h)8HV`biYfMOva3iMPNiH&afEOE&=` zV&((C4fumDf&q85Fv~r1QWO6pWQ~JvdcdRz# z+LVEbmf5Bi+_c!X8PkgKhgeuhafv!3D7UPf7)@&AeRP2Ydl)15;`>MY`-Anj%1w3Q zv1|%LH+@rAt2iGXC=QO8q&kU}$4k2^U==+dMQLYnb1)#b;pPz>P_5jV65i-d4KU4I zgjVdc@?~>5=2|2+vkDERyN6)F^Xi` zl5SZeM z83(C~pf`vMSpOB(MYF8r+*nJyN)>2ZV!N-<+gIrQ)}Ds?zcXMrqB~@Z?MwdVp62?$ z2L}g_pA_o<9z1%q-`D@$#Zw|ocv-w%^1W0p0lZAIlE24lf8>h%TGNbswlpGeCtjdc z5U&3aw;bea2J;}L(!<$yKP=WCuB=;JRgO3tT2Lrifm5*V3C~Y_QT%vBf*19Sfp#OR z|LWr{bNAX`_-Ua_xdC^T-f#>cF#pr5*BYMMFeSUcuE5wc{(__o;tPdhq$PYVqge@& z_>_>@fY9%=ZiN!h`CYKt{Jz((o~n6pr~C!g4si))y&P-lGyVdYic>fk=RyKj;}qX) zgtfd&=`ZbPwcJ6ST3XFj8j#qFm+ulAB#pH?_v;HB9l~QTdCxd8*9> zayO>(rgYr=*M`W_h?=O2P8aKL^FH;FdkbV2ryQR(ZUodRYb< 
z?jyK+9>@-?IDLud_hI%cTO-vCp}hg7e@gX*S;3F0{o1!OO+6nitr;vctN@xZwI5+6 zV)rnfClB*LyYSPC@+2xIkncBihC^okhumgJR0{CP<6&pYm|1$)NtQ zVgGCneGM)R0LX9AR!A&x(y+d5do2qFqB7oPsImqC8MM&1Tw`aGuj3q1^ZUk2V}Dw8 zJ8OuMjfV?rJ!HN?ho^lwLzD=LQHc%lu7HQi9<^VK-Ei(X|3*Pw|8|3eI4^#1O4O-l zi-{g3-~b{V5?&y1RjuldPrmmCJFD~~8ej_g_F;DQp2FMQodPEY9nid$;xk5M!YKgd zDCdb6&c)Gb;T_-Myi1Y-fVrES5dAW|$q(;^H{D&+rEe=k{J0&Af9NY^9p%ziz~Sm%is-Uiu-%AZ1d9_@&$Lq*36- zMe$VovFoobqad2!oiEV@2zvqbx_<6J)i&7}5^X0fV?QF%0`K0uoKkvKAhNX`d-d#> z`ZVZ&LHwTiNxUKp*JL%Dduu9!oAtl@2agV(7WBW54<0}5^}oA#io_wB9ji6}k=I-^ zPU*^E%Cm5nse@0;T{qJU50|sar_c>cHJt%!7Jhhm&^ ztz_z_jK;2`%q(0?HNA7UQ;x27a8<>tfTh2o11t54vcU6z!-`@2h;{S@rNK}-a*`4= z8OR@nMzQjp99z6B_NjZlTqRez-)_8kl7Ru&k!p%LCDb3cc{q-i4qw%z{wsFNS@SIeES1(j|66fj{Z(d(S9oB_jNx+@LWgq=F8AkILs z8J--&D=|=*S|jkAlHkTK*C2H`9DbGT33_jS@r((reeHs{^EtW)r`|A)XudC;0UEpq zHvPOA`bOFJb7vrStB&;?l-0(r-`X|YLGvBo$}Ht+RFN>{sMc3~1sdbwYo!)=3ce+3 z(Vu$#b}Vrj+7D9{amkrTAH8rmvb*)`Clgyi+^*@$kMJ)HjcFt=xkkOpB(E|7{D>4j za>F;Q+Gf+$u7jcrP5DYFOm(A0N>&uaBuJdWP>o)`wh=r$x4c8J-9gb1x7o&Jw@T?% zS>A!$wb6mC>7JMlruN z_n;)FU;I|IC4D*iwegJeM5&TUNNTeyYE@DbzG+JF4!_?`$EIuizqvVuYTv4~X(AUa1SWdAZZp9Pyz}Gze4RMW^fiW^fk7E2n z#Rx@Il)CFawN-Hh#rT1|-_-g}Qct#d)wR=qVR_o%8fc;a`_G>|D$xH&`_KCL|D8O= z7{Yv%ZjC2Uk-$s#-IC5Xu<@UO(pQG)=CDDr6#4M5W@=bL51YpCkoX#ti}v%sh(Zht z-rD&;IN0AWo&N*)sXzZac&g9;8?okJ3xn5sy&CZ+l40*3yFvu^FSkc@{bwDw#CDY^vsGo|bbyswACx9-Kyi_#nI=$_*D6yK>6@G6KuR+~6d z2B6*C0r*Wl?aTJ>f|@UW{&zwF@Xz&bD1!O*+!4lm^)tIGY<7HqXY_YQ?VZtE&ijX+ z2L1017u15yCWVAGRlqIwpC|iIi}^nuJ$=&W|Jcc6r8Ph&`UL+Odvl-C(pULBy;J)} z$ABSwmaT?X^d^`Nu#ai`7UbHG?kkv*V?NEH~CzO&E&RcebJeGv+jz|T3$PX2xmunAT>sgpk36>w$xEn{+*WsUkj*^>c;X7m`n)z`RWccpbkITRT zb2GgjO503b*CT9oQZV3Tg9ua55DW4CP_>*!bsBJ_E6)wmtKWH~%KOcoVU5+~G>#_T zNLK!>-b97Q_@aizUzNXRMkuqON72%Cmz%HrM-*qko}wKP*dpSZyI1e~nTf zh9Io@y)qHW@60?huu}CauRx8Ra@>;fE~nnCkifQgzvtdzeFfhQj=jLWQyPOu`?)qt zFZSu)%k&BIsl9nVMX{6&CA%t`Qdb5gyR4CXCWX}?X5*BW#FSPu{O;^+7~JJb5KGW1 z=vYe$7k%EXJuUE3C{9w33cmXCXyf17dBbM?TRTEDT$tfu?J6pAtX)@Ak>A}_RTcTY 
z-Bwr0zWRAoS;?-eHLI-{4A6x?hk^cY<2oR1@&8XA73)7gdHVcuum9V{Bet!c-KwAi ztdM*^pAsQzk8ZP6h>7~J#Zu>F++R(3ktXz7lo_!brWBrP3Xomd5!<11VC_m_nSJzA zpUGW52J~Opjkg#7|LjSj{>P((=g$s$`oD{3-Ka6LQGW$yA7c-TX5}h$?9e*2LzBDF z`QI=PRLl8)^yG2L|MTEUpZ{Yg&u0)d`b80dN)fM^r>Oe)e<3NM`pjz;>~vR1aJixsP?Wk9Q6*j6Ov5>*-R7j9mWlgd!(-G+~*-ud0o07FxLtQG+3 zyB5?ab*q(W>KjCZj^ePtEq^!j`+xmBU~T%J{U@dRuTKwp{(mQrz5ZvHDZ)%VKRzk% z&>$0RH+5K@3(FTNg!IoRdrI_w1XOO}&%-G0jMla4fA*gj>c2jFe9-Ivck+DaoVqD) zfdr_6!|U$cUU{K2S@{7b6L)}!Ub}OkIrqMEF0TB2*Z#-Dk%KmE2c$0Si6EiBffM+lH@Y`E zK7W5sAwSQ^+#AjPbWH!t;NKffevilWzw(Ex`56C4{+Zl_<7}V_ z%x|@HF8#nu?)|S(a=V28ow(QVzv%-19l<#F{@4Exdc1REKUyWu$?;40E^w=u(Ei@Y zpLy<>o5N4{MmNbcnt9`U_>Hq;=j`R-@tc>U#q3_jTutLyGR|Invh^>We+5%_-)KJn zkDnhrE!Ka23V-$Ie;3bp&P%Zagi<%Tckh2M9XEip^1~qTF4Muk|8IXWcanJe!vKAf zk{9D~?B3#eyIM_Fz<{8~6h?<&3X;-(D*do<{c!9i3B63BVGzyXe^7uNEyMW$$iXbV z`eAUezyERIjQ{`@7~|X578Cp{9Le>{+rfLV=_E8h!dq)eH(v$;3M_Cu}t&<`)8c;Rv` zlK)83yTJS563*~2`R|n*dk>xe@pr}a?vK77J#P7cXgs90t)t(&r;XUQOV&2P6fk4bbP;|JU)^y$>HgOx)z^9$w`bVh}m*Y*x~9ITFq(`qNgH_~H@# z5Y7k?`qBWci;a*FTqisPUMK05=a2{Qy^BZi1OF*EYS-#Z_QBY$|2pXKH- z0<8vG5G|ZD=^l3P$2;kCyqALzzEk@>AovNkhI?}A!sX&QDqoAZ>OP3R*z$uzZkHoM z(yyUkgQiueBdUxHCks+3;3ex>IqwUc6d`U3LYSZuj>?_bW(-W|vtc+TKI$HJ!@|CLN*pDe@9zwZ5Oh!6j-{7>#* z^cRe#yqf;yL{we|{_)|DKR>{Ka2ThM3Cps%5N`kFOrj{jrl^U<#^+0K>RNFVL91S79i;i-?Tr`5z;i*fB*h$9*ljSV>!yXEXe)V%k+#_7Y!&h*&h-L5 zlzzp|z_g0q<-tpV1UZ;aE`N#A)7VR3RchfYg+khg98&Gl>-WWs^GshtyZ^Qs{iqtCmM#Z>m?CzX9soB{sMA(@UnA2!hGg{H9 zCqLvstkvKJEz#aU_d^=IIG|7B;F*`9!)}Joka(O0%A_+dg)WFpPcbgn>W0D-GK;1O zmc5#KOE?~QV1vj7DGLBh#@X1(xMmhA(VQU;i}7EE9ZUY4<#k46$ac;Y8xj{(d1+Kw zlPb;xTrIIT<(r52mx(9tdvT5LkDibA_vp0b(~uFTbL&XMR}f3Gld?RiV*f&IbDm>@WRiaQy9HwC^h9Ilo_ z_78nnHJ?IE;s}`1==L=BZ~VZUdoPoz8?YX!VzZl!H+7fp#1G&Wf;r6MX!-a3f8-bE z@b&B3)hUi9BQnmSDE$fbNO!Pl7Zsb*Xs}gynEVojIM^mb{0b*Y-vaylrrqIhV7yK6E|Ie4Y$@Rj=j=dp1&)@)nbA&;icX| zYUWr>g3A-%A@MJ&THtRWu&5SsVaL;)NAl|eZsG@CY%A8?Raeh{2RIP+#KA}gX?BBKJEH3tC21&}ME z#exQNGPX3QPH+>=Z&HvYLF7jgnr7t~H8{$6fl6A^tTHpyk+mzuOtoO9YOi*c*E%|` 
z&XrnCS}bHd=)HsQC7Xf2%A6s7qARLZ<`8NG6v9OXgMWGH5n<<{E(7-lZe`d$QdhAD z%W;hj6T}$in?UwuHStHzDcdSgMtbF^e_c&7^F@T)5ea~TkpBdD67iK7_F-mgAV{^3 za6gy<%t{<+GZmd?XQ(DraJB3yO9stlIgj0$AX@2F9IfV84%rb1bNq2G>;5v}V^Viy z_sXUbI*$5aDn=Z#4v6%1=pY~);f-AS3{%AN zZQHqu@)PSMJ5xfMP!kh1h8>gli5?PGZVz`SPgZ)>4cFA5$L5 z5lMH87x2h=i7Vjv(j3Z;Lom*w3X(cL%mM&T&TR16ooGW#U)#3+lRvl{jVFCYfFU|1 zmZnf%H2OT8aFq3&!hn>;1XTmL$aR3U=vrHqq+h&Nl=2-JPp*cc8!B zs>1g3*U)yQlKnh%unqO4Dj<0ch}2XNxR|8ML2kjDy?59bn!t;~OQ3=D>H0};q~mR^ zb5#^3S%i?qrwBxU&bxBC1X_)sabc+e(G%|y88R5gOQ=kO^LNoZ`#|O(nU7|r3p4v^ zOpem&c&gV?DE##u1OHxt_FjPYuxg%R!zG%%yCr=93Td}49|$QQ=l4q`D&qzuo~?(y z?Vv4>uS#_7Lf7A_+_%)`mr|Y8u!Z$0O{>iFf{aWBhe*@FlZqWlf)UPRNDryfL+Kls z#V552Fm8@5uKWpzs-5f*Hi+RbC0&5x>-5elyA_ic}vS&QH%Uq`~O%lfu)g`N zv5tbbHj(qDir%W!&mAg!OP^>}qt<8fEdy4d73D6(U1*NNw8e;2X1fNZz>!Z&qd&+g#nw@jpek`ExY@RS3lNgI5Q=M()N%aY%>*I-9VPAy1HTP zRCcwa7^viVs%$}`9&v9U_8wdl&WRC~>dOFC8Y8D#(1T-8_ek2s*b*PUJBk3ZCX=M30E z4q2`rG0y|1C#z^7T&J~0l>^PPaCq6OCA|X{WWv?>^H2I`wx-axIYmO&b6f#Qmaw(E zYz~c|sY~t9*vWblUr@S-W^9?{erU(YZW2LMod*g-IA&vBA`=$-1Rr` zl7Ig6X>I;Dc<}yz^62T)gXh2t>>oUN3a_1~T?10}eB<|j)%xQdIuzkS>sNiqp0@md z`;Q(M_`m1Rp7!})ck*zFR!qO`&R;mV@;&wamY$0I&k6i*r{A!r|4$zuJn!lME}ok8 zfB!xS-DPqWrSIQwycz7*|M~N$kNWlB#bdJm=&$fTvm3p~Cd3$wuu=OrTJHZR2c`V) z&-R}@>hJ$uJi?GcG31V1bF>vmM;hh>kwZ9m;rxqIi0gUY-Q_aD0)O~BCw$L5#kgRb zmhc@PJpnrpwjAXxmom8Tg>&}u^~=Nam&0EU-@I(-z$r0j!^zzX=dU36HZ$RaBE2s3u_ z!Z}dClDYcL#6fb#0VW`D|7M^Fit5|G&MjZEo8}7v0bMD>&|lq%)Qj zCuz5nna;VYlcwG#smFGcyL0AD3`w-bHAU)>lpXin^WX3D0+8T~M1ZDbI{{{Pwy^*Z zcmO=_FD3=&X^Qnl=do3MAnJ=;=U(#4BP(&OzwSlSv}JTGY5F^!)%e}J+Aq!SB(=vc zJ8NDeo4TNL2x9POb$FGXK$=#{mA1;hAX+!gTeuFRdLb4A?0DZyj%#b15&z$v^{3Xt z|Gzjm__4zO|M2X&GcD4#P5Ig{Qbk`=kJSu9}J3oaz9sDr2FDi*8+#z zJu<3}*Q>PM^Lm@H*nLwo*KC^+|Ch|tZk!*tjr`vaKfZkN<3Y9l=Z^=j{`XGW-TA+O zayjC^(&5!l%rxozAiG&9FDpPnB>2ZsBX?LUSBb5VKL(e6Lo2LpwMazAQ0a z@>Wywn8pG}gy%G(UnDmzzK?#*nSTki^HW9tB=u1`;+=*85LV8RSw_ebomR25i8i=d z@3od&ESl8M@UC>kU+nV)m`DFc9%zkoxmH}sWfHHJb>=|9P_9NhGz3|kR0!)JpP+3kdH@`b0%OsSA5hX_*?3LHZ>uNF 
z1RkdF*M9`&%T|=Qm)Dp6=YKr?Kjf?W^Ur%2A$Pm?{eNNHQ!1Zj^|PlmLF1P>6hZr` z2vV#uH9Xn%fe4p#p|iUw;MRpGg9*SMjgOB$zBq085kHeV$d)b!ibu@crWCg`#RQUh zs;DsLvThXOk;*7$dFcDz%^Z-t^5aZ=N(TxjP6=euu@TVXIo*vD|Ki-c;L2{*7nfij zyJm(`L!3>_roN*mxOMJ}s2J6=(yDvwOO3^GL; z(8qLzxj9&?6iil_Ol36lul;b82A2boOy@xcv%|TK0AK@JY(&>~xR`yH2VXu}%k9># zBsan^t#C(7gJDiW1=-NP3h*jt-IF(`XGO#i9f1sDDlT9Fcmx{2gp!{@&x<5p&@6s5 zTgDjTN8YnUI=pl>0r?$I^uJfgjKP@!b8!$b6~-8R?}vgrUp zXb<=%5x+c;Ay*e~D$;o4iD_>iqrFP61v&-^-tG)Nj^RycovRNQ+os2ht>8qOf3IGq zKQUPzMtYG3M&?@vX&?Uk&FLR{?&YU&FCvh^0Dc(!Je2>R2ef}rfqa!gaFbXGl4*X} zg20CPCG@W3caP7Plg6hol{XQ%Jj(hUq-yWCO~+fD)S4rfz{9kHW}s1!QHhCsJu_jV z*8-M*q9-)L_{I7?;kFQ8j*Ij2>J}&2Er?9IwOs{l;>y3p6wT{ax> zxo!ET2Y{{6PvVN&`&YK11!rtnFh(&g0hK7~RaR%pNNT!-d6rPb7&8^WuLxb+#%(u` zjdQ>ry*BGz**>l`-(&?A1B}{@Rg&33Ff;ss@#Rwuh%5?xq#^6FiDKOYq2Eeos41*RP^xXH(>1Lm+bWl>ML8B>;e9A%ZYPd{94ZloaJ$V?uMn_fJ70ShL z2p`)Afelt~-nnuF$SJ^h74Z)+Om5YyuDs_bSg8Y8GbznTOwEM`PUA(9X+O;c4eltZ zu>>eW4n9Enp;FAwEq_K978x*8NMWrLR`yEw!@m8 zu6rs{M$1iY*p19mH^bZkQtHjr(~!xQ2b`~YSoya)|6Fd2>YwHLwhXe3VnkCb+ctVY zcIB)ZHLRCucTDJoYRVXplV~@j>Clnfeq#@bZ<&-MBGplq8A5HIR;Ef*xN@~zhT0+| zttfv@C9U5gf)uM+fZ7?0AvFe&XUGA|G~yg)KF0)M!9vw(S(ABY4a5KfDW&EN!@*S) z-$a^Ln`ZQfmjLdQ(=jGve0zB8eUjOkyrUVOPj-v*O0g{8XAWVpTynW1rK{0Zq3sQ% z{Dl?JI^r-jOeBdhuhKgrFL4(Rp+6pkt~dvCcnxT++o2bBs~O}XjbV39elQqewRS6J zzI5SEl>VD?QYoe=n~O}*HN{hN)=BK837~cYGq#<|jb}NZHl3H&bB4> zVEC0eMS?>x+uM#qFuOr8$0896hh?mH@34$Lyd0MKmavRPcjK;8@yjZjH9L*#t#nMs zZ{Cm4Yv9M1@Jy#MDxnU?-h?J%;RygMtEOmnIcc!c3tvbJKWhswN@hG|jrQ<=fwF@C zc6N4rnnwqe@)eU3j+1mJm~C784A()dtqez;y*ougHsZ{4Z3m7ui$(Uzo7`q?GP?17 zn2O^Tmx;zhIMW;@at&p144lx}{2=-?Wt&lfM(j_{ZRBbNI2_A(s4U)UrL9o1wGx9ZaDET;eNDx z)-=k&Cp1_?61k4jK+Y|e*?O|Zx`b5=yFSSGduP?bjYTNfr&BwX0rZzR=RM`SO72x} z@Psr5daNbJo}!MNLRNgd&jKh))hjHQ*kLaYW^!V8#I~YH*1uDLB{_!7;d80oXE! 
zMfe?CUT^Vl+5*BKS`A*Vdd6?}T`V*tZ$!SwdlV#~4+d=&**v8V+lGRaj$tN;Nx`8n9@)Qm3&q zfYtI&U;sOs(|?UmK4`gr_>ojqRV;*xG+ni_+Q#c%lUH-&(xqgVE3kOoN)nf8@+O7n zDCI8Fa~idL%*<;{d5onJOa=oe$iRmeR?d;x+#J{>WSEpkC z-#^-^RB?=lB)tF3TDwh4g&P?Hs!-t`&`sWOOhh^jmLjBaMt-I?>!KII zUrnJXf_j8YUU|4CfknH^w(VZ9S+G@K2}@;7Ol?@H-LO%ewqV6ReHE;eC77&OCVs?x zqIbXrhuSm_A2@vA@WG?R2gY6T0h`3;%e}vle1Vb zQ&zn_HKY7{VeZ4so|jQ!(p$ze?`i7$o)EJE{9_Qvp5M1wvdsk-tAoHHmE9POP~UldX9ZcAXaw#Z`potVYlx@8O-eTy#!PCYM0+pNabVX67DbT z(3pczbkr__ng_iuYm1Z+!oPCb{%BS%!_bq8#Tc-}g8Z3;R@-B3)_vq-H`OGnZQWH% zcppVi!IsOPpu_HOZ!o+gjjEjvGHpf;2mh~XD!#Y5qeW3fG^{&2;g$M zOgG9aB@6((*6DjI6T#a!z6^aCr+plX41Js*k{|XR-LT)*YOHo$IW{ZLHG9`%=g0B2 zC>gOiKMv=|@qqj|JnyEWrPu}%lVE)(%MfmjUysX!b~yZVfN2 z%<?WEl8ZO8Eu4?@bdG1Hl5A=w$hEkqvCNPIcjvn0R0 znc!BI);G*rU9l@x2oH7{dat$1rd4bQLQc6Wc5IPr$&zAp#=*o~6@T=LogyClKY(nh zoj4D?0=Ry)BiXf2{$m%K_hsPJ?v5ep1~12uIEJLL*)Sw&-wcV=MA-V*NDZAVPl3nq zCYmkd0FD*^My`=Xz22!hJQ?ekn~jwUR^fohNAQa>#>RACtNm_6{!2yUDdS`$Mk$lOpjM!G>2cTckl3vJ-i%#`IhjDWe!2z#%j&8kuZ}=G-MF@ z)k$}Ax7@SN2gvyVwKnGiRNIxq>e~g`!}0;L>YkZ;7?jSJ3N3Q<6l0fatN}8vTObD$ zUnG8V2d@anZ##b53SN%ie$<%xLF9m3#F_uW^yKoiC-OgR6x1j5DZPqsLl#4d{q4(9 z0@+E+Qq~ne2~9c9lX>IW41Vmj>Zobq^V(t$$2^eHJeNTqXl2l~qS^*iTND(>W_91q z3yaq_`J_}-#s32DI1=GN-j`tzkFK8$Uk(pONG(U-HFh`<;c_kxhKFOdjJB*Z*mj+o z3oqQx3XWsDzsy=a6(8@siSD_z&PwzGSKYA?d8f5!2C1pmE}Pc3rK056%nOravno!` z18fSEW3vRWZFqvQkYrS_9GewGVBiLbEhpK9ZG31(y?OK&h-0x;qq8xD$}as3;zUe0 z6YLV;{-Eww{snT#R`LMv$iq47=URkb_n!6>=eJ(=pK?(mk`cVT;;LJ?w7%bCK2B4=dJ?S}_y#=@X8q~St!pRA zx=HfR@C5RtdI!(`uC;)lyg+3IBK^uZgODpl%BxXY zkS_L%%_a0}G*fq-4w3W_r5K6|!?O)he<|8ew19`y{s9be2VGeGC&%zX`Os^yDp+`L zBBocEpBQfV0tpC1hakO=o?5TGJ-LcK6Y~o;YxV_aH!J>B+a_*F&%iuWe16-0Da(B7 zXOv!kwPYH)1~d{LTQd+?>9Fb`DEpsWvG|rdoRFg>z$e30on_F-N1>|I)!c2A77*nF zc1@A8k1XF@DE9D)&3xdO^CEaGbV=`*CZR$F>eHXEX~=wQ~FJMe5BswmTVDtk2nxWcL>?n_4pkADD>ZJ zpFuLV@UwYr0<|4SLLL@@oa73l@1shM3Z9SpGb7k_pI!Ef&Cv}2A6zFcGV&rfGE z5~e^r@VC()N3Rce#^M$3XXRM3?(s5zEV&-fmA9RZR`GG87EkzWdqm>_%sD>=7CHz 
zypZR$1k2~;Y=gqXdr2BL8Ay6gdiHZf_lPNS^^na|f7s!f{+DHt(3=C25J$5f&bgS< z%L1aW$Oz%w5AVnio?%{~6?&su>|4bs1X1?mOX~xIQT}DC4X|jP%RFFfO3+mx9eRfv z|CniPg3xef1-IG2steM=)(P>{cKnTogk$S~cd&KDJ;hKv{DaMwv&FXiFmY_1fzyfG z#rD;3yx2N|&pvb7G)m4*Ya=jC>YxLMta~)J6<{7D;HcNocYU=b)+uM%QKRr6D zsnsgX^6;v*E+4OnlBR$sP1tWrl5dhAG|>`Xbo9} zVkr-hQy5p0+*CztKH(F^L8R$w;SXUH{bdrMhNR-fSGrL$RdVW6Ae@ZJjKg3Wn5!@D zi>Z*FSv9b1+Anevje$BaPWR?ILS+R}mq3rr#4hnFW42}AJEsSEuAGYH<)+bbATIu^JqpM-Mo|LTXbdNfc+i&b4 zku7r|h(${(_jYXBJSQih&k^NnxeT=xD4DVJDMT5**eZ5(X+vGwP|u|e{aUg4!%7=! zE7ay9mtlXy*chu-hcmIX7JuKtAS1ySqZtw2BmBcnoXp^tAkp-D?_Q6Ocjn#EN#%_I z>O-z=+Nps=i=W?~EW2|T#QYv8nn_@xK;)LNoW3p%HYaB}Im=Pzt%A&2&QheJ6DImo z4rW7Kfm7&jjfka!O?GaN+hW*|f@I&U0*NzLl}yWzx-@(<`v7kPeVsrbUeol|J560}p0?U5 zWwl+p>MbSGGU8Q@(o-ALCcsrUBAFclrGaM-__{qIZ8;HbeY}_XVVFt;hgBoE3qV55 z2I2yV{Y?^Nz6xl_X+4h!p&ODOHi_UhN`u7`&2jcUb_F!~IlQ@PQZ%&3~j5x}Aw+|Y=2T2?)d|C1jEnabw;p>B$y!X&27|6VD zL#fP*(u2LB_Z|~#i3vI%M8$IOD1oKFAa?@N8nzyfpRaFJOw^_;G=9V;+R_G%r*xno zeJ0JJ&Vs@A`^Q}C>C5u(O4Z5A$UV-#bNw8imDT?P^S4KHpS71`bPMkrkE@n_Q2 z#YOOi*bu7Nf^SAI*ivMTi}RQ>OpH{umj%quNg0&llX9mK{LrvB2qS9v7f2JI5HGYc zHkBku`cME+O4m0?d*4}@Y*w{3T0Gt-SY(y zF^Rh571ol4%j@i41H@K>*keYE)7xC5ea9QFP1zfU=}>#;iIgYgH80q9PjFpT(;?+;jpFP{_?`p}X(!Mom<+y%s1B8$AAxa?RFT3%%YNQHI z-w#lU;q6@?>=7Gu{Tv>=nok#l>6ey8nQ=t}@A|-`QyU0+P6ydi;z0$2Y$T{g49|@} znaA;!aX!dT+}|oAr0_2N$WJgos}FaYaFG1&hR>Qxb(473D$--pEH?tRgAJr9?ZKZlbdqa9R-| zKp1ctfPicA#tpq^?JU;j#@Lz(Gq*0Q9QYcjjApd7CtCWIH5@BiJoS^+3alATY474? z<>2*|I0STZ?Xh$1+LdEh$BkGzb$u1i0bOglnmP*E_%<2)W7}jnwsvP|k3PU$Rq@J> z@}KdTzIYFVTB?m45RAjCGZkUDTMZX8OMSg#a3;~ewj0}-*b`1{+qP{#6Wg{X$;1=e zcAnU_ZQFSB-}~L?RPCyBzI0cAT~%GZ)_q-l|LC#|UEI{{H{f!n4Fpj-()$gf7j(b! 
zl&;*9lIx-*JgqIWT@?TJ;8|hRa$D=qTz_XwEY!b?ZD}@D;7C2e(2~vwBj6Yy$8;U04x1)bh%tyt+-C55Z1?km zb{lG~mJ@sLNv{ipV&PdDY&z7%13cYmwx&SuthSJnJHb}lY0O2>xemGR{cJ26PcE~) zR{+W8{gtUfUH$!uiR@?yrhhcMAh?~PvKY75-$qh%-3k;*7TxSq&TCGOg4(YZMmNF);oO2p4gTcbsDu5f9nL_>yFmeC1sh^u>!{2qLoDmh zDLjNr%#y)xWACM%)AjNUok3O{!;-HvTZU?inBK3Fv@dTZDzzR?DXM63zOO2-#9DNc z+(!63UqY)TDPGP+!G#wdaZpEOOc(`8$s zjAE71{%1$^j3Mkn_2N(^KSH)N@BqhdN#DuI>ex=bUkWJtQ-1ERpYQ#Rc4ZQ=~ zpQx|lzRx<3%HqI(KiA{y4)~G{O`b?@+_=w(q!D#GhxKuVu}*@a-6t`z>5IHiaV0)WQgxT0qbvRHx~rmtgaEq{4J=T%ayZ~U^FBmV z$Y1M8d$3c^U5_>>?(BnY?6SD!p;w2Q(tLIatrRDK9E)MrB zJYu!4^vs$YE(2yc)$nhLBw>cs3Xp#%mWKv!J5-4D&_B~A1Dxe&;SzD)n_s?nw&4;Ir*?;kE^AZTllhXBbxvR0hjAYEQ(790(1~{w!KO}5?EWlaC z!b-W!Ze%ER%oX%j7ecFSC=OvK&19AejWUI$%qkY_fuy7OTCw1Bu_rcO4jM+-tD8o5 z1LA$+d}}sao5^n)c(0v9`U}Hx((X)mi@OI*kn}n;#BI1PC$?_-HD{hm%zp@l(dO6y z9$SpxYr34j3GYs;R6{H4UJ;<;nyCm??|p}@6_52ReR7ZU;Q<8enY0^q;dK))!YvtE zqC3196-Jt)PXCb2B<(Iab5zwO1E-ytiaKK?>z@eIjR@P$;LG@ea(9WskzE&Yog{}| zDVt3tl0`wt%GPz>Tws)~&mR^&Ms@Ctw?bfi_SJKr4f?_#hpv{$Rr`-XRsX;5g}O@_ zrK4S=n~@MOC%FEa`&sDOdI5DFN&@Q2`OpOt1r<`I1ywNct{cgh6)%sF2P(47rKBp; zXALp<_vHNWF2G+z5Ss%YHA$;RNbM>eJreV7M=IByJdux`$PS@jPlq!8_efJ$F6YJ9 z8n0uEAU$KJ5Kx5D8XU$#QNmnoe@P~sEDwo;HU%4Y1onNMhAvd)bK#~X99XZh#?G4@ zkYFjE!;lIQ=SE7Y%>Dh0LYaOHZ%nGgl5!O&eRFP6%N@#;V+?5Q!5`0mJ;-=0aG58F ztTNo7f7ci(xcvB_)&@LElzb8VL`7$Dqx3TzLoZXI&?nq`4AI;@dnOXyaTfYY;iG3d zX{~51{-TJXd1d7UhvMi<6Q+#pjlDSlT_i&TtJgRoiFA@2N1dokhNM^y^1HZL(x2Z{ zY8dJ-d<=Dz7Uf+g{AhCHK(qFyiRSUe`SB724N@M^A*0m+Q$*3BJQlM&Or}&|Rqm96 z>dV;WL}7O@>B+1hbN9RdNt%TE4lx_(eVjO7G_`i9}A7wO=ODD+ygHa-UC?53g@b!8Lm;CF?EOUPHy!QJG)MdEJ$2EhIKNo0 z*_1k{V@vCa5{D4j$NJW~p^M8m*Qi7Se7C5Dpb%whx%X&8qhKeGH_OAD>( zk#!JcY86JClHg;lTCSbzTPrlx9R(Hs$L*5{sCM0M<$m3v+YySws*s^NHKeX z<$;g+d8eYA$lRn6;a1X#phzBfk;hodYX`*lG%z{E)`{XO23TDl$)R9aSv!~VVv zeJh4$fk-9?fBgq(MHLU6qZJ-TW7??auu590^+c?pq!?}gGS8!sW zW|i^|+IC8R7Po!lNoC}u6{fdnq_JV9v7jdn)99hCu|0s{?f|Jz-R=nE(@yNQ4ym6c zX;NlGzaQ3>Jgh$MP3|K!Qf}$T*bhGh>8vw!uSdg3J(R z)SS6t<6Z5S&fvo8A49+ppha6NN1o 
z3=x7M_6;sedZFz1Y}({G%Mq#HJ+P(f<`1pFEbvtPz7@mQ`>#6rjR6{^DwPTd%ybNt zk%Ygs^$NRx$WFu=IT%`g1*Ha3iahP_J9i*HIOC5O!TH1{E=J;)tw`8)yOs2xRtp_x z970^)lhcX-C$b98O96Z0W-o|3Jn{z!bmGbK{q~u`)kb!R+Q>te1tj5lyH~tO79LQ$ zx^q2{PLAG|v8**N^%x(QTZElWqu&)9#LOsr#>^J1j;ol(fS0xgI^3rCTNyuWkxjxd zHvC0<&Aswo+zs8}QT&LDX*ka|N;$_}gWeCzr#`EsAO*{sP%_7uqJT^tTBnqOmwDf- z3htI#82mS9>tbgAPqd>Btb~^PMEwUS511R+a9Y;^oxy`z+mg&lNGnveCb;(zylijD zMnmRJc^8gzj0|II{6B=fItt%s=K#r*z|)IepyXs2mky@&F|Lgsbnyn{qBi>7eyrB~ zO&~-FEaYWg%48LGdSDL4OXY*1+T&($@TMX(r@eKsvN*|`7-l*btV1waxyP`7eSjPZbHfQI%ZQQ zHolnCUeaf9hrmC29*O4o6ObAmk^nkelB`nH#8!;yV2%18^kk*;ztEG5W>CeNsW=dC z)V-H8KlL|3)3$dw8`4=`@-GoAm5MSv$`Xeek2ZD0k(uX@a3`C%PYAAix?kdfD;9u1 zQ=AVLns>wsE^=jm*t5c|k=nV=4{O%cg&slHU)03FbyyH!a;bkcLm$W7-ia%R@ZW*( zC1@z?oB&KxYcKjeBiifGYU45%ZiiKc#1YII7#p-0qu;cfRgJaj^vaeTX~3#=N=3{7 z;ZmslLa^`m{l0WWEKZ^7vD2jxi9H~Z4RXe4G>RvsZ>dV7f3W z{R2!&$F02_X7OVS`C6x;Q! zbo(wiyObj7(`VV>!txuU5=?>dTSRMF3#`<2?^!2BmEtauS}l2XI0z5EVYjJ=kk_V4 z>+%)TTzdtDvba%qG~dL#B=J&x_MN~RIoT_p{G@S@Y^(ZtDbB$bd^WtSoevI%FUFYr zA)lPj7P>LJzaIkF%H13LLR#y#u?q@kK^S$}fefUktB5!NO@2wkaG$@rwv4%Ex zyV0$3_X{d^Y*Ks|A{I3i1~sL&A4XJtk2m^8pe02eMYM?Tj^&uK^Es&zm(T!FUngGQ zEWfC758Zwv?5*wK0bIp7nkq4rNU87x|KxOr$4`(Igx*oe7#j>(~63I z9iIheWV1b1RZbbo)`A92t|Gm8Lc&ot$k-LGc{}gWZ7ZWvs*8x0AeQar`8ekk*g|Qu zp~$l7Uvu-(1dVq>WXuZ>SkiTR=CcqK1y@)`Q4t7!FR5`o|A9SCO0V5Y@^o)V4Z5G{ zA@j0KV2r*Vgj@0XNS(+oj^tvvZKX)+JwPXziElK4X?5s{6N_$P&d;aB~j5tM-v&cSy_ z4eokMN||l4Rl%45s(=evbeL-GTY&d%`Z@!q&(vvURsRV}R=+w;3z6CX4W}B|s~gWO zEhP@Pk_F>sYq5sqCW*JDcJ9dk8r94kDLpb9jF7IGDKm16b^oX739I z_nC5Fd>vv0_%G_*qT!L4;nY6J7B3X@_#GP_UXhPP0vnt0d2L4!h<_Io@A|Ze`Ip>_ zfU6oto4-f6oKE1tNu;P+qarAGXze$x4Ewc)v?3S~gF!vi?gQtv-vvL(5w0JvpYJ=9 zL-zpq2BBT!te)S5Q)-Q!CBj+R$63J(6vcx!9T|&bsR6dwvnD7-h0j~247&W114HGU zJw6rUtUVQVZ1EZ6C5x^IX%gr#E*$Ey(Szg>ulFb0Zl1Y1UFLSLWUjAR9+_q&u5zsbWBd3{ zbaWoB)G+TP>D~KJv(3oX>=YhN$%KxcZHE6Qo8?)_tgCcDRky^i7Hr_i>Q#X*<-uJnml4$=t;JlJ1e($79O+8)rrF~JguqvgYoX? 
ze*gYkzLjDm8@3Ph8dMz<3OG9);{7vxe5k26%F`@X(xbU2PNdkK35I)y;R6;}`lB=i@PHxaRyA14aQM-l z%}4f2hEit~P+{ac10$6N1Dk=SwxmLO{UGCDE#*u6#^eaoX_Fr( z$z;7~hvxc4-+>=ZXBr!jMn~sdnzgRQn~yAUEra7~bT$FYCRbfIiRPT(Kd6>1scL|< z^ayBjw8?L~+0(zi?ea}&Tj9ScZJB4*v)BJn+KXVU-6(T`N2Jv@=ma^p@&+7T!D)p- zD3CsNo>LLFK9DFhCt_l7XmqSB^5OIG>(cza1@@nN;I;0gLEz0ri2Ap;JW|4^v8sZ# zY}KGYT5VlE3L(pT8g6B!?BP{2yKfJ+QXIT$42ubtt>ga=Zm;WuoyM9Um~GpR%CBBR zF;D_{tloa>6-uwOr^}^B#$zF+LaWcGJexQ!Av$uIm4VRRjU9Z-jAE8-p6%^LRC^QE zkmcN}%^J5b^jx{&x>AQ}g>|WgK8-W$9EF#!Hs6`}fx&#h-UO&dbp_@<3e`Q#qIGRP zO&Sez6+4Xkgu!||m9laas2G6y)FBmIk|1?JbMNm0-#}uRFj~Sz1c@#pGw6u7+3Bu` z4c4=i9;|mM6S4u~C}yl#$hE>Vd93kQy`=LtNlix9?cRdgh{u*OsE5LfUpwa-VT{l; z@+a9pgepd15|%?>Om-iiGwDA)Pv1VCGdJMnF55h8<^MX@6(o{3Yb=otSt0>7uQqqE zyxh6oZ|QchWZ2p-Q>-THF-FM5HXb@i$n`0cTN=+YEBij0FKz8kEVo|ZGI*AsQl;B0 zhCEZ0J@E|d*tl`Ir*(3B$LE)toCQ;3H4ahZwW_I=nulWnpd)hL3G3wKse3;Ou&kgN zhQ#<0=2uZok-K-(o})PL1XBO${sZWJhQ+Kt1oIbywwF3%wYELxyIIJuGGnL=q$sJp z+?sB>vj-9Be27-6*6*gMv9dT7Qqw)!kAve(ry@Ik%8Cs`V zjAyLlx-_?4sW{MLd@g2qD^shNox&m|0e}C0;%S6L>caLaiN4KF_lr>riIEj1Jo@Xg zdN?VF*8TXZbFW(OXEjr7l3&GU3Z|njS!c-U`{Z476m2XY7UawU<@}2pF$|31p_?R` zs`w$1V>!~DNlyPn0mhq1X_z-JO1a&Y04|o2>{{3620G5>UFVi*u{N-1I^~M0K%Vb; z);ujK2EBZ98>t6bDsmw`nh3)w_a*zJ(oWDcCpt;Y_UA)?(Vu(yd0F!xcs=0@8kViI z%|G?p#0C<8Kdd~_De(j}0yl{g{AhF9tIG_30V@32I zlzW*`Y%Dv*FF*M>kl0j0=z! 
zV;LHfaMxa<;sGH#T9zF$|82(;JF#9wQ}j*i8&8IKb;UoZO%bbMmHMshaY&+1mWFwJ z@AT989`(5C!=&&jUeXyOD!a=ZFhWV;WEYy7{#l30^8}mSa)!L@vu+ZFNmLhlBycYM ziR#*=8;mKt&rY<$Yx)zM*SZmYx7t$v4Tz9!wu#WLKZP+K817(LQuy~c zikzt_li+An2pC>=d*Jo(mfin&sktBIV+RFjwWO=Zb2k%5$4xL;`Wvx2!NX z>m0ekb-OXn6)&)>BaQu{NiJzxL5Wq??%9bsZAt;^QYED3k8sxV*Dye246R<)I3Fft z>PB;#F?ClmT1T7FN(h$q5xNdAw!+Z`IKO;ws5IiImW)9q+^}?pymt|+C{nH&nBRg> zZ<1^Hh%p=+0kvL^d3TNtQ=#j*1EJ=hjYK~Wq{h5%^HB|tPB4g{$?$xJXmG+U*`H}* z-#1-TDbZ?VyT~NC=y#EHdJbE{7Y|!thQ#JqIflfr*M^e)mu4A?k9=U}xG-Al1urC= z5?)ivO-**T;q<45G;tOh?KXgNdL9NK55X2GB$1VE7GSpvf7eN+4tVh|G6~q*VSc1* zdTzKCtszs2&Y?av9fr4G@Z&pFv*WG#3+oN)(F~U`zzXC9amn@d{R|%Gthy5pw$eG5 z;@a}*TXKX0bKASW*ZcJs0IC6Mz*0S1!JQ%18Y9N5(-@}s_wVPwP}NLC7wK^)b@Za{ z%Ff^=I#_puUb~cDyldU@((B)IkS17A1~Qb(PkK0w>N?6n1S6qbZ*m29+n+0S@>Q`N z-;Je@y`hCDV+T^}B&HtYd+C42Wa#ozbIMbm9xy+@cZS4z=U5ps$4iz)^W@Iq%;U=N z9OdzQ0DBD?BX#QF9TEq+ZWOoa5M==_Oig7nWNi8#>8OG4cQZMTdOS}PQt&^X#!8I7 zhnFLU7X|9fa)k$4=0?yDkkN6M>ScUxr{nS5`pQ7t zv41_o8+fj4ZYYhqF2(O3nKeLq>#R_(d{kj&NurefFcsS`>&NtKxs&I5q>!|5R9k%@6unPHmMJf`E7BaN>>i_BI@oj@x!sVu`8m$i50xspEqU2e$804w*=+=8br?XmT0scv zK^jnV5ccqn;Xr%={&{@YiW@@9hzfJJnltbDHvi^LDSUOrHaIP3vnnu60M0zSQHpoCr?$4lMRP+q!Y*fyNhBvx2LsJrN2ND}aCftz#(n*3B`b+I zjPMJezh801W|0pH8Jrw(;96iG=fz zJ#i$J+?!+^=t)9UI*3aY67Y3~Wwqlmtb5=c3s`MtnwiE_5T&YWPjZ|e%P6e4izIQuj}ga%Gwn8d)vq%t62-87O8*IL}1#vjEqBHP}c$n z%kZic!j&~QPPu-7KgR@^duT}%tB7WF0>Qwf9GRTIT}gWSS09JBtqxK$V*FPJ6ZY%h zQuN=W16ehH{%vDr{Dg+>thq!Ui6Yn&>q~*yy}uC*EEGy49jEJk4qbZvCxURcEpter z4Lqm@JmBeHW;kT`$^qa}`C3HH`Kfbbfg!TgLWu%NQOfw7wX4=bnygQ4Fyif+X5|Hc zz%I6Nrk^cC4(@E}1Il`EMZdR&u__yr^oL`Em*^rZt?*|+*>GYm+ToZP7Jd;+RGh%kym3b(J z6^)kZ{nmN1Hrw1d(3m5?=T|1IQw#_zh`*Sj9qR zsR-3JB{Q`)+KXQpM>=CsbLc80ETZ$>bymP(Db`h>QRY9jU6^DHQ9ZEE{^HRA8QZZg zH+ke+T@T06F}eJ`VU1xl9d83aoyI6MF$+fnUG6@UwTnZK7{W_tzRC-DQb^ zUf7AJa$VIN->KwpU~O2Lj37RY@ywstE`kj9DI74tJu-=;@&o31^&Hc|+2VqL10%fN zE+vASz9!R$=z-=OWY=YHtmTfV&;{YEcC%b|tX70KJPO=KZ5K{-8Jn9Y0t99>?-@4e z9llm~TJn>QNgn0I^?&PslpY61d?p30plEFWc-0{_E;UTdTH9+%?NSt~vr{Lj 
zk2U@!a5{TEaSq;r_#VURf3Kw>H>5Uq(gpc_FKI_5WW40Y09NFsnQ^7;aa`>P$(g9? z;>UKvPQ;sB+n_?R^l!E?$xeN8-G7Gn>XhnH7kC|$MQx256I)me6^Ap_x#Nb3Af=4a z6dDO=t%NSmo576J#EgUy%iw{67)}(RktSo2_dIsqW6HaN_G;@&caI)u|Hmpy9Z}1u zfz%)Ebau>W%yr+>VZ<1!V~$*~+M&@PS96T*;$)})Zms(ty{Hql80!|-Rz!h@#)elv zzOgv^+-NIIb$z!}^HFzf1|Qt6zw2FFtJmksY;dV6q(ylIrBnxMaVNgEqGBeb>2b4JDy#iGzA2DN;brr=v494_TDp@@|A7!v z@Ztc=cFGjmw}DxjC4Bv--(ZbXSF~@BrAqEZcs;@N(p#SC_wV+i%si1bn(iPR)YdWW z)C5n}4>$UUVMf$5B$*xW5dUp4X$57F4SQoSBsf9w{@h0qvl7h3HSRHnwF8a)&MnyS zJi(3d8OTFK@G(X0*TF7va#ZrjELYFHb;ED18;$@#w`7T~OZX70Fj!#pC=Onz~#+y{$Z?antJrHA?Xq6q-kJqGAmcE4PC@ex&JGQ!GDMI*}HJD%(tiWZ3f-qj_ zW~@DPHOItnI3lMF`l#xdQ(`MZLg@1R=S3DZqEPIXihMu6UU^55#*385r8ctQM+(}7 zXx=hk z!gBx8n%!iA1A#pzpBut*vh#k>9?lMK71Yr71$(CY`B_+XHx0<8N)WgYvBYkypJ*u= zY#`*4A5j$3(pOzauobF?yb=1{ODc0zzsjK1QZ=FM3O4#rnXgYn!;Cu8jjDRrUw8Qm zYYHeCZ|oz1NI02&!&Ca5-Y>f&Pd*z4s_xpA9?>gWE2#b$6Kw+|w@d?U6dC2*fo1!Z zXUGK-Nccc}${vHy@uo|`7)DGLRF0X>MSrIZTboJ1tSeDm@{$M2??fJDsTBKn*N0h7 zfSaub4O^PdeKrWchjL4ss{R;1MXtQevGEp97|GH3gwo{T4(~WY*?AXa7Y^;@Vj~Y{ zUs8u7j-=+>SK{cVENFw}PmsC#4%0ae3arvmVsilPT-4=^Hx9^*Dht>))z(YSeKM~d z|2>m@iqlR#tOAe}9+|7+8Gj5U{UPssnn*gTZM#%Qa&KH5!RUgkyYgQ`6&4=)dK-#? 
zynCBmSe2TQN9~BlTE!_GXx@cs)CoI(_}{387ja~E*dRQM!Q*H((qUYDYAVg!B=ID& z5_e(V-e?oPQB601zu8)@{D87-Amg(0`Prg-Neo@3GfuG;BP>(d#8G?$s|AuJ*#P$V zB3kfbQ2&r5zoX64`tFj+phWP`iAgln!h1SaG&^yZ(@j!04ndxKbCE`zPyL({@0D9K z6R#S{HDfu1Vr{>|%3|v$AGY-2V0^^=HV)U7<2x(a%0&-q+f>5|h4*s<4=v@}R}t$F zto+BP1+wZJozM_omMg!{rz<}vIlIpk1oWq1@KShuBc=oA`xhtN2s7@u`l)OQ=GbkP zPu32MDEn}MbiX~E1|oy5{x5;&A>^t1uc61=p(AKN9`~2qfhfQC>s=xSq|e9mm$9R- z=b^0*i?ub^8Gkj5h@%exs_c>ParMR0;~Oc!zMlqdr0!&0#UhqW{l;zITzcwcJNfDB zSS`YgxNk?_NYN6>wvp^;S-a% ztiuP37EE)kryfYtFzS&QC6cq}r@@tmWHE=cKf0iyqkOQ*x{(!Y)6q9Dy(5oaS(myy zoFUz>ev&9Fr4#r zZV*-}kv$c1WGdgb7JmnLIu7xW@itc;@Q1|j(`aVdCZKnomB3K)cB4D7**ev>hFE^vkzei_+h)JwHB2MdPn(5AW|U>AQpFj-aL~!+HKlo)ZT&1>97PA01n- zG3NZEi`y~wp=-c&UyYp7FkxsVf8U4d55@H|=DN+h*KbD&c2{e2FHAb@2f6{o$^}U` zEWNl-LK6QTCu~&^3fUdUiE40QArKz5$YrxdE<7`!p;5ko5a^}x25A%|)JW-&`2lCM zeZ7eLGa*Z3hVuhOV%b9lYg{EFWk-uZA0*zYL$g;)A7WysZ#*p|0UezCODxjnXT zq1P|Yz53=7OU$#G|ngH(ehn{I9Ib z>+=m7z87fnX@~d~=k>08d=Iw>9OKY_{yGxqdd}_r67YNJ3-~THnVD6K&n1gFsJ)qX z5xcC|-oI0%?broB<)ZRLiu~s+^(mhc-v0B*ipsRcKB1^fToju3R2AtbY8NxzAy^5D zy(&~(AD+XQQ_;X&e=^Y_Jke~+j&lC{YR#(h`2@{4acJ7{n6;$nvM`sZSeC zt*lr}`@K~O89bY1RU`Jq8$UL2GqQfq&H~ zG-Y-gXBg&>dHl<)bhz!MgL6C%HWUU=_tY z)yqZAn0+qNV(|f?=Euaamh(K&8Fi?-BVxL&l?8R0@pHph;;!vQkMO4ihapt5;~fm(*)a+?*F|s+7*BJxqyPEfG{F}{2#cU BSDpX> 
diff --git a/golang-external-secrets/charts/external-secrets-0.8.5.tgz b/golang-external-secrets/charts/external-secrets-0.8.5.tgz new file mode 100644 index 0000000000000000000000000000000000000000..af7525bf38dd4b6bea620632fd055a0e412e4f81 GIT binary patch literal 78631 zcmV)5K*_%!iwFP!000001ML0ldfP~rAd1#+KLv)_^Vyywl9F$k$9uB7m6Fq?PG9s% zO6Sy9r;ZJh5QP#5umMoAGAqwp?HAZjcGe{#5V%K>AbkU7y3!&d0xMQTtXTKueN4SL zbc12yO=B-j#((Ml*@x%*r%&;}2j4&4*Z(V@zZ^Vy^6cRI$4?I)!S4r84xW7f7w72~ zU@1MTBz0rQ`OCteUU`96+pg{X7y5X`^*_3D<8*ZAE`rX!feZZX$&=dk|NhYqz! z_Mbg|{21CDJlp^N*Um;O61PW&i*?%X`O=PsAopZlX9Mo;g}ykr{t z%ane5A-0Rd+r?S9p*!~$UYI(UQSAJ(n!sx>^^$v6(ZYM~T&3wUc|IP`{q$-z8BL?b zxU}PnKiu=D_$k>nc5g@AeU*4Iyh`C~W+ROkt{;xwB%zl{Gz_9S{Er*Yz0oq9-@Eqi zZlidXJij+|t`+FR5d|KERf4n_z6@6rBn|NcGvduZ}Afz{2e@Z zuDu}e!^PCSiSGV$j=$k-?m15ABFgy1^*#Qp^x^bw2|vR+1^(2(D*cJg=zLq~T=QpVp+1J4bItL1PR!RPKC-iy5(A2<77 z36Q&2{=!GF_wU{F7eI)f!zqFpMTw7ZpF8ubX^h`(r#X(ZTm``?edf7ya``4oPh&3u zDBu<0O=$hgU>SUC3L?b}M7*GlSH}fwq;opE! z9_})L1HXzB$Grhs;7$T>&k6i%Y?vTcyaZl_GiNpNd8kvsO5!<)=9hl@*VP2(%s+(@ zAetz#f|UORxDxTDIN?!#x>JB7)Y`|mFU$sJIK##;%yVZj5S!!V5oIerL7CkPm} zfOA7wFe2iB zlt2E&rco%#IsD}~UWof)CQ(K!a|#=k2ZCOI{|8+ZZ=qN0&pcYDOK4E~@m?O};sJ1O zeOSt+7X$nY2X@m8&;q+^iqJU|FTM4=ke3`zZ-V>Z3zJohd(K$^YGC~I$_ z8KnoK8{3(R1DNoNVJrDlak>J0{9qnEzJv@v&ASWEAn)fmnj%H38FS>kfMI}= zrQF<~hX4kSvl!hIeVfRO_4jF-7GKqgPVr{Gy~6zz1I~)m%7Do3Qe0hLIiTqLkGG;# z&GbM2OVb6vlh69-T8-MB@PN&3! 
zNa9*CQAad&Ty8754t;8p+U6|XGjg0XUBPC^JO$cVlBrg z46U7WAd2p6hX1Mf%BYgy(-?r!*md~mw-4fBYe^@vL68%{6DOfAPm(wmY7U1P03oVE zM~;s)@-MWJT^MX~QZat)P$MKPG-S z!(rj<0|$inO8b(+-(qT_cfwa??XD4rk3I}YnEN+gaRdOsogt?1uvUUl1mZhw;k@w1 zkE4)|*^LX=%p~yibyPcwh<)t72yf`(7K6NYm*S#?u|PIm;Xu@X3Aa(z0Eh9Mmp%u^ zO%y=aTu0csqRTseseiZBYa#auaj}JO@&K>t5S2&K4o!alW)K{yCZc=&={Z(p>t05| z4hv_eX@FBWvGC7-H9LgDeOnyqcdPb_+O3#u)lgm@`^iq3%B@L6s12S z8NGwux==(WUWJFrn<&KB8s(v%e}!#~(hoq0zx^6AFMs;|SO&j}I(x`lMYrgGB~Xeazwk9k^U$xEF!|PP#m`3Tv_V-@s9&i5zaa zTp@f5@#n%@kXZKk(QE(Sy^JMNjKA`8(gB4#E2>K zq`-g!fjlj;k4br+@`H-)!VdytaTl$eTbEC^l-cs1O#}hg*g|=`&1ODsYTzxHU&W2D ze$&sA=-`~d0f~XL#;+yQ*j;)W#J+e5TVOv?eJ)_H;r;|hN;HL|6W&jGQQ!yfhB;d# z-63%iY9w4;`id9?4(!uxLat)t+Luc^B~XA-nr0)vaQcj0=3WuJJL$lt-pa5PXK;QU?mKI7i-<{uBF!XyJ% zDNM4T#(3Q(>6kyaiizM9{`!t__+EhaUV!%So+GfEeU&LO%?K_(CSIrzLYAFRYz(CB z<8$Z1=zl#_ztH;yv2Xu&Ab#atD^MkV8)k^kBmqHYPz9S(^XHnFAd!2v9#*%5&O9C; z62-1UU=9V&-`~H7kGStMneaW_Ht)k|<`FjjAra>-UBQL_UwNGWe-Y{bR*5he1jlGx zk>YyZ6G!WLB|UsWqy$eOQVXPdE?k{RtQJfni1~}6fQ5XG9A(EGulww%SCOaO*+~?K zikl=Gr$kp(KaChE<~F4p38*U;5} z`her$BxRNt(7Zaaf=fBf8{E`_*xjHDP^w!j>%x znO0svTT}}(OPA9DJ5Hr)SObSiG5kZKkeK5D_5dtq^XS@r+ibx7BAk__*3I;4QR{V*J`e{ zcedly+}c{lo!#4bzAA6-io3h&_O8Ca9VahqcP0ea0hVJhyZu^`H!MrtTbH{VSlcRj zxn5#6l9?-{=5FNXI>}iR6slKp8^S_0PR#{|vdCaAG*pNULN5pOJxKumi7qR_h%xGk zFKOS1MtH&|o?LBwFUXn_Y4y=~1~>o`ioi?rLeIfHvC8WynFYmHYUXSxD^;@?CQ~*S zL8?1 zQJ14umCCwG^+zu>3Ch|_O}*6AOHJld6LtT*WR@>QXz8VnUh2qx%1a#u!u(+tCU5!f z`+#dc)4Zj^89Uk ziT^yx_mBJduU$N)@Qf=LeQSX6VX^|OP_iPwSQKjR{>Qz0C!rI?GiD4Y z-W(Vu7JTw<;mIERogvE_dLCU)C`_%E#73%!ntNFkj`nNDSw2A4()&nGKYPyPj(Ji1 zp6lGdL1KGfAMWAk-o4lC7leT1nBG^&WK~C{|XG7^C#S_@Dp%(&gdP-muN0Xf?IQj&`fgn2;r?8 zhcKt-_x_#4)XTt~J0HsZKH%MyNdyFOQ7GU55WxAzREC8iS0ZA@7XBQCRTg#;i-Nmb z6rCGk4jzpD=bxW?gZ9r>p9cE>9_ZcDi<42h+$HgE6{_o=X zMUCUPaDPvW*k-*ppx1XnnobH58&oOlpMb~$F@W{fgy+M z=HxPqzQsX=ESLzV9aa;jicC|49bB<40WY9!$FS5WW>|(BMk2MSu9nEFeQ$zzklp0J z|BWW`{73VZ&0tjM;6X-b;!2{v63*O@mcT7zKTI#3!T(H#|1%jB#^R5f@3ZQE=60X9 
ztaxTbv@R|wEv?um+=`T0Cd*6Bv$ZYGNk=#TTR4Kje1w0mGx&cEoWc8n{hHEWpSh=FKmmQ%LCe^z$J$W1(`_Al>O)^M7KcIwn#1P$ zSgC+n=yIKb=r}Nk5sfax%sRUL6)%49t6cfQB<**A5tf>ELSca7jsQw3?Rn<3v&az2jU+CqXC-PwXX1|?SCUYRyVJ~ zXYJPpZR6Ra(qy0=p|pG~jZm9+YgiY+*kt{-=27W_Bja>~PKc zpM(7;kDnFvKTjS%e$?xKcJVZyt?V%Ac_QIzOU5?`_pbeL_FT7IW5nysP2K1Bq_b1w z?Wx@rRX1oZCcSuNa)7(WiaLVrV#_K`%a|Dq6chL_Cxl6%jo=9niUX0KO$~-BP4(PW zcaKm&rP1Hu?9_cp9D7tPJ$BnF@IY`xNuY>VbH z&z&LR8GlhyAMr(PKgrKEEk@q&fk!MlswkI(n$`Fr>!z&;{}ALR-{thRuNqBL_(N)) zOeR#ClH6z}UoE=NX2X^oYd67hnF(m7B1T-qNZSk2Vf8%M?gHIin@&mL-d4lpr_!=) z1$P^L))lTbYhp0x(OEwsJsMW^%^ZDo-yEjpW%_KoVUxOPH%`4_`Uj87TR(>bwJkw% zuSWs37-f#<(EoW`YYf%>S5Xt5Q>YAzFq~@s>21SjzU=wQxbZyEQ8T3Fs9cSqGaOFi z*-(TK45jnpk4;xVF4`dfX&g`N{vqy!A8jsmDcaW$M>qM8)%SY^9Qc*)z)+(ZL&3&< z^bJ?IjAzNHE@LPOFy*zOPyQ&OmOz(g;YYQ7MH6yeXz3_V$FOu}VmF+7&c9uIcYDsi zQ94XC^VDn-fu@|^^=a{Trtn-G(5GICvO53XHF)~@N zT;$9qY*O3jWoV7YI?7<1ZGKjZ0?In+p+VdIcul;K4oY1}(x!mb@6l4MQP!~{45^8j z*N#)IfBV$hne9Io`ah6gvalw_?Pwu?Ckr{n+a}!M#)~IeV<3zJ`EN|cr~bG_@~8e< zEdhI;`g18?R>C@4_z40Udvh%OqpwaK%vmBwp-syr%H0*@bqnaIqE$5iGzkOR$_viCi@PAVOZOsC<@PCgE z4)%-u-?RPwp8wm$Bly24b{?#+11JTmKHOk5>Dn!~n;NpfU8r1**jy(D1H059CV}Jk4 zY6sZ{vNEj2`xU?;Vs->1YhdYME~PiH%Y+k^M8GRfbw6T|7-hC+xoj8KT!H7$_Kob z`KRUnhg<)knE&O`_s{zLUpsjU@{p(xNtNtNQ9ot#hNhk+gT|Rq8XqfzM(&EQykPP- z7W&ebE~fgMsOlPYw0!HsIc!=C!=0@BVCKcS==Pia(ZRv!iQ+x-dp#M6)Xq^{?O-dV z%{gmzTUra2gy)TUY35O^rNbN+zOE@s50B0c>BWV5fy)11Dqg;V-&rsWRxzf&Eli2t zC08I$zHt{VAIJ1ytH6zmgP>4}c`=_mikZTkqXMhSD8MMaIdFsJl`EZ96F5T)70%;e zq4MzX^yJ;+^TG?vftpNXf61vt2l;7Yp59d)Viujl-!V(uk#y&E&e)!HC-Rr4S8nQv z^lg-%1=GnbSIHGjZj8S6n8}Ac?~{@9Cc-S~le?_^mdM+~pTp9j00(^HGWL=yhe6@O zWthuHl#hNe^I%q#{9PoT^Kq~G>D@yt?&T*E9*pc)934sOo9L%l#T;<)KQ!2aBG+K-aok;Y@lOURm z7l2ew#C>>pJbZh&O0PzXnI7Py1*RuA`d>0fg7y-7kkra9{Rtl(GrPouK&sDoiW!j z`KIrYG_-KN+P>^S!sW{A83*2Rf4!pL<76VF?p1bi3WpfKs(7BN;w4~Ql}-}0}` zeF)i{NajS4(dtG8biU5_!6_%=vJkHv^{$9CBI(q2RP(7ei1CqB|D<#(Yk@wwbQW;$ z_{*RIN<6p;?B~!^1u&M;jMJ>*jl$Ym`W*--XJ@55ui@*p`@7hrVn@qIXcbOjjH$l_ 
zro&`;&I_IN^^y63vX{U_5f)rg0;K!JVn$6^>g%4|432c?7v?SML6gZ=@z$E=rb7W- zl(p4$kUsy&v14^}F`W-SOmmyJUujyHewIO&-HT~Hmb@&1#!zXqR@F&2haaD7ulBe% zP5~pv1l#~vd?(Z5GIrJFb|15;0~!CoxgWJd1NU1*g&#O)PofwQZituOMAd2a;22_B zV65hlARi`P<2C2UvJ6l2V{jC+hnVYi@S^8!Dc}MC=7L3VmB+N3w*odRWo=>4^tJ-{ z2B<~7;2Fxb^gD7MuyV*`OxY$lWZrvJ_*<^0;t#{}XL-DiQPWCf<->=PS8mO7eWVT1 zpY8r^cL;WWwriWVo^69>a?90Yc$hIV>#}pQ(3Taq{ac}v&d$kq+vd0P)-4-W?!4HO zq%}?{U76qvl}cHyJtCF2Fr6H&#B%pIuOe!?;OyMh3}|>Mu(@TLhoYC79jjVCz-S+^ zxSPKqf?r<@@T5B58?CkL+n<21E%j+5rlgV z2-y)=nS^c9pzxYUL(J&}yExSpU+O298fmjmM)T;qR|iiY=?LC)em#GQsxfLJemc7H zLs$I!r57*Ukp3uY&Ujr{i|U;>Y*|NaQTldGy9}V31{##LJG15_Ni}2jmelqdRpf~f z$vN_eCJUviq>JM+iYBn8TmooB>p;bUZ6RZ$RU24?W6oAe7adtxG$4)9 znj~M6z@%AmMlx3r-0V00tinix^oy)Xn!O53Fp)(`SbW$ng?c_&NofgKgOQp{M|=2d z>@k_eZ_cJ}Jj+f7*@6UCljnN%<;C4l`wQo|M{{g!f}9<-}5&38PoUD?zN-8w~A{;uVQ$60+Rov`s+E>wk8oOK(;nYb2cY9-|* z0#6`TT|y0@*Izb68nfbOi8V93L&eX?yk$P90_&@5GNt&?JnKH3@%r?*Gx||0CG3e5SHa^Z!2EfBNWYG5_zAN8k7U zKf8D||KA4{PCyT{U(0Fk@)iF|0Xkp5!%*enFme`J%R{K}9r`^NFPdKvdY^d;RkkTP z3{_8wsdk0m5Zn&@PB{xz4scKT3<)Uil^uq%a^HBdLYpJZCYGo7|4gFrl<25%iOCWz zo_Uv}f>6eb#APOncVgi_E)OmEvJ<`Xw?3@&0;*_W@CCX@@xJ6aCx8Es2md+3en0*= zIKvcvgNOeB5M1a|F(K@{h3_TBf#po$ee>s}v)2U9?xwz8mHQOgSkjKLH<0AXt9Ppd zpV2w7-bbnTQR;n^3LVz*QK~$eIZq{$>b-ZoQx0+v+iu#!UVbDQC%df)aN|YCJH4q#LLzfny8Qibv)xF02-T;@d z;pF7kw=y*&PmCOVzj$|&CBxH0CQ#vqAf3=WGV3EjrQJ{5 zggZ~h9LC9v!BQUhL{_q2MoHphKEi0pLMGZ6e#QazXl+Mw2h-U!T5XFN%X4cvSGk3R zU#KgMIa4*DyxH}c$mJjz(HIS^9n17(rkJNfjH`RRi+EbDTzj8*~nueLJ z5JfRKBaLkgeMERe{?c|@3(gIqPwsBSLks7XFA8y43JnOmqzVxS(I=u-{9I4ENi%;{ zgW0trlzDl(yYXE1aa^U?wd2Ve2Ps-1wU0=(-7rd$BoWZd?c+ zYa3MG7DN}g6n6%lqz)NsBu1E$do>PQq}(y+W8CPu(QBjpEr}Ap+2WTgk+M z&3ZbfZix-k(S@pAtbr+g#%D4=rDAA z#~vt%C}-6@-SwL_FYtQd#q&%$%RF1*^2n79)1MYCj2S(kbT-qLFonGKS2FmbYc^k) z&6pXsrR&E6QyAtZlpO3L^Fnl+MIJjB3Z_3}Ek}x9LJCsxGyYNKnPoe9e0rTo!~A-k zNO!RIIuXOU_BxTTPA78N%57F(G1yNTgC;Kiis?FF<2xjjkUIlhL}*MTKLv5e{EYqj z3#PwdHl3Q8^pFD(_g+%5X@zXvwIBzF0QUbH5>6S;?qwPa0h>H8?J#}l#1Xn}yXe>( 
zp(#6NCjlZGh(vZbYe%_FjFCGxSQp(-%4RjKuv=QrYEo%B{jTIh+>^JlpSB#F%2O?R zN{QhYl8-J^xDe-FD*Z|pnQw?_r>@P{QWiNA17*8FW^|HX{uG>Y$B`(@W#G#M4}p8< z#ZvTg9$bPXL;mK0o1_mLXJi!6W^=mD&vqj+$rrQYvgGg__zRH+s6~cY#`95zl2y7~ zQTVwlKpCBR%fOv_htNo2)0{ni!%taipO9XF zWZ#+wz;q@&8j?KJ5b`Y6U6VDYW22)YHIKQjY$)btOeBqN6-&z27CO3_^-H(>BvL_| z>DXB*EQ(&sn_0LCQWfefEfnkwc9H{%HH{V%Q5%R)x>T^hkaQ_f zlY{UHOnDs`*9xIG^)@zf_Z*Z1Wo3(;8*Oe>sj7DulxG7M(O+Qlic30Z(m{yz z+Q=d~?i_>Fm3*kLw^EP4!y1`968igd??IRh_ME{g88{DMvk(5C|2r8xgdZ04GyTs3 z|L1DpyyoOmiAQqb?_L~f#zHt$qP~U?0Eg3pj{Tt4nYVR^<>ROfGdOOUW|>f`Hv05= zP$i=S-bR7CqB{n_nB8;N&FF_sK z+z?)H!Q!#*L|Kj`$On~NPyz;_8;Ziim>h%xP8#=-pqkBSD@Ok0 z##dONddR2@6uE~5c}jD-AAuYF}|Goi?5*g6Ah6NA{%EF}${*XSbA(x%0n zV06X{d(mW-8n-LA)ICjdAE;d>g2QB)`0Jal6G7F6Uz0UxMTXHT_>09V#q1QulqvnD8ow3LNfZTM!|t@d6Lj*_ln;^#l}N13{@tAX5*0scw#S92xRG=; z80ljd?(}Z%Ak6B*i71Q_a3MMSDbL9hJc^AH%m^p{%z=Dzr@W(4UQtOc zlY)M)n2g4+bPQ@Q?UhciUSxh_My7{iC(ajzneI>}K{FDwA)7QED^A%gywb8?$UbxU z=D5C&hfPA7!-kKGq*n3`7p9aBIc#d$g9bqPIJXz33|k7jIyH_x$^@q3OR$kh^i>O; z*_GCMf#oK7orSsZZ1D$zki90w1ljR1X-!mbcz7f(EC5yL%QAv7g6}7cOx!zH{!(~N zaWx#7I*ko^atPihCn1Kmr1+l~AAL*>hHG#fc?tYVzjQKH2Ek&Y!cd7DEM$^~Gtu*> z!GuKd289%8eG;OTOUx)|@x&n(tArAsg;6*Jt|Psx977-i{?PHzFq{~QRF3?HGv=XU zXXeaS1hgwt1fxqADvHo8u`OAV5yNMEpO{<_W?`$%%*;@svtARrxk;T!=Bq~4ik&*e z0FPyw%>XbZ6rOs2Ai<-J@+XIOj)00{HqpS#y%T|S`Y<>G425d|jXX}>4JQC75D{D$ zy?9gXIk#6)!t_(=y9e;sV6U{Z2PffRPh|ni?PW!`$*4D=cY}2x;!a7jq zH#*FdUQVo6(Wt~5724FNMC63$h2{oH5vgC!91~4A^?HYS5wm=*RV&&+58L?yz*mAf z;Wr@w)yT6NqM7|}9iWXs51mrZ+x%<%Lgh=NlUq%XFI_k=vy8EBJ&iw82mK_u!bM5@ zi8wGGn&=>~U&tdmt!XP8wn_UwSF=DESFxApwJr;Q!+^^mx+Ch0G=hi*XF0B>knQ`_ zpmaNP@T3q;IwWMtxq2`Zl za8Ssrj#DgKoR-t7UR5XNmfUk{GrUq67CrxY{%JTiEjX>8a$m)xui~-e$FTl~cuS!? 
zcEvyb(o+B9>ErL8e!pL+{{g=}>g#{(;@PDBN6s0(*B6%Jp%DBYcyvcG!ZtykihAw!I7 zn!l}O#f)57+=eAH@}A%t9}a7Syt&GOA4JovIx8+2vbid=j|diJw`EaY6LoXI4lOYa z0!XeOWT2BMuALL;`*It7xsATuMxnzxnB#6mt&qfn^{UUApSEaB{6FxgX<^ zyz~RSdtfL%9S)2n^LbVIt~bhOGL)+o9TFR=mLwOf72QY9TN&`7g2NUnxT|7pgLw3X zAGS4VQ<%8d-dzAIVPt1L6pi!cG6A`X4D3qo!l}v(vqGLA>-3H)`pU`Ie9y!{DPey3 z+u_px_3V|gL%0Iv!C(nwK;A5cdgojQmo}Kno`|R2%46SV z!uW9Y-jib!CzetXV>PkD{D*KMTtzc6_|P|rNVoEKfy)k6C3WSH8UfE>9lH9CV-||Y zDR!|Lu~62N`?A#ynw{V+(RFIxn}!{_D33&dzz6KTla< za(ST8;_V7_BwFrVY=!wwguliI+O;2~N?CY0QE$8eWEPWro?d)20eEJT^VIG)8A^mu zZX*Yhh09{eE{L{MSyU^;D&69g7S8AW#QA{ikdP1rg{28O=Mn8Myz5aBD;ariC~irC zM8p<+Ac8NzHSeeLwNy)QExD47w_juBv0~`e#KV0?a#c(m#8#)!VjF3gN2UlZq%EnK zfpansnPOi`i7}PiUg!sgq!NI|&;KpgIVqVevd{8(TSAkSw_}ncBpVVg8VaumB1$C+ zribvk+Pz$$X38t4IG|3j_9|N>GH4mETqKG**)b!I)x!!GFfDsipaCIhe*SAn4Lo-% z#LivKeAHkVyG$1tGVZOA$u#~0jQRogvg_YKchhhj-Z=-mXMa>Bz?19Fo=c!wto~Qmc$hQ?w z%?JL%AkGG#VwUba8B@CA`{?FRM2ZqG7xv2@S`(7ofdL^Nx_n?;h&%{2Z zp(hqb&8>;WsT;eknG^8oDMn8*3~;lcWMhjnMe=Y-;+C)`v!?7aXLgcSQ3wCemsZ%nUR<1> zBaKO;X%vvEj#P1;h|;`+^;~d`6YVqXCS8IIdtAIaN5L=z1hv!v0AXw4rq7+pU1QES zqcxwprw!)#N~B+CMtG%}%h1kg?#&V3g-NxYa#vDp6?TSn7i(FI)1_vIC=?Ug<4`nO zIugwXOv48C5iHqbeEduZY$IV6K11Yxh8|^Uc|vV8!wOglLEWCp5uc%BQ1P7`s!w-=E;E&! 
zfikcmtV;)|@j5Wcky~_JX=qseKc#QVsUF48e&C%Nl~S|KX&(jNHXu(p>f6*o#$s$6>p)?B4144-ZqP^I z(4eJ;l}~Ge&AlW5AS?%&ytbkc0d*ew^cL?tq-Y9dhHx zQAo*N63@#5^=8pD8No0kcj5jXg`;V-7{iD|0BShLAaM@VLo^KMD?rs)VjM6!gqEYL zbP;^VmOISQGSmQQs#Rionf~*(HJzz}&<|+iJy7Wu+NtESxm$9{E?VO#+56}A{<#%T z@1Of^@m8PSKX==@so%~m^is$aXm{WwLf=?T351c#x@#)@s`8=o#Z0k|Q7o)EOhGZ@ zn0B-DsxJNM1>M%C7j(Z3Vr&_~mLo%(o&F+C>nT7_0k$xOo&p#(-?>8^D_zXhNx&v; zTb0DdWMh!dqQGMZUi#PJ*&8i42ygnL+J*%Ese=R+rzYEDl1*}(~*XdcVj~Xfv2@qgukz1@A}3} zO^9uOd1t38#6AvQqupiB*NX{6$Fdig`GK+eCQ<`O$<)K`YF%| zr}2ikF+oFQVK7w=2xc`zkNZ3@1LuJN^dTmS6eX?lWC$3d2dNjj$c5}Feq=941Rvty z%x=%5RcRnc6u)QYCd{fg4>Oa}GMYIL63=s7cQ%AShQ4U|u*phlCI}cKADb6u(9&Ak z(F~d!ZB#kyW?nJ3Nlq@E1uP!j6(uyIyjaHc9$LLAYqFLe6?430l({2u(ag+SB{*h1 zwOn?UmQl&(WxPg9|I*|n#yrYn?Sbai0%a({|k)|ew*sRZN(8n3DZ?D}IsHqC`RBN5Mn z0uu_lAMv%jH1G(ps{XkaFjjVoo9apt8vtPHv(jFD-b&_ax=>9H>a4y}dMh0B=`yM1 z<#VSLc$V|mR_f}PQG_*GITrLZa8vXt{nWm$8@jpz7CPWvjXjR+Ts(Wb{g6~~ z+s@-lW4+fz(>DAaZwu0RmqbXQ@0BPY)j5A4#@|A~wi+9_8$_X5eo@P4^WF*n8&JH+ zr+32dZ;x-?3Ew7evT%2p_b^CQp?UXYrbJ-!;PAEDFK?AcT6%6Z2j`f#09tVBIJam;ws$ObhEOs z+F&--f(@#0DPWV4bF6J3tr9I&D0B zMVRF*MAI(r{cUQ4mwvAb?iqo49QBMq&j_?K0!delfRMm#d?SRWNu(}EG{2A~;_)|f zL(A$IPUYf=I3#6elxjnHmOt-HH!J06boXj?Y;CUKTmf9M*}st6I0w3k3~o?6T{Ug5 zp>Bf>d@xRZ6%I+zV?fu zrk^Zl+9FE5Hzq5jQXPnYm?~Y*=o5Ms!-`B`6lb`pK^@sQi_)A0d%C9N<$;{T*$iHG zQn}5fSZfKuqeJe*rrR23f!G}^dw8wnPzMOHHa z4KCpp*DZY1b(z^$N9{K!_w4wR%BI$edjkw?+a4Xo?zH}*%pvD3HMO!si!Pn!wA_I= zm<~3TPxltf^lp!fhhJq zj&Zb_V=`H|MpOSL7dqW#Uc5`#6kd#2vsak@ob{FdBHD2B&OAIl!Bx3ItpTtIy&T=k z(d$p4m!plE8`_e^v0R7YKjp5%M^zG7I3;-8&;5CbIHk9tbNb@7kiho(xR#zObU%fj zDi}5IJcv}g?G0LI)TT4L1|}ezwx05GO0%h=T4D(2?a|4xh;<=OF$?+ZEbSeRYX$1B z0uVP8k%bIp(fw9fYj>QF&csid#7;(VODn|9=DJ*~`WK@1h1dt&S?mDLF>AI3%(K)P zL-tO7p0#Q4$9=K%GK03<0SstOtnvc$iaVglPmuV5`f>S zw8!1VLAlH2Sxae_GW6W13Pc8vQARdyIOtqaZLF&) zPdo2#aLr%Pvd(UUwYPOKXc~7GW)4;D_BsCK1?gQzPKOm{b)34MhrpNd53pevVF8!F!5|HvJoNc(K*>Fzk(>;g`3Xc2vE$_iT z<_%e)N1@@IrT@1drq7;OEeQ1R+KOw-XRVau_*7OES44!)n8wSc+Ewmqbgw|GOmSmN 
zMDVdDB&At?gCVQH*Tzq3tPO|2d2eboMBduoUI-uFj;(MlOCc*VaV8`()N3)7(6E^% zb4S)dO;%8P8DyF0uqNg@noN8$Qq43=R=qW^*Uzj!gbUAbK&QjI1a1rCY$v?%bWzL}W6>&sqv@{~}~G)KJQ zD+3^8?e;9b&E?y`*W=W%Nwi9to!E0e&_Vkk9Yw_krrucSUJz2%eUBrU;mrhqQ35Q2 z4*MbS;+&4B=O23hVf`ue{DV<*V@vU-r3^Ky)sb?sPXDG8ti8$>f^agIfD|#OT5hL| z)njr}W<~T?%VnTJAmy^$r;rqQ?p7#WpU%%xH~RV6SNe2*-xfvw^y&O;1Vts<7_>Er zSuln&n7KaY)D%O+mKl6>iQ<}z_>zP{&42HHeczm-|-!3!|0P;YIQeBPxxg~-`(do z?1bX(D7)d8NM$Wh(`A-hlkBVc>^?7EJ6fXE38!I|)b_>={25YO-EgA^D2<%ADzm4b zNx{%al$H}Q_!k$a=XmzhXc`3=^a`(*ZVVVsIrD`tmJQj%WdKYg^-*1rl?-9xm_P`X z9;Ev5I4Ngx2dlUM;U~()g>ebn(oC=i2AF9BHsH!IovhJno28L0om!P7Q*zGPGKsXA zMhn&ONmH6^K#xCds#xPgXF@`^ogUT-SR=yOeM(qk7)?^a?ko+gSqfO=^snZrUpr2` z)5;IFrg}BHGk~t#y7BA;ZUH!+KuenwMCKDimis!X7X*nQM3@1co4~By+0ebj3->nm zQ%^dUtNWIF1kenx1XkJO_DKB25=a6pReUF{1f*^VqG&1ZlBpX)7g$ag_74ylNmVpp2zH@^h zx_vL^2++O1@!j`VG>6u8nM4uHwmzwj(ZSE_o8D+NicTvji<@#835c%mc}T4AC%#S;Z1Ij^COKNR_(MnZ`dCI^F& z^BNQNxDzyPhZ#7ye84halDV3+Wvxr%Dfq_OKutO_qr=&z6|B(i38Ose?x?@SKcniG zcS^(Oi4wa~t;Y(u0p|d@d4x@c$;=Dqeh9ze293fj3)EnY0?U9uldLW;{g1>JP?Z5Z z8+ws}EW1>s;(0J3OVNhoGdm?@If@5SjtKan(Z*QCqyIPH*nh)w-^gSXlCS9904WJ= zQ$L9Ux^+twCGp_UgQUtC1L#&kq|AKa@Bx?JOx5Gnjxbffp?bHD=fcG!$dcHqS~6a- zZM_@7(#j>4lu6$7PHAj6+{xOI8&eO<8WHye-!8Uu#vVH^=iOHPr_N%^tt=-=6C8OT zT_D-sXc{e^|L|ykf3W!$5=WtVIzm%_^T>44@5BKUlU66T@)&AY4Xm)|qrmSBZVm>- zp4>cwgDl6>MM-+o08l%(GIVa5$|X~SrYU!n0_`QrT9&Ej1aAg6vZXI`=j_qW}wr$(CZM$RJwr$%sJGR})m-pOz?mb`C z{j=8pRkf@3oX>d1OcBSP<*oDJjf5%nl0oPt>W4SYA zXmL)%dXgrlHAqf)&tX|=iZ#~BX}m(IP~&P&KQ1pqKQzIcoirF-);*wNL{;msPwBY0 z?w2(}+@i^H>UG_@XLEW3WC=@rsYH2eOE872r#7c`H`8hXn(4b;=v%&vA3enox}>GR zKK4}7+XQPprlFV#p%6gR9TDkV=(Z!V1YkOH1+k*%>AecEYFmSn5`#Rr>&=l_|D?V{ z<~p$H2!$9pe>O`|5jYav-4Ff)fa}4$LW&+-21n8SR9?UP!@GZBnb*u8NTB>~pYp-c zryb{WgN#IJmF1_*Co>Eh9-92Fzql!UNhAL4cCXXzY-iM%spYW3Zcnn96lscHZBJF? 
z>`YfdJ=4W2y&Bt^a>+X%pWeDQWwUR2CY{qunULN8mc+jD$%A=eA`2OST62;WBpb*5 z;8FMvu)cpA``F2BA#-}te=)9Uu|PMr?L5lG)=R8i$WBt= z!s>{uk~}S&^Uf|Ta+0lfvi4-opR^u{A@e{I^obxVu!yI3penzjLN61LS@(4TvrW() zqD?N25lkw+kPF-bcXvQgkgiSL-;BKnAx-rdT#XtsWwUTZXTT`%%&!hLXH9R0pA!uT z1sT~`Z7v}uK2R=>DnC=dW3szHk;S3{1)cb6tK*Li6#mziF@`NJ)WYBMFq-?~PTAoB zO(Efp0$v%?a}}1ZGK5LfwIt$d9L$^V_&tyZv)v=+*6Z|oFJb{`i>>@++9$f+{_)|* z{W^>I{C+nI>{+!9hxcVPv|0OD{&3)^VjD1V(=O$9@QW93ZJ|zVnQr=*U5>Ox;+@*r z4-?h4Kivpxo8^LsNQls@s*;A zVAgEu9(49*7C(t!gd1GF+BI)>LDADOC% zo;Oe_l0!pWQgfy(ifSTM%-%SVnC-45#&XDPSSw+fXyBrq^mk;m2dQ}`7u;N& zvB5C8O^8Ir-(rJz+L}Tw5l{I58q%++Z*MSRhFe?hQxRI(xr(jT7&)u_05M0)g8g8m z?=q-D;-(5IhVF=hp~ZjK`(l0As9C;*rzOm7AJXhpWOO2Lmh;uwjmp2XBCTbgxD|ch zL!iiaXZo_;18}NbshMn`ZtE8-(edy4$Xv8aAbJed0Gw$!P;7L->7;c?Q`>>%6T``= zA0gV<2)j6~7Ti$_6sXK0r8ofQoA@al9_m<8@7rUWcad z!c{bqibxP!@n>?o(L&U6Ga97Mh7xSbtVv3$1k}i9?zqZKr7`x~R%zisW1q%k6f~_B7LQoNH=Sm_SE4Y4&*rZhmTFJDLcV{KXl}+zqfJxk#`D*PCBE1s-qwWBZmKl%ZUs>eb3tD(1sevplVoYlXO!rpMER;tGe1`m>yxU1;bV$nz( zD)9y|eAZSABew1K2cYUu#Idh{QdgSN3P$p3f6oiK2n`_iT=@ zKPjeq4tl|&%CYg3sZ2zx2r&(_C6V@sET5?8X~Row=uPD*t6VPCJ?prKD-wB8*{MO~ zq9WAe@c^hL17`)#T=Cw%tb!^pN6WDhBIkeQl{ixb5cu!e=w0n!g#D)}Y!~VsOzL4Z zJ%58!( zar!4lLKJ`87e>%|1=cW`->;Q&!%{Wx$asRPg`ly}K@aAQNz`;!1=UFI6FZ2mcXxI5 zT`Trvxi?di*ns~#GIViY{}38>SH7_IlOClPH8g#Js19yJ971_bWOOX5N7)!jkyphU z#Nv#=y+h()H7(WMTfm`h1k6NW=!*19lTIin@T@Y+Gf!T|{WY>HeI4%P;$W3!QOZEk zoeNv%@9r;HCAT($?iTGYYfpw(BptjseT>9iQ1Z_Ku{MC_0jIa@Azh8*PSszm<~MXL zyNc@OsPb#X7cGu*7sYK3s%f&PVbq7%XtBZ?Z?C4|+{J>J`*gJ>V-)fdAk*#qktiL= z9-5+_yF*y_dc=GUdh@Y5%hYNwc#faCc^~2AbW1elVdV%qKwPG$=~uuWj0ACw$|Nj< zK#h|oBMkM5ABQkt`!n0iHBs8kU51($yR`Kh-0N-u`Ic0K`5copT8-e4kN9(7>ciQ{K3Q}*gh9ZUmE!pEm+rhKfL)sSXdxK9FSsH>Iht4@V zC({PrtVu?gaE4(4$t>?iQR!~6n%dJEv}u}vnEypqJ`3C|-)e1#aUX}!`J1%yA^6fW z_mefj{IhW=$=yNs+|20y$(oux#}qC8lQr=f%Y=j~>~~<(e^xMhh$rGoCe+u3Fo27g z3U_LFisXMiS_ZC^sv&!053Mn3(u;+%a{Uv@Sot4c+g2KQ%v17s{VDd_hxdD3-i0jJ zDJi)vdr}nwYWu5hOdqAtRq&)%vl)sktadcZ&GnON%!N)Od~bH=hwB*4-vyl#N`^>T 
zf|hv)eS1u*xH_XqzT)~KqfUYm;50@@Nu(R;Fv5WCPuv(355WWv(hT})f?V-j1GfV4@3MA+l24=#L zcRJf?^Zn6UQM;g$q~&fo(Yvy$>77}!5c-e?Fyx4(y`YJ!CB%>kFk{kb^WjwHiaTRj z{g3X)pa1H9U~aoJupsi`>b&Jsef?XAM7I_9v+f9(UP0GN(YLh71>Rba&zvsd($2Xs zwIFZRlKV;Gtg#M4C4<3Oh)gsa!e$&$XsS)BMw>b@Z|36#ho-QrBv}%kmKI>tIOPp2 zTLMRd1!F5`G~-?Q5TZ8)UArT)seVOQF!%81z8 zA49RU4Lazuk-vfZPO1p(9n7i-Uh=n_{$z3Pe$iGi(y1jw?-M#HLG<&#CV#THn{1Iu z6B*o8B#4;y>f|1DM3Rpy?yO$X;g1%9;mScTch7}>RP)PS^FlYoNzu@M%_wlA8$fWj z0_q1#lbQF!rQvj{zA5TTkDY;f0XQ;S<87!S4np^M;_b5Ksl-{0IO?fyNRU3EO*@ah zUnri7y$TOAg_uvo+tC@*Ne>E1Zc5K#H^2XSk@?ASA}HsG3CtN6Yg(KFmbkZ)@)0SP zqys+FGeGwRasP;K!XY6-b3x*&uArc|M=~xJBM?1;LgYg!BR7MgW!qUWMlQ@rg+b7C z-abW7X4)biOHbL~hIgP!M#=ZU3`c zO2%3~2u>8ImbpKKO>G)b;M=jU8#-9Rh}8EA zRmM2sFmCrXVYXbV1kLhH_Cl&y=}B#M(bG?|nHIbjqaIPL; zsw(gIA>4mgchzLqb@Nwf*YFQ`5aj{Q`YBPLu1@(_ELs`bly3{T4Pgt=4lJRMBPI?T=`R@n42Jwxpn~nJ0n?6v(rIJEl(K$q z*IQw_!ZY>Btm^0nTa)s)`oCeOCbx`ZPsXs38KAs*N?r5&rHS&7XHRNYVdC9QZV!(C^~w=iraDKFDaXO_%lp=Th(81Q^Vh>8N@JTfNkOlUaS8By1gPxq8I| z%ee4;hq4fv$mj*~+fBP}nFPxS0k7|8v-D6Ixg3;o5j-q+C~Gt%=Q9hWmV|Q|Z+x@f zYmsbtim0&cX}TVZRt^HtpDkXOG6j$=Ry>uRP@8GfL)FHF9&g~t?e)J7CkEaSFNRRH zIbbePSTQ+9vCftc$PXEI0)!3$&vJf-rs^DT<1JX*ZFiRU%mh$q&4_y#AHBRU!~tO(PcmXCNHi1r@$Zf-c54PFW2T z9I+)mfiALhzrD&(VBkWUFAVEE<4DLm}}-twh%-2nn%Ne~E8A$Zim}v|SHrC2~n>=3Je) z8XwVk({fdAu~*c!^2*>Kb4xmC5-L69UA90kt7mY;WXH!&tX~@1WoZ4KCaO4u6$#4} z0?BV2&PgKw6GyMgv@bf@@w});7v^|68u1}!b#y6ye&WO*%{{Ga=6X*Le z?CS5_lHuUD^gWL7qGI4lA#IX3T~*xtc_G6_C(A=DxqILh&Li?w~tOV zX#B(fIK#VaDR%%l@sze?rCWja;350O6YoNvmBUly0Qhh?#OjC?FvhfUD3KMv43Wgb z4LA?D0$0N$=v{cHn@Dp#uV5`G>v-2G?e8Cq!IPF{=nHuTdDaI1vB+av>oW#DZ^_)p z8vut!qhjPXYYR{m>|N-Dmh{i--2b8ge+(}?DMBBqVymrNKrbk07hE7yt^>R!ljLIr2C(3~FH z3}!Z3XEZ0(>2%IUYbIu;PKXqK7soE|cSs(7{*jcNk>2Ru>-s@=AKEN+eLRAz2p3_; z94H-@4Yz-?NKO&6#y0S_b5(w!75tIBlfts8fXzF6ie8%I4I=bgLr|)1cemnb^((ON z>rdxIvt4?Y<7Nv@<-cx2?P3|j>6H1B+8l37fU9;#vubpx=c-fjG(T%Ex zYzw4i!9PR7h3^=q?_9;Fjb7$L#wtI}J-_C3J&C}WV_s+{s4o0s#S~l#akS#up)-1> zXT^jE<;M}LRW0_><5#K+*r#_j*=nh@u-Vdl9`hWW%RcE_qQY z`MIz(uowa*Ba*=tkD 
z`=R=`<%_G1$fE_Zgy3(-Tx_R{FB$XbgS9pZZdp@ijP7)ijtlf-#7-aa?#&qfvQIW` zq|v7h!2VBQj|W^>^D?|JiS_9Ci$0I#48bi9JhXlV09{K3MW)1dYpc`vQ{A0+N7hgU zsM4dGKPkfsuNBItoiK1EBm`^~?*cw9B?p$MA!&cwayzK>iEIsznWU=IGHt&_QyEVH zy5M?fN-bXB!Lk_jJHxFoOBjs|qRm#&Y+z`gh%wCRL{<j^Zeq?!%x`^3YT=|qTF!=P7N^ov54&@Z(vkN* zn1a9HU0ZNuk4ckA=K^9?bL1Dvr3?5UV37F^OIXlAqYaYl8{8KTA5EAQq>j(N(r4)A zwt{@a*%sZbzfQV?}vA-Y`=K~hd-fPFE8rV$<)1| zQ}dQ^T1t3EWuQV%lpxj0jq%9^7E(VBlb2jBz$F0uKD>30B5KJg5iWdvzbMhY8vRX1 zkjLkm)y6EO27CUPRvydO;I!42d-MZK_o8}q847}}g*dV2A24n!lQ+qX$+B$7*bZHl z_6)5?6@)_2_qt%_i*kvCL=S|%y;Wvvzv;zIV$RZAJaMsgk8B^^Q#ZhRaUb%k5HPxH z2tzQtC~KMR8|-`XXsLS<~R_T6Yjz0w{(-< zVgv-+ZPUFNpGDshgGyvmviU`(RYSvh~;pB0{7?9R3PC~;Q@)+m_pJ&R%7bcua;b5p!qne!P#Q_V3b73rcVdk5rvTJ8I{hmT9d?#e|7rBj{k zs0?gQeyqx!yR$ze;hQfHL{g^jLf)PWOV5u*fIEcRO~pIXQ8UTE@~CvnF` z^Ck+%2g~h+XLLx^RbdMBZI4x%^DY=(p3G1ud9F^JF$ZRG%{uO9DpuJAxW$FM6O87G zE9zn0?u5qoxXotycG>OgGYGjk&aJ#WXV(&LXBxScQ{W&e?UEr{{Th~FilyOC+9vTi zKg32U$+m2MDT(NG=d{dKXEjH~y(+Pr!f==abHIo<)Llu~5?3-L|8KoN*JZ@Qt5`sYCEc2ROTRr)A~U6B?&~$b{B|}P zBTuv^JBZxaS7nF0)^z`bl(q`AKUmDd-83!WNW!DDV3y0wW?fO=)=PTp@->mTSOBnDw?CsL!bKycK+eL)Bo>0>zONT(7-v(;bGRO0x`#Z)_jr7Tc&mycTMdw&P zD*wGG#F7B{(;z1vC6^Omnh_7DmYI;2CV1vc`0y8W#sv-hDoz9>IKGa6i>?sEN#Vp1 z;XDNYKgcn#9Iqq#^^JnKL;Zg?Ccu`*3k;?K9_{yLJ8QY!s}LTsLcPDz!W<(>{=*%o z*+0KNE>)M>^0;hLPPCLW6XZYKvT`_}XEC|MvAq8KW+EBx`z^dp7?(vD%WNDEvnX5M z)i;xTVrT(Z5TD3pAe&_ATkZ_xO_w*QJ=@IpKsS7_|9Ltzvcu?Kcv@1<)h#PJV}(*? 
zrhER*kF8Ls5YMjf9C8P`NUn<%P;`cThC>Wwl$V=b$$W|p;Qb&SVsx#$fE0qTQ~x+< z;0(}`RsmAPDe*5S9{Yvokg2{^GlhxPD z(Ywi|P*wGjq&8Bw7VluQn7tb{2(=0$1cai)2SkJDnJ#1+Q0-sShuED&2*5W#WU{>n zUTm`-EMD43NF?)wrbsUquEQ+W#(aCDRILG4!&I!G=9z#NWquSIZ+j-pU4|F~w&ssG z`<+sX;GD%vz!db7cMm?|JGq9ep;q>);BYygpFz7|LU2-&RZt9UeigZ}b^F&x`<)@1 ze=nlIzU54IY{W^?k1%l0VsF+&$v9H#vIYz?5^cv=fIqd;85LcT825588>gl&D&Z_} z63fFkjn~VtIrs`3xSk>E6vYW$%5gb?40E2g;G16`kf2In2CEW$N#f>@1S-0Z5iW%f?!$ zr$h<;H&X-v^pA#`&i|~py)?|+Hy>weM2q*AvjgtZxAww9tnEeOnUxS1|B1|)5TAiY$3Sp~^T7VfQQmVE#RdzagVsp0VCOHP|wW z0qT)|MiNeQ{35s9wZ0`TXdVf1l@}h%5IcZ!nJx}581A#s-Y`e8{4C$&=im<+_x7vs zcw|4->J;^&OjT@RnDbxef3p3;B`7$Z>UwP;cUAOeym9dnUH zgJx&*9^lSJ`S>EG!;;#Jc+BPETLS=EG==#+PEvsdNH(w=SR^>i|39W^ei_t(Q+Hxx zU1~L!#b>qh@8Dv!7nORYD;*K%EQu-?7oSp91&Fu7 z^otGe;z8e0w<5Sgx#wi!_X)(G$UB+X@(04SC^S`iDOF)_B)9ShzZPhTl~3d2bOtPG zDQsf1-I|G8xC}<;JlP#~!3A;Un~WFfo0CKkM1Z~jUz&&*UP>|9yDq!zod0s45vU~o zy^MBDGL+uIKV4a<=sn-KIVW+epOTjUHQaF=tvyT60p<-z*3zUfPE>KPmYq-Ja07l+)RHX%7+?_?VcxT~nQ)cpd#+ zv27+cjWc3{(fsd~wdK;Bt11}pNNU;J?X{dL27dxOXs9!PKLE7Z1Hwk$Yrld89MjR9 zyGuam>CAS{M3bQ`*$Za@ovquzAA0)-TOt`csNubgo9p8IoIUE1JqH&c8bhlp!@x7W znhCuo)t&t*{d+Fh>1@wz5%0~>=I@nyvV9psePE?f_9U``Z_Emy&D8$m$HbCsJJjpi*%;@XEE`P2053V%K{72HCnD3yBR%1U9ERI1m3d-P+iw&}1 z^TjX*X!`?u*JpO$qWWS%b$0BJ?qRc%9rMBn=Hn7UVbq1BIsx+YyVR^qIZiY`b?so} zZ&gdo4|nW*F&r6X+Di1DR|gbY{dSADIaB0eiX3u`aSu3~PeN-5^}x<}d5@6setzNA zc4X#|A5f{?D(E_8h4c=^`>%CgwAEwF*>5W6fPrAS4Bm6PyVad$jdW3T`RS6$aK>A&p3I zw?7rAIV#$At|U-2D5%^WX_r2G*Ak_;^=02&}t; z2jt9hVy91bc+3faA1+=9iKzHQE#QQ%OlW&Ud(Ndf$MgdVP+1G@>H79-xFqV?WI762$6E0Q+ zlZ24T#=_`qS$muLf~j_T!kHgH!5j%UUXB+eJ1H2t)DSgHy0LTpUKEC`jnU{Z8-^Ah zRf4>&Kvsj^9ttUqM2eOeT+3N{90yax>QI4JEkDj2siX0=M^KG)&rpy^cFy2B$bZ$9 z7S0=Q`l`V6xHkbwB}7eOcp*PpMvsTaLi@tr6`ptGnny3dV|`

;qgpJ=3ODcBtr5@G$W%|!K^y#z)InGN7Q97=u`v~ zmm?~Pl2v}c?LRcrBsLwR5c7X%CfJ7vis_yonu-3uX{Pu8Ni&Hk4`2>@{8|6Kjxhx- ztCNZAnTCayD1w@OYuqs8Ipo&Ye}G=N_Pw3Cez-}iBfC!T99f%c)ahnW>FJ5y0$A%6 z?m0+oue;)>$tWD(oR2=Rzfh=99A_|@??!Om_dQ;aX9xC5t7G{uj43Re`t_~sYe%W| ze_~8RFcpOOc*2Vp5|8tNZ@$AkEBkFGt2vXl!Hw9oS_GXZRhv0q6AVLAen;L%YO=E$ zFIg^f$DWKY$%*Y(jw{i%z-)DtYGkMRFpqW6frfod+3dsCFsxcpLYQX`1T>}JV;=SD zC2pr*4YL62dP7u+9rv}05KCEixqRdkJPv$i#j+HMJU2SHz_TcQ7~KwEmw*>m&j09d z?&w`2%S}G~v`-c{a<+2;TTPbh^v#*=21ZLaV+PrE%3N5UxwSvY6n&9W-wH?bj0E<4 z@bw|)NBs$ffk~X&B9Y8?G1nbvuPxNY9_PaQQJ&V15J(Ors_%~78=#QN@I>Nwu0d*G zt4+YoeORjuWftTo`k{l{CgF+LX(0Hw5V1bzaqM42*23?r#HW!-*Nt|51&5tm7Gkgb zOy;+7Y*>YE(jTzu8P)oye1C`l9@SiH<#QZm8$|i@KWH=}_l=#`Z9&~bb)Uu`CiBCF zMWGp~(F1ym%kR_UCYCQ$+*<5rPKE+g#;A>2e|6Fv40G)HB=_Z%`H+YNsI`vp#BG8= zrWY;ivQgG-C;DbP;uIVXi{@S*>$Q)hF0}}PmP~wcH5`NEB$kgJk4}A>+icHAngLam z9!0Zc{)iH?ZoLl^_;s)W-*-f1pTCfauCK30VTAGDGf| zOV%c}T}&tY*J&yHz!d7t`akFty(8?*4+aI2%mKnJ8p$Le5p#E5Y<00SAfc4uwc zPBgqfQk!_;6VqWneK=XQYhLgIbh)PyD+QX1 zF_5aOX)6frOKBQ<&>t-Z&iABBgsC9QQr*pOk;bfAw8-gxsNL@&PMPtry7sZ2S>Ip= zk~-N)MkyPCiTpFz&-*gP>KOppq{thf$K z)L}4cO)?{USProuks;pCYGv~5qDq>~G&iE3plgQw67GZyRFp}CUH?Pg2iiXUL3Eha zoH!sYwgF>^9lx&gYEf|FotH#f)+hLMh;&qnxm?Nv;)sGn*x72MOe~s6STKvT{$8#5 zV^Z0T)ROee5T4^)H0mC|qwJ`bZSi>Be8b|*2u)}q#gH74el4maR5NX@sfI8p;BS>I z-mxYr8^72Jp%`TMd2P*L-J;iNYp!VL;dvcF%+D?c-F4JHO*PeAvymLo6wXqIUbMuGcazX%p~z*PY~!|Xf|A#KhurQbadLkM%z^K%xnF^MN?=# zSFd)XjASn6OaC`s1=P%!-fmh=#w3x1HTAB(bK;Z^r{G4!u`3%6(`IdgLmvdMiC2K( zqwLZ{eAgv?S)<64jnk7NNv4b#A8LO2KhTQe6#^Y)CC<8>z_HR&0v_=7DK87%M8?{< zT(C@3W`r$t#Qqp;T^T_BNcze$<#gwp7}Y|9)3U-+veLZ54N|fn%nQ~k`e4~|1;5?> zl(2xrDHk=N)&1^%_{+%m&TH>>>GBud&V!ZIV6S_|)%Pynrr&*;{Xnt-AQjD_RBCfjZT*7@@zMC<^z>zb<MnIu*gHiRc2{i(W-KMr@wmpRpU1OzLrhbs#(zfh* z+=AAYmzC$8jh^=A?tSJ2qXb`qBI|tbvxh4i?X$`~+5jimXh$G(k5w{V&kK*LyjKyr zV;SeejZUdkuwu^*wNLY5Hf-w}xV3di_7mW31jxBlzro$_uR5#^ON9;{C=@T4IAE+~ z3mPS^MB*}zW1zo7y}nA%=1eLo0E=v?AKimb-u)W>1D__An(+0lw?B|cuIphdwiwfr zR#U}}qdb(BAmyXof{*Mjlox!*O#Xu@*=@K>J+NXyOy&HALy;qWIjCZ0@c29E&sGb_ 
z@68_J%|ijIn2~eB6AwZJA*z({Mc|0K17dqfk#Fe7JGsNpGE%ibC*xHg#E&duW~oKa zPN`LeYd^p?HfukNy-lR}A@7#`eSwP+s7z?JN)qSm6P%j?P z^sly+`ue-a656eqWV~&-)GKh8iE&>O!r1DAu5~kW#Tb=;Y85v~{otc|qY+Uw3Cz4U znUTEUb2*{`eAV5uD9s*T*el1>lhgmm*=jOex}fL!@FjnFIaGzbVPY2B(>mne41GNA zbE1c>@SM`2RiadTiDKUgx2Wnz63N{Dnv>f%q}*;^UW@KyQAug!B7BFiyl3019!f7Z zyPO<=M^*0^oxW|;&%u{?niI$GXcUxcoxAUcP=L0E zh+Ab>Nph=~T^a5J4j4UIJkPh7mBD*UJl#Axieq(d4dSHKs7oaRd;~ps#-acG91>hW z=&FC2&#V~|P!lpXgsVd@S}v&cCBe>neR}a@eha}cXp-I6;QQv@Mw{zG8!Yo7A3ZWk zUUo$BlDAoqCDM-=83`>}`9R9OZv1U96B~~1&2Wpwve;^h90vi+0rOJGYEasabu@r5 zjh$&Gn>hiZa|PL2iEV@tXS}|I2JIVVwRUTyAqI}Wh()lzSXEXDGPc)s#MLxvduOCO zJOa(c%8q#tptrP;7a4{&nVNq3(Bt{{Wrz1tx$&)ohGZ!%XOgpTNi(_yxLNF~DJ=ko zSqec<89&N^KORD;H}$OS*(0+pZKurZNW>K!#vtZ16e+c5K%8%UQ@4iKtSO&g7Zr#K zng8hM5#?}D^WfH|VhO95No!}`~1~dJ(|F~`7!G& z`_-6!gNlnTlIe~!E`dm#^1%L^4i8e1BSn_`@BC@Lqrj<-^(20_D7moK%n6*fD7Lhy z?^EVIT8ePPdUYO%@;;qEH{_LJN7|MLqp1{F2z9D6eU?1i$| zdsIdAy5S}`Ho z%$f9VeQQ~uWX>flD$OXvRB=<}OY1(0w3N}R!n4Hh>?5mg$e4Fm^jmg)~LqDZ^>YHZlGc`I( zi{)&T*U?S!EfW)>V^7rek3%V}h`m4_ZpZ=x)W$c{^97Wj-0MY-t1QQCxaoS2AIBz+)TPJ}oy%Wkh@j~v=&EUR7Px;7l~zz@ zvz+rtBN)^)Dl8mK>E|W)NY}NSYqhb6l^o#(sfRUwgzNiAV8&)M%^40?XzAseO-gDj zR^zR?;Q>upokYKt?1`8tgGbhLwvQNZO~4!bx*rTFQrHn_11?JYWSy}+)wwcN+3Xh+ zEnI1_HN6mDZ?8$ZunHSNomzXpdDf`CM7z za7A32J6db)7=Fa7;mR8(@7k)evh9L-lzPOB^!m>sT$de!dKl_1&yD*7e~|f%#mG6U z6$5~TkoHB5B5?o-W{M1#o}^AEY*ix3${<<&8aTVN4wZoz$B#?uunD*^+SGxNim)L4 z1W(7g8>MXDdyAQVo)2<%UuV;NR)H_;>3;9V@;;1ZyqHUDsjv~TCP$;t;i*`RRMTC3 zi&{AzGR@AkA8_ zT4y;R?EzM){ylaLV4p`WtNwWw0|wYJ*kn7U_!o<@PiLc+CHV`nJeL1Vt?=mB3$JFt zvFeGQPL6Z07Q%vZB^ahgXnU<_AX{ixnE0kfzlUsT!ej4fwtdde4aV>-lJ@2=AJP( zf8IVLExblrx%F4bCe{~`%P+&{A7);14wccxdk~i}S-E$`URTlATOxJ+Y|r~1&xcT7 zFMA)QAMbv59v$DW^Lp?(+#c`dKbK}lWAkx8|9*`6IXrV^nhZ7$+=7k1!Q3*d*;`s} zHg|su=7LN=3h|5m*PQJB%rYx!%;V4)e7QoqFb>@Ocj8IxaEsz5*+_W}xz$y!6+FrL z{MF@tczWKtI=x73jXwGd;^Q~@UT@a#o^Z_jpRpLc9m!eqFdTEH+dkO(()j2X6CEJ! 
zD9ZL(?ANbCvKJDlk?x$R3|yg`@g?U6c1@biE%D(w!xr^@AG~3#Qm!Jq1^lRy+@sup z+@jvHT-|=X#|K9B{GLdGqsR-&h()$_F~=Z)JxyWQm(!aPWAyF2$_q#XEnB;m^_tDP zN3gEbNRq&xiZ6Fuk^Bj_U$KfzN>6Uj#o3GQQ#E6PI$(Gk>a3R_9)qP)G-c^8P# zy4b#J$0LFk8c%zq`xz5(|=XzR0ve`x1cqx7Bt_Wqm#tpuCp5ob2kM8AZ z*6gKe-0#8SQgKKw0+H`RB5?YCx1ad+8~p8N{zb0$=BQVPyZbYB-0!Ws$4Y|!+eHT8 zoetAMB_8&cO3G1BU#uBkfABZ`Qr)xNiGq<&D%|ps8g75Pd~lBg41Y3g07}nP+exkO z2BMiBn;}YE?G4f<@bn8gIAaw!NBzA}1+ht}TZD*ti;( z48z^k18S7HAr}kux;h_P7^IZC<*z3!_0(d!DUr~Q&f@aOEG$g#_-s*?duBcXZp92Z-MXK#OVbUx>7_> zT7Ekj)#4)OmLt(-fUpAayc&S!|D5HVp(v+ZSno{_^#~I9ffvn;b4T6o_WhF>MN2O* zoN$O1>NqiAc<`HaQEHV_|EjW2I)lK4*io&PnR@{I*;ulogsoAQa?=E9Pd4vwzA ze-wts`n~`yrNl2}F;q>FmbR4s(>fr#+(t7gYkcF+t9+rd!z%)KS6>yl^4k+Oi%PrO z@_J0Ed#dPqg^w;adRS-{c3zWgGWu|nhc?|XC3jB^;TR{2?-MB@C{TuA@v9YzdCg2b z%&2}N`Bc8Dji*olx_f&4dJ;-yzI##Hds***t?qtmOpoh{fj<{())U3Lzx>eUYQJY6 zza49DG#}`CE6+aVo^ly&dOzEXPSo;NEnl7R$DKbmX1P|+C)ZEky~$h$F;{5gZXCzk zIB30wJv8!VVE5wWLh%z|*&M&ns>NS&%{_oY>9R`Iyk;IJhJ&-_bdw;Deq*zl*i@!I zLIms(%wdCZx)LUqYPZJ&n;bXN-_>kk<3}>r?R8Mk1vOkK6cz(tQ0I6^&Du;+A8U6A zm_Yx-nG+|3Zv;M54+s`aK>v!u9x+N37F9XNEk1XIn)X(|k!+UUafr-7ZBpL1WVnNL z{dd11lp$z;N&i8I18+3bm_N|P_Ck%*;RNx{jqIrm5*5Q`^i^T1@!1`A$ zxegL0D8qm^+Tf^cx-N9ScG4u9t6lKbV~@|Cqy&YxiALBua!kem8Fl^bZOS_W-?;FKY-!ofbM@jaDiG-0e zm`x)rIVmbPRf}@8 zSkNnG`7Qh8y%GRKB*}Jc;)6>$2))&c)?cD27PltRR_cvZ`n(`#zLib95uO543M&~$ zK_@f*jjOSDK|x(9_ItdMc)2a-)NU!~CQo(|&C_HTG%W{0)&XyO>Sw zmuPQA7~0_{e@I&0o_%uq^k#ojlsH5BmVgk;DDT%#cXetRd5{o||2{4p>i^MRRd)Vy85jaj3QT3KNBFxIE8<5c z8d^XtxyeyghN0p|7OkX|XH7oL3s`Ts)sjcKPL##Sloq5k;R7)^Ut@R&WjggKzC2@-#}~+n~!u`!L!#; z7+BI$nZfMS3+i5g!psT|;z?d%asw8)2zy^L-rq0c_|8w%qj)fA z=q4}0MALp>v4pIoawI^gRspsa;x98F_TIyUQS5xn4!q<&4zpInA580uU4AZt7ADP& zEmMx|x3ZOcEuk4KDw5h48HHbi{(ro^Q*@;b+in@NV%xTDyJFi(#a6|(ZQB*wwr$%L zRIhr!@5lbf-rb}7ppSB%ku_GH=f38g2n?_uQkS4#yT0bYTpa=5)jqM7 zTAP2^2E9qfXaVsD{?c68faehKQM#j}K&#a>ZSKaH?Wh~Jl1Qg-M9TBIzn@|A@c7l4 zj5C+z(`@K0XS;|VIpJzUfBYLvq(i1O1%t;XwC%|>^BLoUm~)st?MlOtmQMUwsXCo* 
zSlEEAX~fwe{)|^|ZIIsBEd7kOwQZZ<_%=KR0!@|BIX|@VDi4HJ4Luu4`B&BY6W2v` z@Myn)8M{NLgJdI}MRw-7PMs1t43>uRxJnECK(<{*RA$Fm@RMCtVO7~5KVrC)C&_)-hHDcJTTrcne()c464}I}S0{gpYX1tP)3H0w?t8d5M?oC2_Q^$hBjLCt-TUn^@ZL6FZM++-Gnk(Q&s^kMcJ} zg?Z;`m3xRvWmAEOk;q#t#wO%WK|02%YDpOqmSm#z)_nhGnI%?sU_TP!tTd_*W2=CV zPwe2fs$}UO_*o+D*lSkrh*Cxsnc?8rShyYH4n3!PQ(4yk!x!I}4I4zj?9%eLE8K*nQrIW3K(2gx| z`EafIR;Co$(#5C;ch6`*-gMm&^?B9z(^WAWTe}2A9TFycSI0kwHV{Z(ZjL%RCYQis zt5yL8i=rh*{;e~@CIUMIuP%8Na2}6Yyx=52QdvlPt500j%?>lu6_IztW$1zQN^3KhyMsgAVA2m<#ZJ{ z7dHlVb;#$3f#`#`-I5=h?(GOE>0XVC-VT~mG-w>#dQ*mI)PhZO3mz;yELJPbDEs0Z zZbXzGgZj>$K4tPvH5(+=yz&o&AjbzpU!%YLKZ}N`O3tpS#4n<}A`C+cbBw&BQ3vYE z6&uUn7hqV1F*okz^*iwkRe!IcaJnu)B{NBcP6t6KvIW^O;s8slq&Fu-(@mp}4UmOv z_h(FIG)!czNok4UeF*4l8UFEfaPW*_C66vq6s+J@8uB1+8^EhN=?^E-xx8e-_15`s zrs1Vm)(MG_H`(j?=W$&d7s#yz2q$l{c?MRJ&iP4Giy153bfRw9#Pf`1B~>u4dEK-a z^w$1H5!49iD+d)WI=t{>&=SMI-;9lyYr5sidn}?~=BJ7&DHM<46IZ&2r&waJ$Fp+s z)Y*NjxEC6r_LFAtBvrII1`TVr{VVyJ`hmciR9nPtEo!)(G+ zBZ2!N{niu4KIQE%V2^%i9a%h+U#NiK7Qp~MR}{`85+|!gx#7`524NFuwPY@U1!)x3 zDoL)Ib_n|aK`YEDp>6v1dfA+{v0m^{Z74Zucj8LS(uCo>-;C4l#PGip3#TdvcO=i# z$o9=Fj`&egr0X{35&^=DADkmAo4{QDJcq-vg>em5IVTMTPQjS^)upE`NjRA9af-<{jMM1BWDEctP|Do*%svVLpKb^e(Y(|v6%zXZGuLKB&J8ZTV?M~1=sZ3y+cfn0RjId*ElbE!u?K7ciFC zX?xqG8mvq#qYbJ@t=6Dw;$o7RLk*J?tkw8bJZ}~GQTS%0213`ne2Y#Lh`-Ozr{Om7 z(H1RhR93UV5&av%u7vXa7lNIE_!q&JR}J%_^m1@ZcXCY)fbb{iyGyaX{fl7BUUEF8 z+6sPZ`FzN(0m&1%&Qk}Zh@tm4Ue=7Og^4toSOjJezM8G50|0EzQmc*Bv2G1ri;^D` z&zk7gb^?#1B(YzRp57vDKj~@J zc1cZFsA5LKps-!Q)JRRF;?UK;dmU}lzf(cCIt%ebZfwJ*8wb+g#q40qk#aTF)#-*k zYW!3@^(E8ek=%`Q+FG8}X~vEV+=X+Z^uMWvK@X_v+09eiLgkuF9kDO02I#jg))$g8 zzh-8?>&vNA_MM*hULJj+wpB4nv@5Zlz_IG7La#oJ`2EO$^$;h{0S6~Xbr#sScC*|? 
zsuNeVlQF2eMCEu&Zd(THT{JK5lI}>JTyW0Mz*X6tyTG4+b538pzi(59;hlK1rg3?i zpzL?Nz=ie1Zl(I2^wUaz1x{BN7#8ogW*A?>l|H9y>q|x@W^ZBR3gGxCuHUvUu*CU_ zX#uzF{0GC8PKrIx5BW5CAu_Nuf2cH88j=X`3aiwPC{YCAd_Nprmql5mC;Dx{RjqOplJ3dGVk0C5tZExmCwyPw2+FxKuTfa8q@Vy4p%a-I~gAnMs zT-FQP9?N_sMi0P-ny%%7nBvJq7#ghX{&~=hBH~BRVRc-5B`JM zF{T-=NVOnXCV79|&0x%OG-|f}=hvVtpZ9%Ywj<_-Zvm~p_10@^Csboru*LdNSC5>{ z?fi{uA0Ns0*uos7Q!IZqal*3*Bt+!aXuF_U*6_unuw#q{QQj|cTMJFRfpQ&Oq|l|nCdCCEE+!=_IC_NoD)Hg_&zwR(#n!6wndvde}t0A7Dw6+ zN3j?v*C)P!uO#AtKZDw<$>rpyKTjMpvez9B-8fnlAHh{T%?i!gyS2;)#>$iwXtc~X z0bj|uPfh#QMQG?;ZO+=+Xg8w$fCX;2&|*Y0zVT;gWLJ;G%}svJ_D*5xAYS3w!n+qH zhnyVkd>dO4h#D?jKWah6u6t;a*M3_)My(~+&D(lTZS|ny%*s!u#mB@WS#8nsmtm7& zl?u>11m)rjEFa-oBaL|IsQqsoY-J?xW{Me&1_~=loxE{QoSA(S^3*NqsMd7A?#`px zX}C^j%lT^Usx;r$nX3$uRJ@~Jsx_Gw=KI{2Gxq44dTWNSPK$_7eKaQH;YzSZ%rY{?h zmW!;|H})6DQMV=OD`+0Ig2?M5+uUytj%}xBc|R}vJU-09(^pzs)N-)%^S9Y3EL_cA z)=%O(>?|%(bG4W&UdT$}xrJEhE4e@Whg5X9yRDRs7;E6Vs;_grh(w=d*2kuhX#)*_ z6aJ?~B9h(%LM6???Q!W@kN;g$s%cMbIOTl8_+XN7hN*~#s z0snZRBd_WatjzxxsR$Ww)zT$&5w-4Yw$ck`vaqbICvVBFsv`4kual3P3%#CxkjjiG zH@moNz@b|3Qx#}Ggt#FtpSFDm#`-GeVJ`iZDsgoT%GNTtbxkMLTJ?|cVmIQuA5SD+ zFPGWWFF%hIZsXDIv6)78xUW`*6g{)q6dpg|>TuOUm=iNp5*7&OioI-HePG0DW#B{cNPE9T_!83Q*C;@rDaX`1saaW#34QQ{Iu;5 zmNq-fdP($|w@eJoNP4lI;*Cy6EchUDSo@Ig8x7+x3VR~^aVhqR^}W-B*?PwKa;t5y zq^D7E{g?Qj>%49dAOS*|?F0lg=)e*-fXzb&w!Fv;Ja?kE;|4C3m&1N>(l7VsL$4|b zJP^oinu=%_wj;}vPq-S*Nkw>w!&eASDW+&$d_1GZi3mZmRG9KT;jau`q@Yg1ab+`U z8eVP|1a}2h_b_m@y{qp-NfQRbsr~^|gQao)=VEnwVA=qP7Rqd~(+TMt15==x><%1u zM*S1Jn8}ZUdd{zkNh3fw10Y@B&*es$VqVK3C>9XsHWLrc5_=?qgH*l)b0&siCK?jEFJ%5WsvCNkPu&O zKAsO>EiS6mj?I!{b2S-CcCQjD88`vxPeBz7y_Dw%>N=O0fBY!Yk)oeGOU!BUVu(*( z{7mZ@Bx}LXpNeKM6qB;QP8obIoN zj=}xZkPK5qmGVHFIh@KNtqkS}(0iO1l#mndYouwh7Oj{YEbJvh%0&nNTI4`^aPwJ% zRmef6&NvR^@HPbss@lpKYH9PvdG*Y~W)D}RYWxotsIUyc0^z`J!3tNj-#CD=03L}M zrTxTa4F$mTvKHIBwqS}c7Tz@f!a(oRxzjfr1*5tA*}2hqWuiEM zwLcT=@OKCnH%l`4?f`i408(*3BKeWm0UOkr-Dm>q-!!D3xYr 
zghczL9jS0`=P4!s!hm3Ue?Z5d8X4~{OfcFgFbu3tAK`_Gy2QghuhqHt=#6h;!)!iY*$5bzyAeh!!Ii|sT=IJJ}!Srd6slFyZgYKa{?|ATEg{pyy~kRWu)f{uFCZdaiDUZ+R2=`HX8Qcd zLWPMPKJQ2j@n?Vk5qIV%wp<}lpx)lnd^GR?m3jB=Py>-y>o-5kBK`{4h6Ey6TokDM z`9Ku`e2OF4YXdY4!Vl55Rz`Y5?F{JWULY2mUI-nml0-Hwn?}}#V&%#N6X|I#ZSr{b z1&e%aeoN^@xYN5*IW%kUQ(4K=Ukd|Tz}BLi9SYFa-wLIuSF?-#*<^sNv%Z#ipR7m1 z-L&5NmQ`xS-5_R@wK;OKd+C5iP%JE+0!F=!MjiDjo&pGwf}mLPoKVu5d2rfO-S@VK zf1XQ?IJ)dO#sX#RCHGQ$ZQ_UbXn;uh6-V3@CHpPH{iSqtnO#IqK_<@nzkrRzopI1E z_LU-_^fn*$PUS)D$R$Y=3ggG;e7wAP3T}ZFk@1x6X8;dvDV7Y9MVKSo%!vC#ZnlV` zEjL5B!0j&_-S1x!$FuG9iIf3r%M?pY+^-%!3pml@4&#Juqm&1Q$msP!;9v7j%HxV8 zh!YpL#IjU-7-Xv8zr|6KC(eU8e&PnhDkKF7)5xNhx)&Ibp0G9Dg%T4iN>bMM9~v+^ z>KPZ{y9EqiF@i#-B4`}TFsmp2s&bLy1>fPsDU*^gbLQM=3P4-uGfbk`!h1@6HCOq( zm$!W7RWwqsc+vpo*u^E}h^;GUO!wH^MA+ll%u`G=^~a7?idri#7_;nBo#G(I=fB-!uY-57G6UNs&$>fDISZh9PMv;jPSv9!alDYLDL7rHgxmxGI}Ow?o3LG&PE?+C9N|C1?3TUfMX57H8^z-( zA)ggy-JP%;dG5Oe#TfSNTDf`RZgEm7Qtz5eQ}4X6dQ$I(29PZe)*#tu%$fH72b6P; z^=~K#0s!TN%O&ivSkcpGG-0WinEcL_Ld_WDIb84-q#(=hFV`3%TDY|R)j8J>T{DU4 zaS{+IB8Ci8V=<2MO(y`1d<^D7st;XPj(J6N4%;JXLY0yssx>Vx48=L^ zop84~TLzRt+)1W1U8vRsSy@dg9YIS(?!p57nF>}QKcZNqGQHbV%P?no?^4G#3eUA0 zB(T02HngpBnjY6>8ECs->I7ibsZ|c08KfFqv>O^dSz-+=OZMnkv&MN?5~X>_dJ#d`gMR;jYS+t{xZ!_a9rVF;W*urF5uc`foIg>>;qCrozmRRF zZv=E2Ll9Aiq^pkSsUZ&L#Da=8 zN@b#~D^qi6p(CBG?~BY4CU?Z#+7+Ra#VURgYJKt>|=B5L*un%%OW;uH$_u;*Htt|Je)@JWWN zDv{YrLc}dz6&epMqt+?OdAi&sMlP1zIelvNj#NRoOyN$Hl@6KQmaN(52!ySSYNIx$ zS8hIXwYXtXF|5J)Q!1_lh~b(j;_Qjp`(05l?~vKYq!7o#woBDho|0etCT!$ z|1PWR0m|xvvCSQQ1HMu2@5%fwdO9`Zbl>0j+|J}bdPhLDv7gI+7r*UJB~sZie^GbY zec^I+a;5cJNn(_kcplMh{#f(-77Tc(xWUiG&|5@Nb>1x+GxrCfoG-S6jQ*_cSKR+$$c-&EaFFV@0w691{O>0LD zipAQ734$0Rtt`LKV$_tOgkP6*-zSxKM62fPn1D;U3+u9EMUV>aFQlT6iV~sH9SWjh z_P>hPr(|BQm!LvjT^58c{?!me4oUX

00CiES)-Dfi9=72@ahIJ2A|y;IXiN>w1GT>0;2Kz?i9qUn|`Q>zvP)guMV1_l-xp~Y9NnVJ*+kr5{y-k4HQMcv4|WoJsMpRPb#fKP7d*wbpe^vbKTSd;j=# zkehZ~J|S!a;bi7IqCZpJ&Jj#C48W6y>AmqxD*j~B$ z9$OKz>*Ioa&1F}B`p<#(1?hhrXq`CLQ;1-RQDI7S55mWhN@u~U_lSdi!?>tR7e&7j zMP7s`ay|kgJvENs{IOp}Mq~%}7W0xtJvdv|}toD1qMN^Ut8Yb`g%9f9sJ4kjER2$L|kpNZJ|LxijhqdNVI_@bv;0 zbZj;xdSg2Rk_)G`D~W*@Rp-po88qn3LtdV6L?xBSx*_dyFi)o;;ATubG`v%#Tl-Q< znp|A%hkB^&3=P9Ckr*SyK!nd}nk}6_aRwR_nJ%)MSXCnGI}ZI_lSkwJj#dMybulgC z&~7~ukDup)Pgoy45V1(!zb{jNJ-j0GNi73@8+|*>fxa=EY6u$?cQ=WzIL>E@ui7&w zI7H+6YRJA+{As81EIC~?LuE`Tx=`BFZyd1XWOi6afD|Vl=@Qna9GHT)D{-VQrQXH& zZ+&kv%g~JV;Mjl!r>&1?&hHJv9W`Dyf>+qUN0L|X5JT)&fKmABEIb(CPc>5f$!z2h zu{Pov@i*FK^f%gtsZTO=%1*n?&vSrTJwKC^Mrt`(mHgv}rPPAEMqLCu#g9v6`eg}X z4&r}~QBoL<{f+cc6nR%7#Mg}F}gMv zxRrI((DDVI*tG?{58^YG+p?q`{#8$gx;#=R0e=AD0|pPLWu@`f1Oa;`XubqnTVPPa zY(hPj6NyEcVd^@1SKp%ivA>m#i*u4jB?rTBI`AWJ+hEQb^%qmHUZKI_rZi-E!>)_- z?;-fJ|K3$hu$Ih`sXJ36Wa3$L9p1)W?pZ@9R1)Vcj9C{_*J?$_Vg$9>7>YXFTn30S z;Xo~Z^0c6&=Xd3y)NajYdpS@zHo~~@g8tg!<@#gTO@Py0qE2twW%9_=?FcxZkZOI0 zQ^@B8eU_DFRE2Oj=*vDJAG7igI!ri+*w-h0=ud+a#BQa~T4J?u6=|C1-rQldX0Qbk zP+l6~cS=}eGmc42u$ccg!n_5{v`oV;EWsc{8$fm{&Nw-$+u9>RwEP3-Uk%IHVGhVF z4KR*5`|bc!r6EROClL#-c4>@0w;yCfzq3T({7M?^hKuQKag;ey8Fi|eft&82E1dhT zRIWER!8=U?YaFDneDb~YPXWiK;ICht3jo7#m(A2R;Mk-!FOLzHld4!O6cyt6-&Cb|4qe`qXfu=kL=;{_sAdq z+&@3c+7oBE#-%r>O=$vyY<)F!86y;V@*mWz*MkxVR*a{4c)rjM+f$1~Z_RI-g|-i7 zZ-9^Ur9ow^g2_Mqy*;Iuo*$FO0S=~Ot;TXimh|$CVP_!WY+02Hpzs2n)co%VGq{9I zhxPM%>aER9H=V?RZX_BTzs%|c5}726Y$?P#RXTCbx3E$(`>9dghIe7m66eEMs+2w{ z?lTmaQ=O!Hiz$w+UcYyMRygy^fk|s&D~ra5c6YFyWgRWV$4C6TmszdyuU_V)Qt;ni zrg?QgKYRniR~MT8`WJ=R;0sTz!A>fOQCL zG|P1$x!f}TBCA1s@YdU>zx0--jFM@X8{9?Jkp#ouW8FsNAh!ssLd|P%AE*k!d`yNk z+vP>{;~$(HCNA{J`35ZVNcbd-(H6%y6nl9Twkv|0wRV-xI)!i;w*N9|7Hes6VrZ7C zFV1ozwC@pfF&%O{GK)b+z+N6P2?lI@X#CLsO-oD094zoy97pxxm}y(Lv{GtUfogf& z-MDMiw{&-jXiYw9d;T-hgs4bV99fAp847OLClFk;;vRx|zg=nYp-PEV9=XIe%WAQ$0Cqex-I~Y=XGF>} z^Rn^!R@BR>B$3fEoLVvVn5WfQFb!TABb&C6v2gx~s(H0!e0!XJwC+f^YATb6I+L|t 
z@fO>U1E9}ooxWeVC4Y+VN;;xdIVwwtIXNGKus8QOYjKi3fP0QA2<`7qsEJ(jbXbH5 znL2xho0E%Wl#P6j=qH5IP6LlvmzQ3q3yvB}Vq~B}M>dzGcOsz@K3(yr^$YiXHuCnD z_V{@D&URr~pY59FI>Jmz2EMc+LX2(vAX*4%9nO#B-u4#;F=zy2s;GYJ_SFi;kYAf@ zMijIXc_0+&lrBynO>4qeO?X2G@r!8L{niJ(Gd|lX^EjD{`W=5QK4mukMmgR=^*-Ph zcGs2ILy-+hJyS?%(V$e#>WpHAZ#zC4hH6zJ_$52#Z=Vk@T66^w4i$_S1W#if5xFUr zel`z@^cy&E7OWy%3#4+Yg*9Ew^0ZhaFh$ROVSayFx2gPk*QjHAlL{2!QtUDWnm$jk$kkoqN2^99S;(7Q zJ+g<4Od`9Gb0ippbFKD+xh^~~hS^4u2Lfg_-YuLYNYza1X-lR^w;`$%O?5|*DN_R2 z&yWyq^D7uEKMe~QBZ2RjkiA2!*x_fZ`!eT4uNFM>M(9UM(-tVx^$u_#p*=7k#`ivmx8sMV#_zKq^Y#3?jN-O>>I&-?>VXir*sH}T zBmT3a?R#_vog96#_Zj?}2;gvnEmF|n9AN~JY3aXCCMp288J-??T3Wjqo*gx+yA3U7 zdas%0f;G4&99D)FqN@%o`f-5;*<(wxi8356-SdG-6q8Uzg& zUbX8ewkvnrjRi-&n+>mGw$x61nac0#CgA8^&eSUHox?*KI8p>og~KYA*{3Ql*2&a%GP$CHMbIi|J>kv zCRYU8XwF&M3bL6r+gEFd>--1^-&_TCG~N3MbJ>Tf$pUwU$&AV}j()UqK)uJj=_PVR zc`p@UVyVjdFfmu_d(JH@nA7THrf2A)Mc_b?P5?~+=V*|3txkTkjElDfb>9L(R?#C9EO#un<` ze}s@J6q*UkS)<62Od=J0F&2n#2Mt;$L>A_nBrk&ti`kMNMH1V{+<*9Ne;hTR0Gom~ zbVT4pwQ})(3hPdbVO-2+3ctjxDpc~yh`pC;&A$tJ-=O4*vDw2GnIe$#QH;$k^PPY? zzx9?+CiRdZtt)6czD=|VRDsZOM8R#{=A0S}uLy-AHFrmW5CTuZM8JoeCbB!0`Dtbr z)sXAqdRl(&O(!ZZZAK)ux5ac0>xa?if^H2yKZTQdSeUpZ)aoeC__K`T3i+yC&*h?8 zQceiRr3G@~6&$yMX#b&l+nVwTbp6Ru!(!;|nO^yHW?I8=8Ka9Lr`EQGrh0BE2H1yb z{oRMDc}F+(3$sX!8w3$BO9KEy;I7f?EsA{4)a&5|*Pi|I-StSL`q?e2z`qypqcK&$W zU{T|17pU&n?3j>+|5xo6^D{Ju4+|tcHm;V3o79JV-lH{ED+KM$D{D;GTKT|-$3-DH zVckmU#R+`V#HJ+wG5)de4&dAvJ2i-ES$*vohxo^afgmmsiX8N7+@_;~rxzd4Zn(b? zk@95{kW<_(ZZ9TDiV|s6y`*73B`)wx!nfYs*pAo}O$5){hPE9*wsPdQ=HT zRY)X=$s*B+r~GzEr;rRy<;xUaILL^1hu3!@Dwf8bYqp-C(B&G!il&kK1C8^|qXA_6 zoIFjDARqs7?+d#Oj-4@G$m^Q?ZL|((U>GK9Mynh|K5`ui2Yn1MfGmn$+-)5t3rIg z|1EB1k=qw1a2Z;@qSFbOkO?Sq?(WLs!E#u=Q{>zRQP6ze#2C!p!^@3QQPNxP&{w6bhX+nTZ>?K^6!}fixSV(fCsN z&UHak2-~!GnC;^38BpmM_`z{2!w0+4Xb&g>o9_YCrR`(k#%(bvFG(E{l%i4wdr7+v z0xu^-`$^j&(`S(@!dKlZrQ>Ji!Y|6Fr>cv546*YkFXKCWbjR_I`< ztGLWJFll2rn!l%zE04)_pbBNuolt567$T`Qx_pHxqBL&yH^8l;)-Vg#*@AIEV85Uw zGGyb~0)4pT0(sQ(O6+Uem=P=H3RKl-!xi4?1M~fX){Clvh?HbB>mxw3;~Lxm1teB? 
zfrJ%^65)-<{S?dNNtyfYnfpoT+fOWEUq~Kpc!~$)apcop2^xhmOH^{jytm+R0>=gH zNdMuwaScsgOUK{L8D(S-&VOW2QY~!J+8!FDCIN31dvS=zW(HtK1m#Ls1mg~zKk!7D zoCnr!Unn2hbCO{se@Uhhdp>e_`WCA5enxMDdHEJTJS^>;ivLof!ewhxe7PVOE-ART zhRx7(KO*1uMq5D_q@C4U+8%$c@HtuVoa~c>kRTUh)^Lso1u6Gm>w6lmf1Scb}=HVNOu%1g{??AP{byzUeQR+=5zw@q_NecL*#-ULh65iTOL8?I45LR; z=4nm8vorM$t{pwlHADFD9doG>u{vpqK{L23svB?X?7RLm{4BKuM3(|}Gv99vvtpR4 zGdXXgfHT91*o63ZpRt|rqM$2F2MAU>wayvA0n*RwB1_sSi@0?{XQX$z9BuSm+LesL7SYTU*1w zW6-~Sy!kwbZ7*2{Qa#qli%-Gf5k{-tygG{}3|_r^#FMdn67lm{T6uZSoAAWuu%Z!E zVsqMBf6+OG^1)J8J4rgtpEgiB-JNgFJz_wkFAq>+>Ub_sopML<@nr-#eedAHlel9U zU8nDStZ0^>iFvV(;vaTA?>qKOJi&<}+ZJFNuaT2Pa(5?;83%?X~JXX!99)kc+ z=oI%?@6xh?lrIc=)-*^ecuE6y8@2%9ICA0f)^W-6)-tZDM`e6R+5P}$hM;kGkl`j= z*1*p68I(I=Ao*7oa*!d$2VSMyx&P9Ai%p{eGl8B{c(ybcVHks`+agkdHJl&Rf*zfL z6%=2@kX#A*n+Dw<0lTZUA*UKs-FTiX>rx}V9}I*23mbWxZ%rp5Zd#V`WTBB6QHv$! z)2`^R8f5&nfbl>wkS;%Z`0SCfkIU)SBy!=z$no}|xm)=BLt}$z$dj&C#zv}VZcR9| zQ*^lZHx$BiL@XGfUxu&4W^?2?6grmukC895H94(lQ==i3a#FIg`OZCYZ+E~a+>rsU zqr|}dk{WT@sftl;Wln97PyGmu78y}~6a;OsFE5lut*d}HCI>)lPG^{ny`4I5EO!6h z8Pq10FsIrMCClmM?Rmbe+>+C7gJ!y+f*m*O;hve*3OkL}8G`-s^#?1#$N;L~8c}jO zP6E4OG}y9KMbF@5+^N0^Vs3OSn~_4Atw)6$2td;q)|{;8zNH%7+5dDlGPc9&Rdilh z%+{kIIbnlYWMOde$%`(VE0e@!Z0~>dw?t(K7o2|#caA~wW15|rR>gjVL&^O_Hp1dr zbqOL0^}0l9%JFrUoKo)kA=R5jS2J4R(i$`yc?wAbNaC zZ^r$J)5FKbzuvA$L*tpSB37%8aCfDYwH?t1qZTFXkGjS0PmA=P+HaPqCaAs}rZcbn2X2q}a8)qd&xjdo0m?GzfGlj_kS9uSj&@JojNdr~G5SgnwNRSw;T?1j>glc;PYwh!Ix;P&HYW{%fFW0o4j zu}^)8Igdq%Df7qKG&F!2Q7D1c-w&!c?s4V4~LAs&!P6sV<(_QRBB#$oJ)K^^*WJmU{I_(U&N0> zrVL&>!b&SMOtfOIw!Ua|CySD}`+t)wXKyW#%qR~#`yxJR_*bmF0w2aw)3JlRmLC0R zGsv;^p%V{J=b8AtD=4CbYadSEGBNn4XVC{V%(F9KPo&9_PLjA94tONNYeJasQ21eR zju)ImT2%3l-`vlELao98Pw?+fxl-AG@01_hPOv>jxTsW;92sSQ$x&!{CDWPU+wK3I z6FJZQofAz0Az}?hoK~ky2nGs{o3<%H7xtZ)&%Qyp6z1lNm54}h*5fyoj&2AhR;SE; z-)SQgQVeH@uz^E{#}>hw+$>J!e1qY}gibg;_vgf8Ful4gz8J~qzF4~3J6rBTt5WR< zi<3JVtVqX_40}DhHXX=5_WW*5cf%qK?(x}FgmUr!VpBvlO}gCP-mP3o8Thd`>0;A8 
zZ`gCdGaoWX@ji~^a}?%T2l&}6r#;j34=_WWrJ2Om3-Us^AwfAwfCorcR+n8xo^3EuVq`@YLlgt~jEr1x;(fPdjSfHxB`cTaUzJyJA$+#S0$Pyt zQNb`F6G`Ljm8}4DHNQ7#%}D*nl*lAfXS$XZ<o@@)6!p#!Jl3nYn+>4qT z3bPhIM@!RH&;d{@ci@t047PeLqLO3J8%b{BO!NhE<})oS!*Z2Ui{On9X~S16cwM<} zXk&}1uVjyXOQT>&Kt;H)@8qx5%7(R z6@NP~|F<*8DRVXE;y54tS!CumqhPS@mb)vmk%KyctE7b<-q*>$XGWrAFt5Jsfz9}Be~gw|!zUlI`d zh#o1zG1SzB?JhmcG78BV>_n@0uUuVSg&ARslJ&+DIH;sn*$aV;Vv-C8G2Un6fX!Wb zF-iDce@5SQpWHSryI5A5n}{;pua|RRTONG#w2D(4b|IsUgZBC?J}FU&5hqMp*%O1J zX^!&gjGiTlA*W7Vg0=hLgu$rWZ1T2f4BtmpK#e-=3}OF5WCx|~+mbBn1dNpk3obUH zGx`U8Ly0}|aT{QPMa*(TjhVIVPq^3jo!d>02GZaL2u}_{Y2l4Ug#thN3uG}V zUd~6t6~}qoc2z_w7J@_IUNUDSkbpuwL!caYnY5PB_{ad-@apr>Nk$`)?O)q)29`(2 zpcABao~4f+IM*gNqtWG%D4Y*dw5{It*(_$*2e!ah;rnVXAu6_}Tv8dkqwl96V}Q`h z^BY3!^9y9A9gzcSMk&eTZ;n`5icfi5MkW9QNE4gyy3`Bf#a{uL^}no@cK>s&G$o`B zsG#4JpyJwvWk6I%jaGBCMHF1L-<+sjaoAd`-cGq310v{xB21DoXQ8iVQxtM0Wm2px zwZ~s5tlK*Kn=$Nyc?BzwKLA6eSx8peC5lBT#)0sqUVo?1F-dYt3aQAm%lbTNSc!FW zs?+9hmeF{tv z=|%a>HfIOsi#j^2mMk^0V~+xfl&s+~qZ9=G^3uY=%JmT*rS@+cOa%QJgZq2=!X? 
zq(bn=9=j^CJm`=4mHbE()|yjX;LZqUo9M4BGdi0cE~(8)VXblD_O>rKl>)`=O2qW!$aEjaMz?Qn`pxe7ZrGV~Zv5l8Yxg;G`=yez z?)d+>Vp2?G7Ay87k(=5nYgCiJYo>IvD{S8rdMt>F!4;QA!zr`hEdC>WdK8V3PK1pI zK4%r;F_dJs;~{8>`C>Rbhq@Dk=~Fl>lPds_uzn55y%1CHMeXqp{s{Z=%?!M>W(uB9 z7A|tEAVS`qS<{GbpJ&(LE>iLG&-K)gdz)1H(jS=ZLn{;YTOD<(d|j~GD3|)g`gdbG ztFC$IQ*(z`r{WH+Pn4?VhiMI`+mP+{0#25cS$=%7s~LwepE+d%^5`GlD!w=68;Nb6 zbzaQs8%?mxE&1R}aR>+nXHTTRE&9BB_VF+5Hyf;HOgZ}3;8N-0ww#u26nu{`_ltWR zyYFdAPpZ78+bNv*(%;9&HeIG?FV(9%sQlHNb_KcGKmvjDCS<(hcWFJ#xmS zEchOFYS1q5IQy=dqx{mSk07<<{jns>M$uV18}1aFg+NWEGC?}qkqXi0EM5oBpxe{l z>xF}-(@HSop4L9J*zhS(^I&N+bFF}4tJVA?ZGCF9j_KU(uufj10uQchMxD%A1#_Ot z;37-wq$t`#*zG>*bM+yqj(N1wGQQ+`KKs>Qza_}U9?$aAah9%-^o{~peAgY9Ke22g z%`-vZsVaeygB}qd|6aW!sIgC=@UsSfle8;ri!uLhE=)tg^YEvbyk*$)nCF2h&y`MI z8Ry?+RoARs#>XLCNZEFRnh5JV%r8K*{XX=cW;?%=c#BXnT6>A{(2O^3E{|muZ{;m| zZ}8OTuZ%LS@HJlW>uiCq&X*Aa5z=3UZl@(lQ6)?|=yeyStO4Il-XCVXoUt8|ko~k* z;~scS<4W{l<)1Z6S#E}3Y{eb}AfnMd7~#APkXL1tKvPkQ&MriwvK~eVFk>;Q%yL+6 z`AgDZNHAgO7ET?}z*c|kMge^ot|15`)q~e;s|iPyl6?BRUZ&TzU0MqiD_J7Hk#p;_f^zFOb* z%~$YujvK`QlQ18F#s_vgi!A)YMQd!;6y|;{ydXgSCKD*)dlf3!9|IISw=Wx4Zrr(Y zCg0g|tAtT3%loQHEG@)!dvUmuOQNgA;_;*25c?C(6(2Fcmy5_71w4~t-P*wlpizpt zwZ9G~nY8=s7QWT`FSl@VK^k)Mizjn|1|de6BQrG;g+O~KH&_hD zBB#~?7^qXU!Zf4ln788Ns+czp-*U@a>EmM^h)T@YjS8xJI(xJsfLpi~!r=SOU$?Lo zqlI995qTr=gKuI7eF*Z_KQB{{n&W%lv|86bfd+#9bHc`Aw(e@PpKxe+F9@DC zO1MCgyiW2gI!a@G&SYszX?q_Z<{*t2Of%gO=?3$dF8&agw9lK7P}wHPEaQ%8B{Mzb zh3XJlk+@oDkf2%?Z9h;-0?Rr@9X(Ez9ynwi`Iy7%YVGhMwbF) zMel`ej3LP%$zADiqjnnFxGfXoyWdMh{ zBB>Q-kpC-b?>P7@hRAZ!5wsV2XlNuF=c5Ji^O_^&kz$r13k9zrbKPU9^6~{lW8o5k z*8i8Emz#>ttt!{e> z7e^}O_be)~r`N)7jOZ`J^}W3x8hU-adK*exEL2?{9-gVJ8+Ao`S7959H8uhLN(DYh zdx0z)Kq$0_5`^YVqz>bUZw%TM;r6sY4ylYwkV23G&pJFr!P~a7wg7LSYzHHZB2Obv zdX8W#dcW6c1=?mL>)uAa-P2o!kuO;!|M`^`3U7LpjUM1*@*gdmi zeiur_hilq%)Dufi(ADxm> z-+`V@N+?*G4PH!2ep%9_Gs%I^WvFk`?$1v;e2ZzQZ}I~+P%Qu^>R)Q*KM=dUfC2J5lFm7~kwiw^h2U$9V;gb%(S2h0}`i`;*hkOA+9` zqLdBFC13fGIbV!z^gTyF?-}b<+5VK43Vd!3wF)1fszpFoDa`PccMDUl20WmZS`b0d 
zPPHtCk^;wJ5C4Aw#6Ua0e><0!Dkt&hp|pMA?QM|rLDwKECRR2ozGOm#?UH?QwnieRWI zI@#AcrDM?7I?X?QtTHozM*7ayG=T@t$Fj7 zT;nCs`GTLfN5ongzAS@w{X}LmCvYN;=R=AoF6oJPNm1W!a82?^#5_w^Ag?KWiHlq3 zfpqE1Xj9tUd~nZrN%D(#cXDhTbXbBK$>(73t zI_rS8up%+R$`%;36UCT2MrVx@&&!;bv4GGBc;At`aDR_Nthh5iIea~4Z}c%1V1Bvs zXWrPKz1IeLk3+u)n1{+ad~}sA0+WjLJ*8@UdP-$GkDgMk-IN5l!`tM=wN3m02;f^ zr@Dkp#t3$!z>^!+P`E6LbIXZGSoNi%QiecqEk>B+!l!E`+2ioDges#fqrjh{g7q$1 zIkzrpP#JgF8B5K}Ei5y+aqY5h&|&JqqL8+!F{VZLpRa0hTj`wgu4s%=ZtDN_+lA0S zXI5GGZT$A+_-JcJmn`@quV*Fh!D^4amBkz@1}bRcHShbPjvZMQ_8WwaBrQ{}zze;U z?)@KVJU`l1b^tIIHsMx9o{A7rzvQQ|C4bj05 zB_q&>k#nrwH7H8X>S_i^cS7Laq!ezU=nV!UKc33T*la}(!zk@(Ot)tqTkjgNITT3MiRy$Q58fmS@d z3G~|%qdvU})Et6gnSAcnyegs}fur8U5{o>ueb6I(wA+A3>u^W*+D7Q5HMGWMTL}Q` zyKQgTOsety%2^fp96D@?x#Mak{uueIHcLi*)KKrVS`T*bv|8JAS5ZSoU&|P7W37uO zIhiP5D!41AL0Pf@xdyY+W)%x$k}LrqQ<_7!mRS*1afxPl+T<>+MxEi6nt|{MZ`Q*? zdhDVom#IPNjv?ox5%i*8CYT+km>MFtGx91?k<&vcKs(DTu;C>vvzZj9-!w10c`NON z&`*#4JwYLus5jQ>P$9qABwD3>&F?uM=m33?9$#XUQtv4ABoS2I_ox-VnE)_K@Y6Ex z=n9kmUhnVqda(O@y|$@Qh?=E7t&Re9q*SZZLFvS2ud;<8f_#%Bb<62o+o@djn3#Di ziWLD{Eti1?fs}o6pAw4j&%-eBjp+nG56ePF)U-qWUr$xLK#h&2%|OrBvGAoth?aIO ziN}nf3TE!oSUh_Ljg15|bR9svjq!)uD4xL^Ki2d=uZ|B-w`LW$Qeh$jHj%rkW?~?5 z;b*&(wRRStuGUlDH8g$l6lqC6wCUpG)5`}{PcI)d!Ty!sWXAG=B*|73;#bj$4IbH9 zr{5|MeBqRD-R{w08YGFKO|R6{*b6*=$a3A9uh}dews5ZMLUUCIMrKF6i*rje{$W^&?-iCpw zg6n6}A~gE->=lQ8;cEQ#;^Ooi&v6<}qhQ40A1dEB}YdQ7*AsLct=XnP3mh(54MogD2@eHn~gdNNVeM{m;r^mB<*^hxWfFnaMEjc*>rx4&Q2S}YovCf_(Bko zW1{2o#!@SR0CWOiE1j!^k_iq%bgDzdWdo?XgA?H?)IzB!HMP(I!WDbORIQ=8x-pcuDqJUan;9wt7lczs#<-17Wf?&qXl5F~=Uz)FdsVTSH(=w9L#$%PiQ zLL-`yGvJUIp@7C^PyEF)z=AKpWJ#Sj?ad&Hmf}W0TH%LNtkvgX%m-0mR2hq_B_eqB zd>2gk64*~86&G`RdpjaOa@c89wZ@M)8b)S#CnkQ3kv4*%|IQ79==QysBS825#&_Ry zSWn|xOri*8S{=yTdfxL|nKv3a;*42pfKkTnB%-J`F0-22a7g%d&8T)us zpeGbfPA;Vv-uQ78F0jH3RWw;GmrYGQ{R2X_Vrbt#)%F4D3#waoj_%q4s^3wlEm-?lbPOtC`$e<*u=)(YDB_I{Rfi(t- zRtTS&A0a`Jd%rS;st1pkn&sa0*FXxJNii!&_!CJ7KyjO 
zDmPP3ic2>EB4XwPzYX|72LGgwi(lk@rPJgNO6feBPh45oES}N3Sx5`a*;jwHALN|R=SF1Q59w-iun4~(1mB&lFDqs~oA4O?raC0yqw&CUx98j&? znG)XUO${*3T!dEav+`wgIp$gkt<#{G6=9+02voGY@1rLV<1_T?{mjK zA+`WHI$2YWqvnv{IaEXrE+%9|Rk1QvEpX)gbSFQDDiE>i1E!UU*xos+jJ2i!{3V<{ zxD0>0QZb5T+T|!$(jtwKcMw8eVL)UWsG|5}#oYY>yJhcll?eo}Bs!vU$~mP+ApS;wcd(ye!@>`CclQ0A40p$=_qOKXOHWt!c(R zTN)9#6EDyz2-kmzTMqIygL#lr>EUd<9~SEmSJo}ADo30REhv<%z$sYwgy$!|D1JO5 z!HasvK)VsufA#T}xqIa={It-e+d`ie{KMx;5YN>-uo-26Br)h`cg5%Z*j@zXotRZ;*= zpGWS+MmV{OlJt$2-bV3t4rJ~3tg&E>kGRgTelSJP)v6<0S%{`a$=4v%UluB^+rPD8AD9!~whi+{XygT!m@Qy^ANy=f-! zQyvaA8Pp#(?4Qk{ufe4O0QoK23W)_y8rHXMuVukNRK~juRn`C?gBJRhYwT?Db(|w= zeqVcO>`$w1XALp3@o+({hs-zV@U#zSh!R0DDzPEn74T5mqxNgD8_qrF-zcc--)?Xa z=lPFLi8|G6G0~$096*Fa!V3hhs#V?b$@ku1XO(_L1582RKFqG(Q+S)ZQ{cp)1Ddx| ze8z}OI0c{_qs$U#qO0K*P3gbVLiiM`sgf7SZkKG zP(QWIKI>}6l-4hUHdn@ePQ_;S8;N6>-Q%bK2 zM7FkLub%xfqCI*Uj|8!{u!9DRje9O=p0bg&!W?xPE{L;_vIfk0$oNe;!ZcT{PELb|9krQU_Vd) z55E8Y$w5#5ckvWx46V8F7#S7_KD|Q^5#R!UCk}aZ{X>EtVQ>emtrXSoVVZ|_h#5($d z(qJeZIZ26`4CIeOqgeS)jxAmm`_#Q&u9BX|2=uf?VJC?W%?T0Cfxa3Tvk6t(&+1>i}lZmY$Zr60>C-@hJ#x#Tizkq?x1Lh z+ic^qTcz}>EbqYWTay}9bf!YEY(ZewN?qCxXcK8|^d;*_>doTlG>R}dP+#}D&(H$3 z%IM89qnO{Cdr*?oFMcc9lD-`M+IYr!qEtyFB(>QUwW_jyh`}ek=rSY*b(`+2tq~+a_sUaHZ&M$f7&!}y{}Q1PlNqedeUxe0&esFdG_pa!T)Ff>HdCi z|J}ut#oJW)QcKSt`AYakD`pD0W;=R8?L&YzVLqFO^B#vIK) z7>lV4Dw-r9@M8J_jaC=NFm-w_i%&}GC^@ATSJdq;^tCb$mQyT>+~&D!p9*@fo?7{OksOp_f;FRB77%L`GG5842T%b$)n`Y2L` z!ci27*fjO!7Ad&+*!C%T@k{MdJfE1NOMpL9%C5lsdMJGBUi`c$z0r>DDSl7!ojL)p zg7{;#i6dnI+RYt+-_+B-Z2vB(`Qqn)ClmnxTQNLW(^++zQEvj4Q0|Kriq$9?{fojg`r19YNK@Sm|a_bDxX zmCw^VwQoee`Xjx_Pz9H%dBP9Hrt=DnN`;Hj7&x9~6kmlJ&b@0Bi2{~*XR{6N#c4{i=7Fuw!wGFqx!QaH-d*^9%A7lS=#@ayTZ_}B4^ zS1;gS{}A+DI!w`5b0Gr%5VvK7yemHgbx+R_{Bm0VLP~%8RQzj;-;#6YH2!iCirFcX zp&tze%7)r((e@?xTA`i+;TRF8V;ZYny|}z2??UGdYzk!ZnNc{${FgKM`RToiO;L`; z_)_*pRTN3p77Mis_B(z_j>(?0^5LkwxUcDGO@@G{y#%R9H^<%Vo?V^s1{M?S}$<)+{w)9azM&D3>0!d52*15P%GFa-^<5buvw%V|`n0Y|#>+#tRBokyy?-`pA2 zSWQmjXyT1z<=^T}RA^lOVhs}%!2h^d^1Ob=s!1d2S_Y~-JNRRBy$?D17h3njvc!kg 
z7NYUjDD`0o!kXVJ6OsJR%p(IURloEK)YvJdguXY zU9JSN1g(OOwUltt=iS=V0xyN)B=xA^t1pi>{;i!iY}UWEBSgc686MWIq9VuIbu|_F z-Cb2xk>A^Gb(QR^pGTFI?7CXB+KRydUHEet=>ImZ1JV}%|Kw4z{_~Tk&z|=Bzg;|H z+v?e^3Oc|F$@lXq5u*0!HcN$=s1I8#bxy|p)sz=$La#-c5xZeZ;i;wo*_9o!9V!Rb zt`wHpM?dwM+~s3H|ApOnd-4Czo)qeTJc8Gcd-}hNXWghVvQd8pW*=h@i)Q62bnMVN zv_q4-(fQvn4^+$ffAr*W$^Y}1WGY*`h91tg4m)t$tx!k(5hRWxQXwc|}etL#1~cKAL*xcS8dV zP5H4}0I2U;P@~kXR;H3{a0l7|GrTF_1WY7UjM(7 z=R4=rO>qk(KouNbcjxxX3!TZz4=|ay14Q)NodeCe_nmWbP zTg8O-_eTEAbI05qe!4fhNv6@v8{flkoEc8qbn(_TrPRf9d=y zn7aE$^Z9@L{lU{>{pY8s66(+Y4xaCv7h(qprEYTX-v3@YZUATH$3fs-rh|X~-~M9m zB=Pje0s15*&&T7~y~Xo(wVJGe0YQ%`j1IvRB&GdS`eEVv;n+OqsZ|xi`l4L#_GH z4=4h63!|5 z(^i)F;t~81&Il0t(g3ZCjgSyrCp-jRC+U^vkO%L*i%1QPKN1*x8{nTYGxEgWJ0FT8 ze|Vms<>oK~tp-{UEu1sy9(M1iJLz=1mxB<#Q~Nz2_zAX#dvfZ+<>EOiUyHcvK8U{9 z@`FQemm@;buc2Rqrd6mTs*DUL3sNcICF@x^?+ct2T!Se8#oi*i@e)UVCfiz$QisCZ zB#EXzojbKuj29e(E2t&<0`lBgY`J&uU(PSy9mpMc&fq`C!lxVml}uxwEW^&f?)__s z5C5qA0+osENhK=Sy$u zU-~dp;FVyqvEx!-_-%?kvK&3y($Hq05oe>SuT@7Hl_AyNrhK;HKUp|d)!3Pnu-VL& z+vdL?N=&weXcfA#y{^uck5H9<6k&WqgjI zFu_+Ta>!(DnydvCJ6L7+lEFYuu0#9yQgdFhpfBhZYPIg7l>-b4j2+P#&9bJ!fr*gH z0fjzQ+HpKZY;&Qd7oRkNMi^QAkmiV);}DS7VgNZsYL$JXV%#-$cg~&E>}(ez>`V#F zX*8=Dt?1N~A95hpYVe$vXm6nVAq}1%&?j;5%*)VWH$!JgJkA1T(wUb+7euC~7?*2x zL*WUTMbiY!UQN9v91lFOLF9sz1pp@FZ0uxQGYgey&Jc&i_%FkbC4bKHIwLYaST`(OCbExD@<{D3z84131Z5vvGu9idg4}DlQpF&LH2$<67_B8fy{J@)gFOsPnupX&mvzv@Jb(ikM58xJpIn3f{ z`S<;QOfMbWsftAq--4rs7#8QYMx{fJ!gW1aLz(*#?$05N%qAZMbmD z>kP9OGj$8;dDR_6+>R_i4)fJm(*|a=F28DSfgbO(fS@j-j1M&*I-h|xH~yoiJidGh z+_xNe>W24IzVYD)5AS?9U332iju}!BCxf^QfgVLy|af1~{3XV!b1LTx|2{TbZ zoKuu)go#Bca2>LfB$;-`T>_s5>|{YNal?jW1|*&(E#x_C2V>l@60_m}QT*y_${Ggov-MqEPdj1m0a0R0DBdH#s+UGO&ZB= z26shR+zKMiTGXg#>Qu2b3lq+7BU|6-of{h&A?w}&JaJ*71b(p2sHu<;i7`Uzr6H_u=7xtfqMhD zGHf5ItJs6(xW zFtarfq}oTgAItz|B@VQiicYgLR1+$=TK1GBgXXfF$L>rJt@J96R`V-|>xlM4rRw77-vxhNgW?%0RSgwHu&sLw4tT1ZCn4zAKZ<` zlfELr5SSG_{cA7b!^nP&VD*PsyZ{TVMTF)kO|>ETYzm;5`DOVLn9I|AYuM-^pj&_Mch z{iHY2@wV2vDhiV1v|E=Cgp`l-`=t_< 
zaRU<1*2CU*(3ZznCAxN@>u*)=TWa%5sm^NH!uph^Rpxm?My7&8q-o$u#f~Jw291H)z(prDd+D zMSd-QhF61X{ALx<$CWl0V~joau?z*G)H0DVnnL6FLkb| zY)eZ|$4 zXQ=WkK)SK&uV%bYqynsgW+UBP&6vAT##H5PZ;2UlE zKOa4MTFn3Q{o{i^|HCdG%<}Yaq$N4SJOR&tbO!Bd0S1)ri@HYfoH~{CIn?Cq&MxuC zAL_ny2J9e*EZ0w%=Yi9cRkRSU(^{j-fo54aylmBy-T@0T;cEQ(C;c;9Q|Q~AA|dNJ zu7D&<*xFq-hsMv;rFLlSWIc&5DBVLdwoGzAv}0s9i6E-Z1BD@+vlplU=u;ELZ|Erz z(5XM}`Wtx3fB*DpZT>fS@cw^x@crYb2an+QgC|d)Jo=0Cv}-`Bo^SmAuUdb+Lx&HpKm z2M0a<-^Ek2{_o!>p}S13qV)ayjW>h+`hWjDTo?WN@8B_6fAm*)pV^JxV-sQwM%bwR z8!h+$lY>(J_h4bfjTE5IKZ{=gz+`1(ad2TqAO8&2+?JAVbi zx1lMgoG;~ir;_Q}4sRIXMkTnX1fHrT3f!aQij`&+U(j1K5c=eXh7f7F?y=kX>ERJ0 zMix=QN0_mb=gxuprEG_Wx3ai%zKjMfTDi*JT5GlO5=d=<23lc1Rqd%YVeMeU=<7fO zN(*Mb48jFkE=%Q`GZSX9gtQya3%~L22u1}IS%cwl8qbCz2~}33{^_E!t*|-`ane6F z@6U2A^Xg$}xBi<mXDN=H_2jqcne%MIOi4HSu}jsB5E~DwoOUj_xK|Xq%P2uG%yF zsA5O||MtGNxosO=bU*K};J6=>&R9~MrrAzrI_IiRntGe09@|as&Y3eYB+(Yv6sbc} zcHDE%f4|QQK!Pt40h*HS1en>`#sWa#0r0%PRCiXXM~}WhwO*Sl+RN!TRHxrmg&y0Q zO7t}C+IsTEu4v5%wI59i&eIg@i_T-K_(0Sbxz4@hl}A?MT7TV(q-o3OSkm-&Jgf1$ zceP)d-AQVXUv}2KMmBXp=Mco;&+70hJApKGcD4#P5Ig{Qbk`=kJSu9}J3oaz9sD zr2FDi*8+#zJu<3}*Q>PM^Lm@H*nLwo*KC^+|Ch|tZk!*tjr`w_FJJud@}OG(^W`&F z|9dCx?)+asxg7Cd>G0|&W}0+HMV1 zp&c9yUzC_Gd8;XTOk;r~!gCtYFOr)U-$%dZ%)bQM`Kh9RlKLne@lL}42rFmEEF)xz zPODhjL>t_!_gc#>7ES7Bcvm{&FZOu?%%guJ546U)Tq~~RGKp8qI&+|4C|9E$8iFiN zDui{APf%qpRJGVVZEOAu`jY=%{q-IEG4HVqSBVJAr(K-h9N3W$<;CGbQmso6U9Lir zlx9%OGbSnm04rF}pueXWh+YD%j--3^FN;cAM#cG`R6^1kh|Uc{=YEpDV5K%`q@*O zpz+HbilF^e1S!^-8lLR>K!nS=(AnJ-aO*;p!31EB#>Yn=e>iRU5kHeV$d)b!ibu@c zrWCg`#RQUhs;DsLvThXOk;*7$dFcDz%^Z-t^5aZ=N(TxjP6=euu@TVXIo*vD|Ki-c z;L2{*7nfijyJm(`L!3>_roN*mxOMJ}s2J6=(y zDvwOO3^GL;(8qLzxj9&?6iil_Ol36lul;b82A2boOy@xcv%|TK0AK@JY(&>~xR`yH z2VXu}%k9>#Bsan^t#C(7gJDiW1=-NP3h*jt-IF(`XGO#i9f1sDDlT9Fcmx{2gp!{@ z&x<5p&@6s5TgDjTN8YnUI=pl>0r?$I^uJfgjKP@!b8!$b6~ z-8R?}vgrUpXb<=%5x+c;Ay*e~D$;o4iD_>iqrFP61v&-^-tG)Nj^RycovRNQ+os2h zt>8qOf3IGqKQUPzMtYG3M&?@vX&?Uk&FLR{?&YU&FCvh^0Dc(!Je2>R2ef}rfqa!g 
zaFbXGl4*X}g20CPCG@W3caP7Plg6hol{XQ%Jj(hUq-yWCO~+fD)S4rfz{9kHW}s1! zQHhCsJu_jV*8-M*q9-)L_{I7?;kFQ8j*Ij2>J}&2Er?9IwOs{l;>y3p6wT{ax>xo!ET2Y{{6PvVN&`&YK11!rtnFh(&g0hK7~RaR%pNNT!-d6rPb7&8^W zuLxb+#%(u`jdQ>ry*BGz**>l`-(&?A1B}{@Rg&33Ff;ss@#Rwuh%5?xq#^6FiDKOY zq2Eeos41*RP^xXH(>1Lm+bWl>ML8B>;e9A%ZYPd{94ZloaJ$V?u zMn_fJ70ShL2p`)Afelt~-nnuF$SJ^h74Z)+Om5YyuDs_bSg8Y8GbznTOwEM`PUA(9 zX+O;c4eltZu>>eW4n9Enp;FAwEq_K978x*8NMWr zLR`yEw!@m8u6rs{M$1iY*p19mH^bZkQtHjr(~!xQ2b`~YSoya)|6Fd2>YwHLwhXe3 zVnkCb+ctVYcIB)ZHLRCucTDJoYRVXplV~@j>Clnfeq#@bZ<&-MBGplq8A5HIR;Ef* zxN@~zhT0+|ttfv@C9U5gf)uM+fZ7?0AvFe&XUGA|G~yg)KF0)M!9vw(S(ABY4a5Kf zDW&EN!@*S)-$a^Ln`ZQfmjLdQ(=jGve0zB8eUjOkyrUVOPj-v*O0g{8XAWVpTynW1 zrK{0Zq3sQ%{Dl?JI^r-jOeBdhuhKgrFL4(Rp+6pkt~dvCcnxT++o2bBs~O}XjbV39 zelQqewRS6JzI5SEl>VD?QYoe=n~O}*HN{hN)=BK837~cYGq#<|jb}NZHl3H&bB4>VEC0eMS?>x+uM#qFuOr8$0896hh?mH@34$Lyd0MKmavRPcjK;8@yjZj zH9L*#t#nMsZ{Cm4YvAPzc&5`Bl~9LcZ$cBX@C1OBRZ}#(oHSVJg)gLqpS6V-B{QC~ zMtk_bKv}_mJ3Bi*&7%WK`HD#i$4R;q%(kt4hU*~KR)!VO`8Qu6kOvQ1F%S7WLoN0~{xrVYh22SW~eh__{vdySKBlaifHgdHB9FAo?R2FZw zQ_5z}o7?BgmPIMbJ;s51)XDfk89rH4WW5ndOW!c^KSYnhtiCxDoMXLkW3=43dd7{o z(&N%GkmFJB>&*O#tWuocspT)pU-|o9cS(qr!cUeY4+-<(|n7{Agv!)D0vh zHtd`)qhBzZt11l@rUR2lWk`0+7B{FlCbf0foq#sl1};QRt5?oYtkxBpU5|3%!;zsjRD`{HJ|#)I5zNgC)^*I{64#sM@MP$o zoScrgp>U3a*;L`dank6+-PEl4L;Ma!m|_Sax$tl6OIXNfn>$J24a2F~I7V51!`3oW zIYWz4r4un6C*f<@TZ7iaF#~A`B1f^_JPv26@;JzK7hJL_$A{)f16w!i&+q>2(Q9M> z&&CZR12HZpb7ml?KXLk#uSaO6M`Am)f}ZY4 zH=OvFa6j5TYZ~R?6B?``iCjl%AmJ^qt?693cD>--ryPsXDVmlZptH}=> zS9S}i3Fy>yki-!cqECIl2zJGKr$d-#C>G+cIHGbB zL>wy|C(`1^SU9{b5qzimYimx3cS5{F?Awg=ETOQwV~i?JbXdb-4Tm+pDy*?RrJ9{e z4Op~YsnggQz-oCXFn}G+>A%J&AGF**{79;*Di%UTnyy+|ZR2&X$*Z|>=~A-G6Ss6F*`;(L3ORLv0#|4;(&l_~23E1LLmvfK6ia<=$V_xEgztHN}c3wx5`*iiKK& z7hdl*afK5941q}u1C{0)!^&O(x4Tze(4O~HF7|s&a?1%1D<}+@v8S0I3FLbAbN*+) zghao`$yqFzDXZR|no<6}F!y0*&&#MV=`G`#_cZl=Pl(w7{xJw-&+pqT+2(?a)j{Bp z%5DrsD7&WN5aSE2pwZ5^mM+lIg|~o%B^p#a0+fU6r?8J+3zSh_O974fB?~Oyvlwh{ znr{+_i_uz6%|;70<^ih6$v0?pZb~v&J;y#J5Gy5wXVdzQ4VhmVfLHpt?a 
zn`#o(w(hDWybxC#Ut$R?zd~pI#D!E25{beJ5y2F>z7a>EFGY}S((;$6L_{a^Lw$T;$pSw#g=UCr`8gprTwT@LaevN*!VRK@D8;0vzF`H2)!v1 zz?X4X1aLWBrW@sz5(WTX>-4>qiQsJ@MGhCa>@$q)OEZrE>YHCDT>9GjKr zn!W3>^W*qhl#JM%ABXefctCy}o_ABxQfvc>NwB_?WeB&%ugLFgG4VqF4dA{IyykhB zJ7ke?K_}m+(n>WKbmFMf!>3LUE9k^Fez`)M>_!b^8;VP%VRHM{* zGlMBltxbV`I9n)qb}j|D~ew z@{v43PN1|6Q$55&e9=5yyo0vxL1fe2D%uY^T01_@h0HC(?(Kc?$beZH55Tkcus1LS;wTAT9$s_n{Q_3eV}Vfg@Ab`bGdUAQ%6Zs!D3hER3lwQTR zA&Vi!{`Tc4f$XGZDeH=#gr*$l$-MDw20!*%b=0)*d2O+WV;;z8p39&Qv@+;gQEh{% zEeeWbv%2r*g~e-|d{Qc^;(vj69Eors@5?ZVN7v7WFNOyrq?V)a8ao__a5)zT!^5#! zMqAbyY`ad)g%@sT1;?@7UuLbIijQ~RMEBfUXC-=ptL|8cywln#Ie|_(b*V6 zWtV;iaU!Oh33dr^e^7TT{{lH=D|vu-9aYALLZgnvAd*F;r6P`8B_y(ZVdj)Mh_ z3IScW=sb)LzZIel(6o{Je-r6Ec%%aV$2>iKzp;d3xjZo_1yJYxSbWPJPRP*`;FDph&N67^qfpi9 zYVI~l3yAUoyQWClN0x6c6npr@W z#hxs!1-PE!ML#MH;5p5F!d=eM(EYHZGIRJ8fsYaqqaH`aKq{4uwsn88j1w%K|I0E+=*VkBzbwWI~9e<-C;n+Ih9c&$OPchUE|6sG_Y_aV= zOdMNh;B?}4v3)fhFSd^0vkx7|W)(hOtj|mfYjk&Pb=BmUT)f0+cRA*p!rm2Q+wm7Mw%2q$AQ z<1m;8=IV?4Vk)F(Rt+qh_KTcEW1tR<)4jQlP+39LCD3Ctu}i$lm~Gkj&gns(E2m<4 zxoLD9`3f25!}mEu0Q@q6#pHrGE*kHwu&8H+EAA^)N^S= zzgBGiu+oOw3bnb&W!T>^HpXhz;Y=*8#ou=@$Vl+TXhwwh2>);sCo}jZNHqQ4yVv96 zoq2b3Qh6hQ`jBgzc4{Ee;^(&~%kJC-F~0|jW)fH^5V<8Rr>{$c&B<9#&T^D_t01$M zvlOZ5go*x?gV_*Q;1v2>BVwswlbze+wiq^~AlWyoK;n#5CDZbwE)CzzKET_+-$(;U zpWTMW`>v@_A0IZqzg()lVelPiQhlsg+Y(IM$l7h1F}j?w>&<&lOAbBZ)X@rqUyCr9 zA@;~M`iwsv$Nw<#1~mSjYAChhM$%q0jOu3eI}4ciEQdJ z1m=~-e(Y1S#6iDdP|A4jCfU}^wh?*32@boNM=VsY2cXyzHU!QTTVnP6Hx%^X z(Xim>QWh1Zx5R}nGRh+*fy`&}Cdw!YASHSRTuGZ&N9;$}K@vv`UzYqsi&vav`1)Wb z?>+Ph1~Tv4P%87H^k8r3y~o5_VuH>GQL!96N?_?P$en<+hONir=j$646Se6IjUTaz zwzNUxDIF+CpGkA5vtY3O{xR2j`m+4HQgyO2a*y-xTtCOI(p2e3mq7%7!;2e7MRvEn z5eip({F!uhaS?nWHiRm+;G5A4wiH?8;ymUI6C+jaWdXBuQU;~?q}*u)KQ!zO!iXCF z1=7SP#0#yAO(hAEJ`@0y()A6}I3&tm!#b%ChykQ+&bUDo3IQ|=Kmq}{`m?+~y!Ong zLK)Ru_k00FOrkD%g|%ei@;dw10I`)I_L$M)^fuRM-|>cPQ}%{oI@I2IBIOBr%?q~O z6I@py=Yw@tS6y+nVcP7_{~`dz`@?Cxc=glsXV3QfyIS(8v~NvXIj*1E0O6y2h!P0- z%WizG8mWTQ_XAX7czf3ed&CA^KZgge=F`Ps`lV%2W?a$0yFM`K)CPi{(?PbBcu>J0 
z8wsir!*kcgET93;QH;j^Yv-6Wp1igcwd`~m~| zla05h$B-a$nvBP%$=GmoPM6WroG!!ZGTQq&U51e^gQf0PTmtNAz+%s_1^%%BQ|S)< z#*6A}k8Fvx!sv>Nd2eFGwGi1-+hpY@G(-}+tR0RvqZuvjiI#q44abTWPyJ-I z0&7N7+PipJIe2{~4gsB9d+c1hcIDXBaU+&aU0;QBK-ZeCrj9~3zD>sd*ftrCt=$>g zqYp4wRlKsJ{AWC-FW$qTmTDsh1mp1POhp*(R>Q^2QcEXT-CY%2w*n~i7Z3!mCh-?z zHP^pr)H@z!eZ5n3C2`xn8QW%u9jl{`la6iM+Ocgr9ox2Tvt!%dvGLFQe)G-2teH94 zYt_L%se`Ke-PiRzchSXOd^X;i8DXNywWy{@WlXvnD-Xi{VpPOB^?JlpVt-h6@8AIS zCzr84A{oEu!`=|GTsQFC#f5ektd%~@SUkx_F3gMWBdBewJSJlg4W8RLN$4cLWVmKX z;yQ)@ZL_B~f2 z7fKIsDd^)=q77nAZ&?b3Ijc1#0)DHO7tRC^k_ilk5%kTnS%pBQA51~dwm}bS4C?2% za!_QFB9`{!5FEiHX35|K*m-K^cE3DBXONdfvlM8}m7^LXrVlD59>`h z7_$p%NAJY(BN}MDAF#})GCTA;$aDX?>v_q6{+aO8u<3vaNiFhh9uGs6$+q>H#lLb1 z#XEm--ERzAC4=dPb?f;uV>oM%TjL8=_oCMA{Og5C?&}|l*ysD*4-eC=EAKBoq3*fp z9A0a#vnI8&n{`8Kia$8S`R4C~yRS$tL~EU6!%`EpxqPNMN1)5!yT^DpRT#6TKZ2=< ze&>#udwJd8gwBT$Eu(`t0Zd|bUEU}tt-qu~^6E*r<4Xs*-Mrb3cfB>-g}9h3e?maC zX~u)UaGt`~1%NbMHAQ)5T(_%35iP#~k~ih-&x2cxWhV=3ek!tnNim2YtRHsNsNLWJ~ste7EqzjbDo}o8VMr#xWf|Ao6x9rKye>Dt{SOJ#yprVsJ1te# z?ghJsVfBMeO94MEo}MdI-u@f=E9DaGpbe&8IhF{wpJk*_fn1isOnIIF@=VB0ZZ}W- zqbiV)Bm)U0=+RHDwH@|3W3{JPERK`8vQ%?(%&q3q_H|W5qQR6eV;}u`b$a zH#P1q;m1o-ZIr}{bC)gfIZvd#u+Dsx_+UCC@ARpg1_)eA+yY}ufzu^Bo~{^|opT{Rl=>aUEGzXrd0{1@%uYmBzJ;Sotq*VNwdyE7{N9WJ=`{=}w;EOZd9M z|l`P$a z7GAm*`fF{yrmM88z&tiw>JsrVG0d%&_thF`L%#5=isSmuOmz#545A9|o>K3IDlOwy zl#E{&FOe@kuX@Zt_O9=BEWI_J^?Ic6VmekI@ zZjzktC41dDue8dn&gxfm%ZmCv@ef>xP>V;$jy6`0VnBf))?Q@DY^QTxP9!n&scAnH zT<;H(%)fQ#tLjL#w_Fp@V{=Hn9$8~)+dg=Vf&6k?t8MmWCS4!G*=D{JBMEE&p|iz8xxgM4U9)*eOnrj4&keUW?(_^a1r95KGcaa6Y3Gtk%;5L(t7WnJR1 zuQ7cbeaM=rRR+jaO+nOm^y=QfBh*;=k@HV{Z<2`+tr;3`D`<)YCsdyxV3p>(K2$&E z*IWJo^LM_cKKz}pO?XMEn{ww}Y}T*G{Fj9#khcT}ry{D-TiA?X0`8B3S{O{K+}Zu3 zp=V2|-;g8#kpX43nAYBh7dIyLAfEq}d~JRn0!lW$F54`BJqC4cr{+W9csm8c0m|NN z?~h%nZ6>CQS}(uX90%JqIxp*l{1+|du6(1V5au#f(}!=g1fEJT@ZFMk|5Y!$IYg^a ztyBqtm5zxr7N1<#Ah-9I{8W_bH)AVxU}^xR(9^+zQzzns6TxILoOevZQUpQys+euB zYw6%w&7YHuBZ#Z}pL9Y!Q(1)LiE=-_1@!&>XyfcbH?{iCaS+*xIvm>Ff?klBpYVGXOq`lY>*9 
zR>~JgXzRy+Xp)`!enmgtrgqRcLHOkioJTvQjKiK@|A+b0fJI`UoOx{sxkGfZf2J0l zW6IFWf)B8gtF;b>;LXXhgxT*C?YI*=zV$vq_W{Zs<_0#5&Sgkz_^{5ZG;$LS0El2%$gBL6>1v$x%vAA&QI2XLR$Q0v2M*M$hyw}TI#-ZIh#|>m1X-mu zR{$<_ZE2qgPdnevfuLI-R0=Ied*>*tfISFr=$#d+&q%Uur6=zU){N?p#d4=P89>Ab zUSr0hIEbK+b@bJ)R=m+0tXAm@ex-e)%jes)@AeC@!kY8yW%d;alze+RT@btrr^^yG zqWtwb0Vo%lT*~bz9niZ&;2Xb)Kyx6qPK^qV2c0WTQYvm{E5Wk2L=9bO!L`s5G;kfk zQOP{14H>{g0(d#A2Ue~di}v7;yY+Jvq}mWR?|6l=A)V(ZQ43)!RhHvZmfFv{x2qzK z%|3sGIRauoAvo{pza`vNGwZ+qI3CQ@?}+7`Wy=4uXN6fJb#PuB)vl}lc?8*bQ4s;x zVnKk(qoHnrK8e1)6IBf6y942kS5wqFwKhtvyBzcg@2E$si_KWP9aa7#ieS>n)TqG} z^`_aPY^X`EQ@-p#3s$35CS+nACV|TL2loAb(1)Ig#W6%RW~K}xp${aY@ou)qOK9A4 z(Ssf37SZOE+`!EYepjzzu&1591cr)x$A>hAzHH04P$r-a`G z6)-Y^KXW-GYs}D`4OIRloH-HTo^qYPG6wXd3!*YSz@&8E+R0#*JhuK^@6vZn`lXdo z5%nU@$s@(2Vej%D_96`QgGXwz_z%+R-3=5AM~>>)180|zCwuxVA6{H}LsWn%G<*wh zD{qCBxb8piqNtYNBT}jRSrZ1rO`zXv?Ec4dOQ~%I_-nqS@_SvsL2nfA)VnzGazoA? z|JzUUS6VRN;bmIr5|EMxBy@iRTVi zXnwwB|1RK%`zw3*Bl;QXmlFpvDaqGcRSuo7@Yl(CKt>MRV|CR(ed#*T!09!lHxEcS z%0?;MqIEB)UHYBx!2neu;Znr%{d{ky+(IiTO*Ry1Hr;D3UfRIPE{Kc;!69?{E{_5h z!s4Jx^GGT}f$v*t*uZyaN1M`byP7o9A6$#>Ykb7KA{7v=s{`ShXuALFcKj(tslSse z`GDf`@9A~!vPo9ip4hWm^$tXoXc?HTT!g4mFB;jW8JebbtaJO5Li&huPIa@hn$8QI zF2nDI!+ZuVV_ipIS{+U>+31dCRsz7nzOR*h>^Xpli0DDwrRv?p+F9;aeaya~A>goy zeGJO=7u~V8U0nQOLE!kp?+0_QjDG}bsU z10UG(ak8E{SEZ9y&K3}_d3BumLvEKGMm4lwKbcupM(hui2IFCCwTk>XWA`rCKcAM) zV=^`D#E>sF#KeNMmpi6mM>31Motcf~)HH~)O6@fQ(OUe`{|to+Ag_*cc-BDx;X7I` z|LDfaVZ3Gu)8yJkeIsn<~ ziDDYJ3*hDv`bZ!I045hS9Y7$mFQ?vh=@1L9xR$JewM>BIV>}K=@SbU;$U1{!C^u-$ zH;oLt^~SVf7!bW-9n{`Kr!<>F(w_*|kJr!NgfnFSzl3v=)q@}cL1LYqCEQ8T+eyw7 z6vdq`9U1%gawBYsM{Qt=60et3IdsL=z~`Y+oo)>#hdgLB$qB>8>S&iYgP@UNVua<$IB zB(FvGm^xO=saVGU3*1bU+`IoY*@|e(N#Rx(kMHc;VO*d{ES)c@$Vy^eqyLs*6TVt; zddAj(h1!&dHrCuRv2G}e)zOd}tg+4RvLXE&E349FQ#Wa{h_NB3Ij(N3TwYoD%u2vh z`xAINW7P-4z0ZTegSP?;`3N=~Z|HTX`d=vE>~M(p&+u^}#$G5-bJ&TGrXD@gdyBUx zO*#~(Ee>%Qh_+8fo&`ZjQxa;PZTT3p(%WN0@grEnFAz2D`d?y<_uow_EU*m6X$au{ zBg}0ou#{o&<9%C?>{pCsPAH&)$n|;#N{xEl*FRLm0HhqXe&TeUMZ{KQe{=>xCc#=O 
zmiY{SBFv;sf1DJ}$(gwS@SvGveuX#{mMPEo;^FkT78@TvD?t|C4 zkp+Uc6eH^1-f~L_p2a8&)UnloVzgN~e-uGh^flf}OW46HXZGG6Zl~CL*6NoKu2{w; z5AST~f}O>f9-8b}jmxfGK`~NVb6dRG=oCqAu&2wUN5o+xr9!JNq&yorEF(H_nv{dk z-%T8TN{wTcZk_M%hu3%!)spAls>~U-GWG#o@my#^HA1^pLY^j>wT{Co)>`h2e8FHo zU~l}DBfA6gAOF-p%%OE}Jxv>oa+cUndWXWgKb5imE>zM3^{z)MydpvBgyuTf>v;o- z{)O2ZCL};~8IeIxyu(fpB-Y!=Qh2c3qm0k77DX{(%|fmdoXuyA1NM_G01}%GEIYge zG!akCqfw6pm%er{)V`@Rt?X$I#-GY@nD~{D7o)w$=S+rAk8kk&oVf`vbJgx{C7bM2 zUzqT-MQxdE#2l$d9k{iN?dit(eoMcLEydPxm0~f~fH_7kviZ7>GskP}mvufa@ z<;u$T)O`B|E`xjJDOIxFY{Vl)(F0$9w10rHqx{K6m4x|7xADm2VY!}$ zbc6_@+Pa|_;#J|?Ey;|4P3q`}^8Ej(W#g>6VGq<6n34Ol<7KvF2m(uFXL;(pXhA~O z&4@^gmF*nrj+U}-JB`TyLD_sfnfJTVqa}LPN8NW}`=36MN*z>Z1BTk+4Amu07>9IU ze}}xO#Y%f6Xk9LoHqC}Y4c zGyA<9@PM%c12dKAS=AB24@y1!w#HFsY{faNFDz$%2Uz?NL-n<2R=$>(*k=1`2s47 zCnOuCThMlB1f41`=pka8T+JBm-~{v zfYX%uJHDXP%!mz*+{c18@sA0W`Z_y1$eLrL%BZuomaFaJ>P|*KkN$=Ulp)nk7SI<< zsjK)xhaWL6(?}UQ5O6YdU02-mm!atSr(vF2j)R*nL@}*u8PV1Pc?|p2n8ph!K}0is znZ>&XsDh>h%kCuojr5O&nZWK{04Jn>hrP#ZHO54PrfFllzxnh=$g zl&_o+&2$LY&m+zXSf!mM-Tw1rh)%}c7O7oCH-;l+x0cg@I{3hvBJ_*5>L|?$`m(+l zZ$g;4)e;Zvw9W9$a&x#Amxs>AyEgWEvtC475{2wW~@UJMJQFmrzJqI{GoUb5-@@3zGb^FI!?c6ytUwmIv0>gDkT|0+sWitj#R zL6f6)H7lenPN$=pRndzeqc3bk_yw-*ML3m3<){5^Ya^Eh7H|0^(m7L{u!s8jD4ltj+h}@bGnksxghMg z2{qk`i8VhPcz;Y%QmKV(yHKl< z1Rt`8)g~M_U3Fx)gKl~THNUx$WpJF?GB`PW7!u1HLy7r@arBo+kQzDka8+Nw>)JSB zu)$dA2~R!)qL$7p0|u`v2fv4P7O=4yU-)U?upg0H&b7BheS9}M!@aYfqnR6ZDErhW z)`62<3%Xe-|gDXe>?N3T{gX-QaE_VKo}C)Qu;txECiV*GRYrzuY@1r zkjDx@b9T2|U+BUU9KSF=5M{QVRVX?%!|`?=vG(6jkjavy8(eKk6xt@F3X&KcfshET z3+I`W0r2j*t#Tfl;XMeus}XeQ^A%1fU1B1=lmCQ4I562*5yQDd9HUgyhR6P*(E9ty zU%_BAfpvDUVIq1@uu>F48HZpX5gC?VumO@GDui2)2Pw^=CF^8{k^59L;gQ*UV8S|! 
z-nLB8YLcl{iZzD~m_&kkik;d}3+>HP_w>g@N^eKTa*6ocA<|n2nN~fr4+SpQQ_amI zX|iVdZSk_k_*A3A-PNc0`LiV6M0bZkeDOc*?_cfALqzyw7oiB)iW=I%LD(Oq{h8AiN9b1$F{i1`ryd()q^hE+oPKbT3C3oYFIMB8 z|5is3?Px(3jDJngM+W)+1Bg!CITX_f5ZV2rjuF?qo<1GRBAX9#VtXPQv7Z=B!A&Sd z(RIGs<=AG}b0UUh->`rdTFVNn$pW4Fsz*TcDC_kfnyrjoSC~9C=@X<#${iyb7okSV zRJU#-rc3wKfhf?atXEN#@OQaJF!yTgzjbF%5m?km%)dBe(xuAK#P8~#VIjM z;t(`}R7eqEyeV_IL0hi}X3YoksAXr~I?SJN++s3MhXR!t-%Y?G#~|&sxi(^F(GC4cAR+rUBs(zQplRmKMx%5}gkj(_BwVyg zm2i4+PV?OxIxq@C&uQw9TkJLRZ+qrIy#V2PV3#K^-&Pv71ZC21uu|lY$5#4cM&-DR@3&uNf%aa**<)7lfn6+VQO||umB|TJE8D;3K`8=*7k(61$7!y4Km+^n= zMYe;d!JSa+GxOu)c(K^Vm(*mQD^DbtEpCj-yvq)(Bfa=_j6JF(ukk%%< z!)`714^bfYMI*10r|$g?+(GE!H%$PNYGr2Ovt)l~4r4l6fKy&o*ORs4F#~sDmHwns z_irEiQ@Fr%McY`lE-_Gf&lkvbmQ{bEs;D^x(w5PjU;i^|v!-m$vS$T-|Ikf^tKWVvs871VhQl5BfhA)6xzFEVJH_)Ila_EDWcx0-k(n zh(Of8&5DVp}9Ze%p1 zp8g0WWGb-an5*0QQo|?Dwe0m{<0f7I6*yvXNAD}6PXM9*;UPL#yomZX`#sn)3l@_d zgLY|T|9AI1Fs<`xh7zZD$Zx-uP;yZ(@yEqjn8L3=YQd%Ivf%`%QjEEyS0UQ+d+?eUEP=+G22DTEl-5X+<@h+eTD`s&kCgELILymI})?m%&Uw3kM~4<=P@) zeM;FJMsfZtF4d3xM_jU!FLL^xF8p6{DI_<^^JmIj zXy*}RLhQ|v9fZX++j&%7`<~@M<7(cQ2uQ@!FN*g?xqmsl>*qkrv68uNHVgDN9~NcrIN5Dv`NQ2y9ij_Ve5VhBAD!uP*y*P!$s%d?BH+N+-a;jO7#F?r z1jc_MvZ4t8qWRNCZWfCl5@nyh%_W-Q|1p<($8aFVImCTj2h3zldL?)Om>^PG&yY~} zloGab=Olj)?tjF}0qb^8euNzb;_ldqa9OOR8V*Wog0(eyV|AX&OE}g9si4=vXDIon zR{1o*4W2SfPMtC%IN{Pcx9t5TC7kowhedrfo6JAC2e!NKpR5a`IVPb^c#(YY`h8FQWlCUo) zmC775<6EO*I+dieX*T%)d^=545&;}LTt7d+?J%OZ_2tF-QSo|uA4`jf6s!z% z(ri@nl9&`@V~CN+Td7aI=A1+U^(A3{~Htk8eCZ~YK zO_e@pT0cSGS@P@Pu)#x9L;+aEuYB0XxelN^7%e7_Tt4>o!vd>h#MvKAisU|gi{Ewa z2%YV_1~@gQsTE8u-EMN!bf>V=JehknLQuy{w+(8Hy6@KqZ{1gnG(1&HJi`~27cjjM zrki^xFR6QY2~#SBe^hRl9-!yQpkwr65_TAUO|@KeMZdSMhGm@S0(#qIn%R!oEjnUH z#?N_RTE+;=3Z*!FIy@{go4K1SlF}#XU*$k@c&N2?XlhJ|668yMI@JNQ2I3qakEqP{ z?S32~skm$h2qlSbz6mGsYE07`hcIR9%Iq;F2lR9QSQO!s7s?VAkm?}{7x)p7046yV z-@J4ro2QaNTU7Rnul}6K7IpLOA zFv0#RpE{0fWHm!FCm+I@TtW+43LG2}=W_roZ|p4_4T}YlPEDhs7TwdcqS=Z%pKX!3 z{ubcAHx+8a{nX7Z^;*3(G4iYxUpJINDADvSsw%O3@@7jP4I)51X#ef9dU9tWUA5#+ 
zW0k5uCHH=z=dPi6`zmA^j9u{fv`AiaqZJa&!vggEd;`SuV~4w2jo~dJ^)r?rGj8vIr#8jTcXrInL&C zB(IC;A^WZ5Aq!p8`6X5(Ne7OL^aN+5I3JIo+W|-FR$235g0pQn^Xucgg#)Ze_<>mH z*NxDndq2bg=`K@<3QgTjlI!i!X2#8FMqlX7+i!fRTE;0WrZ$n9E4#Wp+A%NPhdJbO zd;JH08qL`bANF^PXQM6jt3kumX|ee>@%oUohpl&eZ>7NGB#hgv&`r76kx&Gf1tBV& zadUM6Tj&?PYH;mKThRRRb=N*pza~PSw+_LI%-?Ms5L}{)-RwY{5us$9v; zZ=SXeb890IUa`*7L{i6emI+%W@r@-WHi^TaU?fmTnANiL+3z4i;f#OX^)(#x^8w!7 zv5LSq7XFDoS*PmN7+^NeFnpng_NOUw7P@ps`-;ocq-VMljiQAx|p zgNBfQy`Pns@v{L9uOgW;zEqqlLdKxr_aGRK=OJS2M5oJr-BjFr*62nmn0SWQF#SYh z82AQPe~m1wz23@L@Zs_#3_679>cvcPo4+B5 zUKX?_{Ghxk^miBOd#lz zpk)uS6;tUWc}#Ru-B+R~uDYbp7Z1rT^#Ib@Hof_sc#u2R=);@74816#nb${ScX7_4(`g`zg8e z{H4?AglSAAVdQSb4UE}eE^Sq4XgcO=u3Ynt4-?yRS$b*Gsahsnu!Qq0;@4x zD4d|st6JaL$8p0Ko~mjI8Qww8H9UK5Y&IJt6udInIn8NgMr0 z9r@m-bOD>@V`r{O66}(qoAo`iE4&}`)|85fWLh2*5p8_wzZ4wlYapi=t5+k`E%!Ic-&b=p+iWKHbQ9% znqtXK|DaEya{~cP0>75GD=N?$(o}gGs?Ge0%tfd33qFe?IeZRfg0589Phn6oW0-f1ppw2si_!nzBYk2Q^jxVhfzcmkgQdGWT%^1IKkVC&* zXPw?_ZiB0_KaFF>3V|w*)|3caHB6<`eY#Z2WLb76K?B`ELe3?baVP13>b9f*{qg3$ P`~qK}8u$WXLIC+c2~34q literal 0 HcmV?d00001 From e7209915c0477923ab6b7f166449872594fb93a1 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Mon, 31 Jul 2023 15:44:58 +0200 Subject: [PATCH 09/11] Tweak ESO UBI images Tested the ESO upgrade on MCG on both 4.10 and 4.13 --- golang-external-secrets/values.yaml | 6 +- ...rets-industrial-edge-factory.expected.yaml | 80 +++++++++---------- ...-secrets-industrial-edge-hub.expected.yaml | 80 +++++++++---------- ...ecrets-medical-diagnosis-hub.expected.yaml | 80 +++++++++---------- ...olang-external-secrets-naked.expected.yaml | 80 +++++++++---------- ...lang-external-secrets-normal.expected.yaml | 80 +++++++++---------- 6 files changed, 188 insertions(+), 218 deletions(-) diff --git a/golang-external-secrets/values.yaml b/golang-external-secrets/values.yaml index ea7db53d..0030eda3 100644 --- a/golang-external-secrets/values.yaml +++ b/golang-external-secrets/values.yaml 
@@ -11,10 +11,10 @@ clusterGroup: external-secrets: image: - tag: v0.8.3-ubi + tag: v0.8.5-ubi webhook: image: - tag: v0.8.3-ubi + tag: v0.8.5-ubi certController: image: - tag: v0.8.3-ubi + tag: v0.8.5-ubi diff --git a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml index c1a23515..1452df28 100644 --- a/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/golang-external-secrets-industrial-edge-factory.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml 
@@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" 
@@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8031,10 +8031,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8108,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8147,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8192,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8252,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml index 7ae2a78f..f0314907 100644 --- a/tests/golang-external-secrets-industrial-edge-hub.expected.yaml 
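Review bot: The regenerated fixture shows that the 0.8.5 chart no longer renders `seccompProfile: type: RuntimeDefault` in the container securityContext of the cert-controller, controller and webhook Deployments (the hunks at 8222, 8282 and 8330 of this file), and the same drop appears in the industrial-edge-hub fixture's 8222, 8282 and 8330 hunks; the commit message attributes the change to the image tags only, so it is worth confirming the regression is intended rather than a side effect of the chart upgrade. Without an explicit profile the containers fall back to whatever the runtime or admission policy applies, which on a non-OpenShift cluster may be unconfined; the rest of the hardening (dropped capabilities, read-only rootfs, runAsNonRoot) is still rendered. If the 0.8.5 chart still exposes the containers' securityContext through its values, the profile can be pinned again from `golang-external-secrets/values.yaml` under the `external-secrets:` block, e.g. `securityContext:` / `  seccompProfile:` / `    type: RuntimeDefault` (and the matching `webhook` and `certController` keys), after which these expected files would be regenerated. The medical-diagnosis-hub, naked and normal fixtures listed in the diffstat likely carry the same change but their Deployment hunks are outside this view.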
+++ b/tests/golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8031,10 +8031,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8147,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8192,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8252,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml index 7ae2a78f..f0314907 100644 --- a/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8031,10 +8031,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8147,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8192,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8252,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-naked.expected.yaml b/tests/golang-external-secrets-naked.expected.yaml index 518bda17..063464e7 100644 --- a/tests/golang-external-secrets-naked.expected.yaml +++ b/tests/golang-external-secrets-naked.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8031,10 +8031,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8147,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8192,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8252,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/golang-external-secrets-normal.expected.yaml b/tests/golang-external-secrets-normal.expected.yaml index 7ae2a78f..f0314907 100644 --- a/tests/golang-external-secrets-normal.expected.yaml +++ b/tests/golang-external-secrets-normal.expected.yaml 
@@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml @@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- 
@@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" 
@@ -8031,10 +8031,10 @@ metadata: name: golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -8147,10 +8147,10 @@ metadata: name: golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: @@ -8192,10 +8192,10 @@ metadata: name: golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller 
@@ -8252,10 +8250,10 @@ metadata: name: golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook From 226dd33bf0d2b5488bef32f773fcdf8b8e42907c Mon Sep 17 00:00:00 2001 
From: jonny <65790298+day0hero@users.noreply.github.com> Date: Mon, 31 Jul 2023 15:30:29 -0500 Subject: [PATCH 10/11] Removed previous version of common to convert to subtree from https://github.com/hybrid-cloud-patterns/common.git main --- common/.ansible-lint | 17 - common/.github/dependabot.yml | 9 - common/.github/linters/.gitleaks.toml | 8 - common/.github/linters/.markdown-lint.yml | 6 - common/.github/workflows/ansible-lint.yml | 17 - common/.github/workflows/ansible-unittest.yml | 52 - common/.github/workflows/jsonschema.yaml | 57 - common/.github/workflows/linter.yml | 64 - common/.github/workflows/superlinter.yml | 38 - common/.gitignore | 12 - common/.gitleaks.toml | 1 - common/Changes.md | 137 - common/LICENSE | 202 - common/Makefile | 162 - common/README.md | 22 - common/acm/.helmignore | 1 - common/acm/Chart.yaml | 6 - common/acm/templates/multiclusterhub.yaml | 11 - .../templates/policies/acm-hub-ca-policy.yaml | 71 - .../policies/application-policies.yaml | 154 - .../templates/policies/ocp-gitops-policy.yaml | 82 - .../templates/provision/_install-config.tpl | 66 - .../acm/templates/provision/clusterpool.yaml | 95 - .../acm/templates/provision/secrets-aws.yaml | 84 - .../templates/provision/secrets-azure.yaml | 84 - .../templates/provision/secrets-common.yaml | 61 - common/acm/test.yaml | 35 - common/acm/values.yaml | 33 - common/ansible/ansible.cfg | 6 - .../ansible/playbooks/acm/acmhub-get-ca.yaml | 53 - .../playbooks/hello-world/hello-world.yaml | 23 - common/ansible/playbooks/iib-ci/iib-ci.yaml | 8 - common/ansible/playbooks/iib-ci/lookup.yml | 46 - common/ansible/playbooks/vault/vault.yaml | 7 - common/ansible/plugins/__init__.py | 0 .../plugins/filter/parse_acm_secrets.py | 83 - .../module_utils/load_secrets_common.py | 104 - .../plugins/module_utils/load_secrets_v1.py | 267 - .../plugins/module_utils/load_secrets_v2.py | 456 - .../plugins/modules/vault_load_secrets.py | 209 - common/ansible/roles/iib_ci/README.md | 85 - 
common/ansible/roles/iib_ci/defaults/main.yml | 17 - common/ansible/roles/iib_ci/handlers/main.yml | 2 - common/ansible/roles/iib_ci/meta/main.yml | 29 - .../iib_ci/tasks/fetch-operator-images.yml | 95 - .../iib_ci/tasks/install-iib-in-cluster.yml | 52 - common/ansible/roles/iib_ci/tasks/main.yml | 43 - .../iib_ci/tasks/mirror-related-images.yml | 226 - .../iib_ci/tasks/setup-external-registry.yml | 45 - .../iib_ci/tasks/setup-internal-registry.yml | 108 - .../iib_ci/templates/catalogSource.yaml.j2 | 9 - .../iib_ci/templates/htpasswd-oauth.yaml | 14 - .../imageContentSourcePolicy.yaml.j2 | 19 - .../templates/imageDigestMirror.yaml.j2 | 18 - .../roles/iib_ci/templates/mirror.map.j2 | 3 - common/ansible/roles/iib_ci/vars/main.yml | 2 - common/ansible/roles/vault_utils/README.md | 224 - .../roles/vault_utils/defaults/main.yml | 24 - .../roles/vault_utils/handlers/main.yml | 2 - .../ansible/roles/vault_utils/meta/main.yml | 31 - .../ansible/roles/vault_utils/tasks/main.yml | 20 - .../roles/vault_utils/tasks/pre_check.yaml | 26 - .../roles/vault_utils/tasks/push_secrets.yaml | 124 - .../roles/vault_utils/tasks/vault_init.yaml | 49 - .../vault_utils/tasks/vault_secrets_init.yaml | 99 - .../vault_utils/tasks/vault_spokes_init.yaml | 193 - .../roles/vault_utils/tasks/vault_status.yaml | 61 - .../roles/vault_utils/tasks/vault_unseal.yaml | 90 - .../ansible/roles/vault_utils/tests/inventory | 2 - .../ansible/roles/vault_utils/tests/test.yml | 6 - .../vault_utils/values-secrets.v1.schema.json | 38 - .../vault_utils/values-secrets.v2.schema.json | 305 - .../ansible/roles/vault_utils/vars/main.yml | 2 - common/ansible/tests/unit/test_ini_file.py | 56 - .../tests/unit/test_vault_load_secrets.py | 388 - .../tests/unit/test_vault_load_secrets_v2.py | 760 -- .../tests/unit/v1/mcg-values-secret.yaml | 27 - .../tests/unit/v1/template-mcg-missing.yaml | 27 - .../tests/unit/v1/template-mcg-working.yaml | 26 - .../tests/unit/v1/values-secret-broken1.yaml | 6 - 
.../tests/unit/v1/values-secret-broken2.yaml | 6 - .../tests/unit/v1/values-secret-broken3.yaml | 9 - .../unit/v1/values-secret-empty-files.yaml | 15 - .../unit/v1/values-secret-empty-secrets.yaml | 16 - .../tests/unit/v1/values-secret-fqdn.yaml | 11 - .../tests/unit/v1/values-secret-good.yaml | 36 - common/ansible/tests/unit/v2/aws-example.ini | 4 - .../tests/unit/v2/values-secret-v2-base.yaml | 38 - .../v2/values-secret-v2-defaultvp-policy.yaml | 25 - .../v2/values-secret-v2-emptyvaultprefix.yaml | 9 - .../v2/values-secret-v2-files-emptypath.yaml | 25 - ...-secret-v2-files-wrong-onmissingvalue.yaml | 26 - .../v2/values-secret-v2-files-wrongpath.yaml | 26 - .../v2/values-secret-v2-generate-base64.yaml | 21 - .../unit/v2/values-secret-v2-ini-file.yaml | 21 - ...es-secret-v2-nonexisting-backingstore.yaml | 23 - .../unit/v2/values-secret-v2-nopolicies.yaml | 24 - .../v2/values-secret-v2-novaultprefix.yaml | 8 - .../v2/values-secret-v2-onlygenerate.yaml | 33 - .../v2/values-secret-v2-same-field-names.yaml | 14 - .../values-secret-v2-same-secret-names.yaml | 20 - .../v2/values-secret-v2-secret-base64.yaml | 11 - .../v2/values-secret-v2-test-override.yaml | 28 - .../v2/values-secret-v2-wrong-ini-file.yaml | 9 - ...values-secret-v2-wrong-onmissingvalue.yaml | 20 - .../v2/values-secret-v2-wrong-override.yaml | 11 - .../values-secret-v2-wrong-vaultpolicy.yaml | 20 - common/clustergroup/.helmignore | 1 - common/clustergroup/Chart.yaml | 6 - common/clustergroup/templates/_helpers.tpl | 42 - .../templates/core/catalog-sources.yaml | 14 - .../templates/core/namespaces.yaml | 32 - .../templates/core/operatorgroup.yaml | 32 - .../templates/core/subscriptions.yaml | 73 - .../templates/imperative/_helpers.tpl | 38 - .../templates/imperative/clusterrole.yaml | 21 - .../templates/imperative/configmap.yaml | 12 - .../templates/imperative/job.yaml | 69 - .../templates/imperative/namespace.yaml | 10 - .../templates/imperative/rbac.yaml | 30 - .../templates/imperative/role.yaml | 20 - 
.../templates/imperative/serviceaccount.yaml | 10 - .../templates/imperative/unsealjob.yaml | 58 - .../templates/plumbing/applications.yaml | 207 - .../templates/plumbing/argocd-super-role.yaml | 43 - .../templates/plumbing/argocd.yaml | 151 - .../plumbing/cluster-external-secrets.yaml | 43 - .../templates/plumbing/gitops-namespace.yaml | 13 - .../templates/plumbing/hosted-sites.yaml | 172 - .../templates/plumbing/projects.yaml | 29 - common/clustergroup/test.yaml | 100 - common/clustergroup/values.schema.json | 828 -- common/clustergroup/values.yaml | 88 - common/common | 1 - common/examples/blank/Chart.yaml | 6 - common/examples/blank/templates/manifest.yaml | 4 - common/examples/blank/values.yaml | 2 - common/examples/industrial-edge-factory.yaml | 81 - common/examples/industrial-edge-hub.yaml | 210 - common/examples/kustomize-renderer/Chart.yaml | 6 - .../kustomize-renderer/environment.yaml | 34 - .../kustomize-renderer/kustomization.yaml | 5 - common/examples/kustomize-renderer/kustomize | 14 - .../templates/environment.yaml | 34 - .../examples/kustomize-renderer/values.yaml | 12 - common/examples/medical-diagnosis-hub.yaml | 228 - common/examples/secrets/values-secret.v1.yaml | 33 - common/examples/secrets/values-secret.v2.yaml | 114 - common/examples/values-example.yaml | 143 - common/golang-external-secrets/Chart.yaml | 11 - common/golang-external-secrets/README.md | 14 - .../charts/external-secrets-0.8.3.tgz | Bin 78591 -> 0 bytes .../0001-runasuser-comment-out.patch | 30 - ...ternal-secrets-hub-clusterrolebinding.yaml | 23 - ...lang-external-secrets-hub-secretstore.yaml | 38 - .../update-helm-dependency.sh | 29 - common/golang-external-secrets/values.yaml | 20 - common/hashicorp-vault/Chart.yaml | 10 - common/hashicorp-vault/README.md | 31 - .../hashicorp-vault/charts/vault-0.24.1.tgz | Bin 45763 -> 0 bytes .../0001-patch-server-route.patch | 28 - .../0002-Allow-per-service-annotations.patch | 310 - .../hashicorp-vault/templates/vault-app.yaml | 12 - 
.../hashicorp-vault/update-helm-dependency.sh | 29 - common/hashicorp-vault/values.yaml | 52 - common/letsencrypt/.helmignore | 23 - common/letsencrypt/Chart.yaml | 16 - common/letsencrypt/README.md | 68 - common/letsencrypt/templates/api-cert.yaml | 28 - .../templates/cert-manager-installation.yaml | 38 - .../templates/credentials-request.yaml | 24 - .../letsencrypt/templates/default-routes.yaml | 46 - common/letsencrypt/templates/issuer.yaml | 25 - common/letsencrypt/templates/namespaces.yaml | 20 - .../letsencrypt/templates/wildcard-cert.yaml | 28 - common/letsencrypt/values.yaml | 60 - common/operator-install/Chart.yaml | 6 - ...ops.hybrid-cloud-patterns.io_patterns.yaml | 192 - .../operator-install/templates/pattern.yaml | 20 - .../templates/subscription.yaml | 13 - common/operator-install/values.yaml | 14 - common/reference-output.yaml | 119 - common/scripts/lint.sh | 18 - common/scripts/make_common_subtree.sh | 76 - common/scripts/pattern-util.sh | 45 - common/scripts/test.sh | 129 - common/scripts/vault-utils.sh | 31 - .../acm-industrial-edge-factory.expected.yaml | 102 - .../acm-industrial-edge-hub.expected.yaml | 307 - .../acm-medical-diagnosis-hub.expected.yaml | 298 - common/tests/acm-naked.expected.yaml | 103 - common/tests/acm-normal.expected.yaml | 795 -- common/tests/acm.expected.diff | 651 -- ...roup-industrial-edge-factory.expected.yaml | 684 -- ...tergroup-industrial-edge-hub.expected.yaml | 1437 --- ...rgroup-medical-diagnosis-hub.expected.yaml | 1551 --- common/tests/clustergroup-naked.expected.yaml | 406 - .../tests/clustergroup-normal.expected.yaml | 1056 -- common/tests/clustergroup.expected.diff | 381 - ...rets-industrial-edge-factory.expected.yaml | 8461 ----------------- ...-secrets-industrial-edge-hub.expected.yaml | 8461 ----------------- ...ecrets-medical-diagnosis-hub.expected.yaml | 8461 ----------------- ...olang-external-secrets-naked.expected.yaml | 8461 ----------------- ...lang-external-secrets-normal.expected.yaml | 8461 
----------------- .../golang-external-secrets.expected.diff | 11 - ...ault-industrial-edge-factory.expected.yaml | 408 - ...rp-vault-industrial-edge-hub.expected.yaml | 408 - ...-vault-medical-diagnosis-hub.expected.yaml | 408 - .../tests/hashicorp-vault-naked.expected.yaml | 408 - .../hashicorp-vault-normal.expected.yaml | 408 - common/tests/hashicorp-vault.expected.diff | 11 - ...tall-industrial-edge-factory.expected.yaml | 66 - .../install-industrial-edge-hub.expected.yaml | 66 - ...nstall-medical-diagnosis-hub.expected.yaml | 66 - ...rypt-industrial-edge-factory.expected.yaml | 202 - ...sencrypt-industrial-edge-hub.expected.yaml | 202 - ...ncrypt-medical-diagnosis-hub.expected.yaml | 202 - common/tests/letsencrypt-naked.expected.yaml | 202 - common/tests/letsencrypt-normal.expected.yaml | 202 - ...tall-industrial-edge-factory.expected.yaml | 30 - ...-install-industrial-edge-hub.expected.yaml | 30 - ...nstall-medical-diagnosis-hub.expected.yaml | 30 - .../operator-install-naked.expected.yaml | 30 - .../operator-install-normal.expected.yaml | 30 - common/tests/operator-install.expected.diff | 11 - common/values-global.yaml | 17 - 226 files changed, 64980 deletions(-) delete mode 100644 common/.ansible-lint delete mode 100644 common/.github/dependabot.yml delete mode 100644 common/.github/linters/.gitleaks.toml delete mode 100644 common/.github/linters/.markdown-lint.yml delete mode 100644 common/.github/workflows/ansible-lint.yml delete mode 100644 common/.github/workflows/ansible-unittest.yml delete mode 100644 common/.github/workflows/jsonschema.yaml delete mode 100644 common/.github/workflows/linter.yml delete mode 100644 common/.github/workflows/superlinter.yml delete mode 100644 common/.gitignore delete mode 120000 common/.gitleaks.toml delete mode 100644 common/Changes.md delete mode 100644 common/LICENSE delete mode 100644 common/Makefile delete mode 100644 common/README.md delete mode 100644 common/acm/.helmignore delete mode 100644 common/acm/Chart.yaml 
delete mode 100644 common/acm/templates/multiclusterhub.yaml delete mode 100644 common/acm/templates/policies/acm-hub-ca-policy.yaml delete mode 100644 common/acm/templates/policies/application-policies.yaml delete mode 100644 common/acm/templates/policies/ocp-gitops-policy.yaml delete mode 100644 common/acm/templates/provision/_install-config.tpl delete mode 100644 common/acm/templates/provision/clusterpool.yaml delete mode 100644 common/acm/templates/provision/secrets-aws.yaml delete mode 100644 common/acm/templates/provision/secrets-azure.yaml delete mode 100644 common/acm/templates/provision/secrets-common.yaml delete mode 100644 common/acm/test.yaml delete mode 100644 common/acm/values.yaml delete mode 100644 common/ansible/ansible.cfg delete mode 100644 common/ansible/playbooks/acm/acmhub-get-ca.yaml delete mode 100644 common/ansible/playbooks/hello-world/hello-world.yaml delete mode 100644 common/ansible/playbooks/iib-ci/iib-ci.yaml delete mode 100644 common/ansible/playbooks/iib-ci/lookup.yml delete mode 100644 common/ansible/playbooks/vault/vault.yaml delete mode 100644 common/ansible/plugins/__init__.py delete mode 100644 common/ansible/plugins/filter/parse_acm_secrets.py delete mode 100644 common/ansible/plugins/module_utils/load_secrets_common.py delete mode 100644 common/ansible/plugins/module_utils/load_secrets_v1.py delete mode 100644 common/ansible/plugins/module_utils/load_secrets_v2.py delete mode 100644 common/ansible/plugins/modules/vault_load_secrets.py delete mode 100644 common/ansible/roles/iib_ci/README.md delete mode 100644 common/ansible/roles/iib_ci/defaults/main.yml delete mode 100644 common/ansible/roles/iib_ci/handlers/main.yml delete mode 100644 common/ansible/roles/iib_ci/meta/main.yml delete mode 100644 common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml delete mode 100644 common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml delete mode 100644 common/ansible/roles/iib_ci/tasks/main.yml delete mode 100644 
common/ansible/roles/iib_ci/tasks/mirror-related-images.yml delete mode 100644 common/ansible/roles/iib_ci/tasks/setup-external-registry.yml delete mode 100644 common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml delete mode 100644 common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 delete mode 100644 common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml delete mode 100644 common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 delete mode 100644 common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 delete mode 100644 common/ansible/roles/iib_ci/templates/mirror.map.j2 delete mode 100644 common/ansible/roles/iib_ci/vars/main.yml delete mode 100644 common/ansible/roles/vault_utils/README.md delete mode 100644 common/ansible/roles/vault_utils/defaults/main.yml delete mode 100644 common/ansible/roles/vault_utils/handlers/main.yml delete mode 100644 common/ansible/roles/vault_utils/meta/main.yml delete mode 100644 common/ansible/roles/vault_utils/tasks/main.yml delete mode 100644 common/ansible/roles/vault_utils/tasks/pre_check.yaml delete mode 100644 common/ansible/roles/vault_utils/tasks/push_secrets.yaml delete mode 100644 common/ansible/roles/vault_utils/tasks/vault_init.yaml delete mode 100644 common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml delete mode 100644 common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml delete mode 100644 common/ansible/roles/vault_utils/tasks/vault_status.yaml delete mode 100644 common/ansible/roles/vault_utils/tasks/vault_unseal.yaml delete mode 100644 common/ansible/roles/vault_utils/tests/inventory delete mode 100644 common/ansible/roles/vault_utils/tests/test.yml delete mode 100644 common/ansible/roles/vault_utils/values-secrets.v1.schema.json delete mode 100644 common/ansible/roles/vault_utils/values-secrets.v2.schema.json delete mode 100644 common/ansible/roles/vault_utils/vars/main.yml delete mode 100644 common/ansible/tests/unit/test_ini_file.py delete mode 
100644 common/ansible/tests/unit/test_vault_load_secrets.py delete mode 100644 common/ansible/tests/unit/test_vault_load_secrets_v2.py delete mode 100644 common/ansible/tests/unit/v1/mcg-values-secret.yaml delete mode 100644 common/ansible/tests/unit/v1/template-mcg-missing.yaml delete mode 100644 common/ansible/tests/unit/v1/template-mcg-working.yaml delete mode 100644 common/ansible/tests/unit/v1/values-secret-broken1.yaml delete mode 100644 common/ansible/tests/unit/v1/values-secret-broken2.yaml delete mode 100644 common/ansible/tests/unit/v1/values-secret-broken3.yaml delete mode 100644 common/ansible/tests/unit/v1/values-secret-empty-files.yaml delete mode 100644 common/ansible/tests/unit/v1/values-secret-empty-secrets.yaml delete mode 100644 common/ansible/tests/unit/v1/values-secret-fqdn.yaml delete mode 100644 common/ansible/tests/unit/v1/values-secret-good.yaml delete mode 100644 common/ansible/tests/unit/v2/aws-example.ini delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-base.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-defaultvp-policy.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-emptyvaultprefix.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-files-emptypath.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-files-wrong-onmissingvalue.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-files-wrongpath.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-generate-base64.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-ini-file.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-nonexisting-backingstore.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-nopolicies.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-novaultprefix.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-onlygenerate.yaml delete mode 100644 
common/ansible/tests/unit/v2/values-secret-v2-same-field-names.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-same-secret-names.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-secret-base64.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-test-override.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-wrong-ini-file.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-wrong-onmissingvalue.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-wrong-override.yaml delete mode 100644 common/ansible/tests/unit/v2/values-secret-v2-wrong-vaultpolicy.yaml delete mode 100644 common/clustergroup/.helmignore delete mode 100644 common/clustergroup/Chart.yaml delete mode 100644 common/clustergroup/templates/_helpers.tpl delete mode 100644 common/clustergroup/templates/core/catalog-sources.yaml delete mode 100644 common/clustergroup/templates/core/namespaces.yaml delete mode 100644 common/clustergroup/templates/core/operatorgroup.yaml delete mode 100644 common/clustergroup/templates/core/subscriptions.yaml delete mode 100644 common/clustergroup/templates/imperative/_helpers.tpl delete mode 100644 common/clustergroup/templates/imperative/clusterrole.yaml delete mode 100644 common/clustergroup/templates/imperative/configmap.yaml delete mode 100644 common/clustergroup/templates/imperative/job.yaml delete mode 100644 common/clustergroup/templates/imperative/namespace.yaml delete mode 100644 common/clustergroup/templates/imperative/rbac.yaml delete mode 100644 common/clustergroup/templates/imperative/role.yaml delete mode 100644 common/clustergroup/templates/imperative/serviceaccount.yaml delete mode 100644 common/clustergroup/templates/imperative/unsealjob.yaml delete mode 100644 common/clustergroup/templates/plumbing/applications.yaml delete mode 100644 common/clustergroup/templates/plumbing/argocd-super-role.yaml delete mode 100644 
common/clustergroup/templates/plumbing/argocd.yaml delete mode 100644 common/clustergroup/templates/plumbing/cluster-external-secrets.yaml delete mode 100644 common/clustergroup/templates/plumbing/gitops-namespace.yaml delete mode 100644 common/clustergroup/templates/plumbing/hosted-sites.yaml delete mode 100644 common/clustergroup/templates/plumbing/projects.yaml delete mode 100644 common/clustergroup/test.yaml delete mode 100644 common/clustergroup/values.schema.json delete mode 100644 common/clustergroup/values.yaml delete mode 120000 common/common delete mode 100644 common/examples/blank/Chart.yaml delete mode 100644 common/examples/blank/templates/manifest.yaml delete mode 100644 common/examples/blank/values.yaml delete mode 100644 common/examples/industrial-edge-factory.yaml delete mode 100644 common/examples/industrial-edge-hub.yaml delete mode 100644 common/examples/kustomize-renderer/Chart.yaml delete mode 100644 common/examples/kustomize-renderer/environment.yaml delete mode 100644 common/examples/kustomize-renderer/kustomization.yaml delete mode 100755 common/examples/kustomize-renderer/kustomize delete mode 100644 common/examples/kustomize-renderer/templates/environment.yaml delete mode 100644 common/examples/kustomize-renderer/values.yaml delete mode 100644 common/examples/medical-diagnosis-hub.yaml delete mode 100644 common/examples/secrets/values-secret.v1.yaml delete mode 100644 common/examples/secrets/values-secret.v2.yaml delete mode 100644 common/examples/values-example.yaml delete mode 100644 common/golang-external-secrets/Chart.yaml delete mode 100644 common/golang-external-secrets/README.md delete mode 100644 common/golang-external-secrets/charts/external-secrets-0.8.3.tgz delete mode 100644 common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch delete mode 100644 common/golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml delete mode 100644 
common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml delete mode 100755 common/golang-external-secrets/update-helm-dependency.sh delete mode 100644 common/golang-external-secrets/values.yaml delete mode 100644 common/hashicorp-vault/Chart.yaml delete mode 100644 common/hashicorp-vault/README.md delete mode 100644 common/hashicorp-vault/charts/vault-0.24.1.tgz delete mode 100644 common/hashicorp-vault/local-patches/0001-patch-server-route.patch delete mode 100644 common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch delete mode 100644 common/hashicorp-vault/templates/vault-app.yaml delete mode 100755 common/hashicorp-vault/update-helm-dependency.sh delete mode 100644 common/hashicorp-vault/values.yaml delete mode 100644 common/letsencrypt/.helmignore delete mode 100644 common/letsencrypt/Chart.yaml delete mode 100644 common/letsencrypt/README.md delete mode 100644 common/letsencrypt/templates/api-cert.yaml delete mode 100644 common/letsencrypt/templates/cert-manager-installation.yaml delete mode 100644 common/letsencrypt/templates/credentials-request.yaml delete mode 100644 common/letsencrypt/templates/default-routes.yaml delete mode 100644 common/letsencrypt/templates/issuer.yaml delete mode 100644 common/letsencrypt/templates/namespaces.yaml delete mode 100644 common/letsencrypt/templates/wildcard-cert.yaml delete mode 100644 common/letsencrypt/values.yaml delete mode 100644 common/operator-install/Chart.yaml delete mode 100644 common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml delete mode 100644 common/operator-install/templates/pattern.yaml delete mode 100644 common/operator-install/templates/subscription.yaml delete mode 100644 common/operator-install/values.yaml delete mode 100644 common/reference-output.yaml delete mode 100755 common/scripts/lint.sh delete mode 100755 common/scripts/make_common_subtree.sh delete mode 100755 common/scripts/pattern-util.sh delete mode 100755 
common/scripts/test.sh delete mode 100755 common/scripts/vault-utils.sh delete mode 100644 common/tests/acm-industrial-edge-factory.expected.yaml delete mode 100644 common/tests/acm-industrial-edge-hub.expected.yaml delete mode 100644 common/tests/acm-medical-diagnosis-hub.expected.yaml delete mode 100644 common/tests/acm-naked.expected.yaml delete mode 100644 common/tests/acm-normal.expected.yaml delete mode 100644 common/tests/acm.expected.diff delete mode 100644 common/tests/clustergroup-industrial-edge-factory.expected.yaml delete mode 100644 common/tests/clustergroup-industrial-edge-hub.expected.yaml delete mode 100644 common/tests/clustergroup-medical-diagnosis-hub.expected.yaml delete mode 100644 common/tests/clustergroup-naked.expected.yaml delete mode 100644 common/tests/clustergroup-normal.expected.yaml delete mode 100644 common/tests/clustergroup.expected.diff delete mode 100644 common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml delete mode 100644 common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml delete mode 100644 common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml delete mode 100644 common/tests/golang-external-secrets-naked.expected.yaml delete mode 100644 common/tests/golang-external-secrets-normal.expected.yaml delete mode 100644 common/tests/golang-external-secrets.expected.diff delete mode 100644 common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml delete mode 100644 common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml delete mode 100644 common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml delete mode 100644 common/tests/hashicorp-vault-naked.expected.yaml delete mode 100644 common/tests/hashicorp-vault-normal.expected.yaml delete mode 100644 common/tests/hashicorp-vault.expected.diff delete mode 100644 common/tests/install-industrial-edge-factory.expected.yaml delete mode 100644 common/tests/install-industrial-edge-hub.expected.yaml delete mode 
100644 common/tests/install-medical-diagnosis-hub.expected.yaml
delete mode 100644 common/tests/letsencrypt-industrial-edge-factory.expected.yaml
delete mode 100644 common/tests/letsencrypt-industrial-edge-hub.expected.yaml
delete mode 100644 common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml
delete mode 100644 common/tests/letsencrypt-naked.expected.yaml
delete mode 100644 common/tests/letsencrypt-normal.expected.yaml
delete mode 100644 common/tests/operator-install-industrial-edge-factory.expected.yaml
delete mode 100644 common/tests/operator-install-industrial-edge-hub.expected.yaml
delete mode 100644 common/tests/operator-install-medical-diagnosis-hub.expected.yaml
delete mode 100644 common/tests/operator-install-naked.expected.yaml
delete mode 100644 common/tests/operator-install-normal.expected.yaml
delete mode 100644 common/tests/operator-install.expected.diff
delete mode 100644 common/values-global.yaml
diff --git a/common/.ansible-lint b/common/.ansible-lint
deleted file mode 100644
index 353222eb..00000000
--- a/common/.ansible-lint
+++ /dev/null
@@ -1,17 +0,0 @@
-# Vim filetype=yaml
----
-offline: false
-skip_list:
-  - name[template] # Allow Jinja templating inside task and play names
-  - template-instead-of-copy # Templated files should use template instead of copy
-  - yaml[line-length] # too long lines
-  - yaml[indentation] # Forcing lists to be always indented by 2 chars is silly IMO
-  - var-naming[no-role-prefix] # This would be too much churn for very little gain
-  - no-changed-when
-  - var-naming[no-role-prefix] # There are too many changes now and it would be too risky
-
-# ansible-lint gh workflow cannot find ansible.cfg hence fails to import vault_utils role
-exclude_paths:
-  - ./ansible/playbooks/vault/vault.yaml
-  - ./ansible/playbooks/iib-ci/iib-ci.yaml
-  - ./ansible/roles/vault_utils/tests/test.yml
diff --git a/common/.github/dependabot.yml b/common/.github/dependabot.yml
deleted file mode 100644
index a175e666..00000000
--- a/common/.github/dependabot.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-version: 2
-updates:
-  # Check for updates to GitHub Actions every week
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-
diff --git a/common/.github/linters/.gitleaks.toml b/common/.github/linters/.gitleaks.toml
deleted file mode 100644
index b80cdc04..00000000
--- a/common/.github/linters/.gitleaks.toml
+++ /dev/null
@@ -1,8 +0,0 @@
-[whitelist]
-# As of v4, gitleaks only matches against filename, not path in the
-# files directive. Leaving content for backwards compatibility.
-files = [
-  "ansible/plugins/modules/*.py",
-  "ansible/tests/unit/test_*.py",
-  "ansible/tests/unit/v1/*.yaml",
-]
diff --git a/common/.github/linters/.markdown-lint.yml b/common/.github/linters/.markdown-lint.yml
deleted file mode 100644
index a0bc47d1..00000000
--- a/common/.github/linters/.markdown-lint.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-{
-  "default": true,
-  "MD003": false,
-  "MD013": false,
-  "MD033": false
-}
\ No newline at end of file
diff --git a/common/.github/workflows/ansible-lint.yml b/common/.github/workflows/ansible-lint.yml
deleted file mode 100644
index 1bf2f7dd..00000000
--- a/common/.github/workflows/ansible-lint.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-name: Ansible Lint # feel free to pick your own name
-
-on: [push, pull_request]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-      # Important: This sets up your GITHUB_WORKSPACE environment variable
-      - uses: actions/checkout@v3
-
-      - name: Lint Ansible Playbook
-        uses: ansible/ansible-lint-action@v6
-        # Let's point it to the path
-        with:
-          path: "ansible/"
diff --git a/common/.github/workflows/ansible-unittest.yml b/common/.github/workflows/ansible-unittest.yml
deleted file mode 100644
index af326b66..00000000
--- a/common/.github/workflows/ansible-unittest.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-name: Ansible unit tests
-
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
-#############################
-# Start the job on all push #
-#############################
-on: [push, pull_request]
-
-###############
-# Set the Job #
-###############
-jobs:
-  ansible_unittests:
-    # Name the Job
-    name: Ansible unit tests
-    strategy:
-      matrix:
-        python-version: [3.11.3]
-    # Set the agent to run on
-    runs-on: ubuntu-latest
-
-    ##################
-    # Load all steps #
-    ##################
-    steps:
-      ##########################
-      # Checkout the code base #
-      ##########################
-      - name: Checkout Code
-        uses: actions/checkout@v3
-        with:
-          # Full git history is needed to get a proper list of changed files within `super-linter`
-          fetch-depth: 0
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install pytest ansible
-
-      - name: Run make ansible-unittest
-        run: |
-          make ansible-unittest
diff --git a/common/.github/workflows/jsonschema.yaml b/common/.github/workflows/jsonschema.yaml
deleted file mode 100644
index a0c60c11..00000000
--- a/common/.github/workflows/jsonschema.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-name: Verify json schema
-
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
-#############################
-# Start the job on all push #
-#############################
-on: [push, pull_request]
-
-###############
-# Set the Job #
-###############
-jobs:
-  jsonschema_tests:
-    # Name the Job
-    name: Json Schema tests
-    strategy:
-      matrix:
-        python-version: [3.11.3]
-    # Set the agent to run on
-    runs-on: ubuntu-latest
-
-    ##################
-    # Load all steps #
-    ##################
-    steps:
-      ##########################
-      # Checkout the code base #
-      ##########################
-      - name: Checkout Code
-        uses: actions/checkout@v3
-        with:
-          # Full git history is needed to get a proper list of changed files within `super-linter`
-          fetch-depth: 0
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install check-jsonschema
-
-      - name: Verify secrets json schema
-        run: |
-          check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v1.schema.json examples/secrets/values-secret.v1.yaml
-          check-jsonschema --schemafile ./ansible/roles/vault_utils/values-secrets.v2.schema.json examples/secrets/values-secret.v2.yaml
-
-      - name: Verify ClusterGroup values.schema.json
-        run: |
-          set -e; for i in examples/*yaml; do echo "$i"; check-jsonschema --schemafile ./clustergroup/values.schema.json "$i"; done
diff --git a/common/.github/workflows/linter.yml b/common/.github/workflows/linter.yml
deleted file mode 100644
index 28c3944d..00000000
--- a/common/.github/workflows/linter.yml
+++ /dev/null
@@ -1,64 +0,0 @@
----
-name: Unit test common
-
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
-#############################
-# Start the job on all push #
-#############################
-on: [push, pull_request]
-
-###############
-# Set the Job #
-###############
-jobs:
-  build:
-    # Name the Job
-    name: Unit common/ Code Base
-    # Set the agent to run on
-    runs-on: ubuntu-latest
-
-    ##################
-    # Load all steps #
-    ##################
-    steps:
-      ##########################
-      # Checkout the code base #
-      ##########################
-      - name: Checkout Code
-        uses: actions/checkout@v3
-        with:
-          # Full git history is needed to get a proper list of changed files within `super-linter`
-          fetch-depth: 0
-      - name: Setup helm
-        uses: azure/setup-helm@v3
-        # with:
-        # version: '' # default is latest stable
-        id: install
-
-      ################################
-      # Run Linter against code base #
-      ################################
-      # - name: Lint Code Base
-      # uses: github/super-linter@v4
-      # env:
-      # VALIDATE_ALL_CODEBASE: false
-      # DEFAULT_BRANCH: main
-      # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run make test
-        run: |
-          make test
-
-      - name: Run make helmlint
-        run: |
-          make helmlint
-
-      - name: Run make helm kubeconform
-        run: |
-          curl -L -O https://github.com/yannh/kubeconform/releases/download/v0.4.13/kubeconform-linux-amd64.tar.gz
-          tar xf kubeconform-linux-amd64.tar.gz
-          sudo mv -v kubeconform /usr/local/bin
-          make kubeconform
diff --git a/common/.github/workflows/superlinter.yml b/common/.github/workflows/superlinter.yml
deleted file mode 100644
index 30cb00a8..00000000
--- a/common/.github/workflows/superlinter.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-name: Super linter
-
-on: [push, pull_request]
-
-jobs:
-  build:
-    # Name the Job
-    name: Super linter
-    # Set the agent to run on
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v3
-        with:
-          # Full git history is needed to get a proper list of changed files within `super-linter`
-          fetch-depth: 0
-
-      ################################
-      # Run Linter against code base #
-      ################################
-      - name: Lint Code Base
-        uses: github/super-linter/slim@v5
-        env:
-          VALIDATE_ALL_CODEBASE: true
-          DEFAULT_BRANCH: main
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # These are the validation we disable atm
-          VALIDATE_ANSIBLE: false
-          VALIDATE_BASH: false
-          VALIDATE_JSCPD: false
-          VALIDATE_KUBERNETES_KUBECONFORM: false
-          VALIDATE_YAML: false
-          # VALIDATE_DOCKERFILE_HADOLINT: false
-          # VALIDATE_MARKDOWN: false
-          # VALIDATE_NATURAL_LANGUAGE: false
-          # VALIDATE_TEKTON: false
diff --git a/common/.gitignore b/common/.gitignore
deleted file mode 100644
index 9e5051a8..00000000
--- a/common/.gitignore
+++ /dev/null
@@ -1,12 +0,0 @@
-__pycache__/
-*.py[cod]
-*~
-*.swp
-*.swo
-values-secret.yaml
-.*.expected.yaml
-pattern-vault.init
-pattern-vault.init.bak
-super-linter.log
-golang-external-secrets/Chart.lock
-hashicorp-vault/Chart.lock
diff --git a/common/.gitleaks.toml b/common/.gitleaks.toml
deleted file mode 120000
index c05303b9..00000000
--- a/common/.gitleaks.toml
+++ /dev/null
@@ -1 +0,0 @@
-.github/linters/.gitleaks.toml
\ No newline at end of file
diff --git a/common/Changes.md b/common/Changes.md
deleted file mode 100644
index 0e1e8c47..00000000
--- a/common/Changes.md
+++ /dev/null
@@ -1,137 +0,0 @@
-# Changes
-
-## Jul 8, 2023
-
-* Introduced a default of 20 for sync failures retries in argo applications (global override via global.options.applicationRetryLimit
-  and per-app override via .syncPolicy)
-
-## May 22, 2023
-
-* Upgraded ESO to 0.8.2
-* *Important* we now use the newly blessed sso config for argo. This means that gitops < 1.8 are *unsupported*
-
-## May 18, 2023
-
-* Introduce a EXTRA_HELM_OPTS env variable that will be passed to the helm invocations
-
-## April 21, 2023
-
-* Added labels and annotation support to namespaces.yaml template
-
-## Apr 11, 2023
-
-* Apply the ACM ocp-gitops-policy everywhere but the hub
-
-## Apr 7, 2023
-
-* Moved to gitops-1.8 channel by default (stable is unmaintained and will be dropped starting with ocp-4.13)
-
-## March 20, 2023
-
-* Upgraded ESO to 0.8.1
-
-## February 9, 2023
-
-* Add support for /values-.yaml and for /values--.yaml
-
-## January 29, 2023
-
-* Stop extracting the HUB's CA via an imperative job running on the imported cluster.
-  Just use ACM to push the HUB's CA out to the managed clusters.
-
-## January 23, 2023
-
-* Add initial support for running ESO on ACM-imported clusters
-
-## January 18, 2023
-
-* Add validate-schema target
-
-## January 13, 2023
-
-* Simplify the secrets paths when using argo hosted sites
-
-## January 10, 2023
-
-* vaultPrefixes is now optional in the v2 secret spec and defaults to ["hub"]
-
-## December 9, 2022
-
-* Dropped insecureUnsealVaultInsideCluster (and file_unseal) entirely. Now
-  vault is always unsealed via a cronjob in the cluster. It is recommended to
-  store the imperative/vaultkeys secret offline securely and then delete it.
-
-## December 8, 2022
-
-* Removed the legacy installation targets:
-  `deploy upgrade legacy-deploy legacy-upgrade`
-  Patterns must now use the operator-based installation
-
-## November 29, 2022
-
-* Upgraded vault-helm to 0.23.0
-* Enable vault-ssl by default
-
-## November 22, 2022
-
-* Implemented a new format for the values-secret.yaml. Example can be found in examples/ folder
-* Now the order of values-secret file lookup is the following:
-  1. ~/values-secret-.yaml
-  2. ~/values-secret.yaml
-  3. /values-secret.yaml.template
-* Add support for ansible vault encrypted values-secret files. You can now encrypt your values-secret file
-  at rest with `ansible-vault encrypt ~/values-secret.yaml`. When running `make load-secrets` if an encrypted
-  file is encountered the user will be prompted automatically for the password to decrypt it.
-
-## November 6, 2022
-
-* Add support for /values--.yaml (e.g. /values-AWS-group-one.yaml)
-
-## October 28, 2022
-
-* Updated vault helm chart to v0.22.1 and vault containers to 1.12.0
-
-## October 25, 2022
-
-* Updated External Secrets Operator to v0.6.0
-* Moved to -UBI based ESO containers
-
-## October 13, 2022
-
-* Added global.clusterVersion as a new helm variable which represents the OCP
-  Major.Minor cluster version. By default now a user can add a
-  values--.yaml file to have specific cluster version
-  overrides (e.g. values-4.10-hub.yaml). Will need Validated Patterns Operator >= 0.0.6
-  when deploying with the operator. Note: When using the ArgoCD Hub and spoke model,
-  you cannot have spokes with a different version of OCP than the hub.
-
-## October 4, 2022
-
-* Extended the values-secret.yaml file to support multiple vault paths and re-wrote
-  the push_secrets feature as python module plugin. This requires the following line
-  in a pattern's ansible.cfg's '[defaults]' stanza:
-
-  `library=~/.ansible/plugins/modules:./ansible/plugins/modules:./common/ansible/plugins/modules:/usr/share/ansible/plugins/modules`
-
-## October 3, 2022
-
-* Restore the ability to install a non-default site: `make TARGET_SITE=mysite install`
-* Revised tests (new output and filenames, requires adding new result files to git)
-* ACM 2.6 required for ACM-based managed sites
-* Introduced global.clusterDomain template variable (without the `apps.` prefix)
-* Removed the ability to send specific charts to another cluster, use hosted argo sites instead
-* Added the ability to have the hub host `values-{site}.yaml` for spoke clusters.
-
-  The following example would deploy the namespaces, subscriptions, and
-  applications defined in `values-group-one.yaml` to the `perth` cluster
-  directly from ArgoCD on the hub.
-
-  ```yaml
-  managedClusterGroups:
-  - name: group-one
-    hostedArgoSites:
-    - name: perth
-      domain: perth1.beekhof.net
-      bearerKeyPath: secret/data/hub/cluster_perth
-      caKeyPath: secret/data/hub/cluster_perth_ca
-  ```
diff --git a/common/LICENSE b/common/LICENSE
deleted file mode 100644
index d6456956..00000000
--- a/common/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/common/Makefile b/common/Makefile deleted file mode 100644 index 83871b7e..00000000 --- a/common/Makefile +++ /dev/null 
@@ -1,162 +0,0 @@ -NAME ?= $(shell basename "`pwd`") -ifneq ($(origin TARGET_SITE), undefined) - TARGET_SITE_OPT=--set main.clusterGroupName=$(TARGET_SITE) -endif - -# This variable can be set in order to pass additional helm arguments from the -# the command line. I.e. we can set things without having to tweak values files -EXTRA_HELM_OPTS ?= - -# INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248 -# or -# INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:394248,registry-proxy.engineering.redhat.com/rh-osbs/iib:394249 -INDEX_IMAGES ?= - -TARGET_ORIGIN ?= origin -# This is to ensure that whether we start with a git@ or https:// URL, we end up with an https:// URL -# This is because we expect to use tokens for repo authentication as opposed to SSH keys -TARGET_REPO=$(shell git ls-remote --get-url --symref $(TARGET_ORIGIN) | sed -e 's/.*URL:[[:space:]]*//' -e 's%^git@%%' -e 's%^https://%%' -e 's%:%/%' -e 's%^%https://%') -# git branch --show-current is also available as of git 2.22, but we will use this for compatibility -TARGET_BRANCH=$(shell git rev-parse --abbrev-ref HEAD) - -# --set values always take precedence over the contents of -f -HELM_OPTS=-f values-global.yaml --set main.git.repoURL="$(TARGET_REPO)" --set main.git.revision=$(TARGET_BRANCH) $(TARGET_SITE_OPT) $(EXTRA_HELM_OPTS) - -##@ Pattern Common Tasks - -.PHONY: help -help: ## This help message - @echo "Pattern: $(NAME)" - @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf " \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) - -# Makefiles in the individual patterns should call these targets explicitly -# e.g. 
from industrial-edge: make -f common/Makefile show -.PHONY: show -show: ## show the starting template without installing it - helm template common/operator-install/ --name-template $(NAME) $(HELM_OPTS) - -# Only call helm install if the CRD is missing. If it already exists just -# push the templated files. -# The reason we have two helm template calls in the else branch is to avoid -# warnings when the chart gets applied the first time, but the resources were -# created first via the VP operator's UI -.PHONY: operator-deploy -operator-deploy operator-upgrade: validate-prereq validate-origin ## runs helm install - @set -e; if ! oc get crds patterns.gitops.hybrid-cloud-patterns.io >/dev/null 2>&1; then \ - echo "Running helm:"; \ - helm upgrade --install $(NAME) common/operator-install/ $(HELM_OPTS); \ - else \ - echo "Reapplying helm chart:"; \ - helm template --name-template $(NAME) common/operator-install/ $(HELM_OPTS) | oc apply set-last-applied --create-annotation -f-; \ - helm template --name-template $(NAME) common/operator-install/ $(HELM_OPTS) | oc apply -f-; \ - fi - -.PHONY: uninstall -uninstall: ## runs helm uninstall - $(eval CSV := $(shell oc get subscriptions -n openshift-operators openshift-gitops-operator -ojsonpath={.status.currentCSV})) - helm uninstall $(NAME) - @oc delete csv -n openshift-operators $(CSV) - -.PHONY: load-secrets -load-secrets: ## loads the secrets into the vault - common/scripts/vault-utils.sh push_secrets $(NAME) - -.PHONY: load-iib -load-iib: ## CI target to install Index Image Bundles - @set -e; if [ x$(INDEX_IMAGES) != x ]; then \ - for IIB in $(shell echo $(INDEX_IMAGES) | tr ',' '\n'); do \ - INDEX_IMAGE="$${IIB}" ansible-playbook common/ansible/playbooks/iib-ci/iib-ci.yaml; \ - done; \ - fi - - -##@ Validation Tasks - -# We only check the remote ssh git branch's existance if we're not running inside a container -# as getting ssh auth working inside a container seems a bit brittle -.PHONY: validate-origin -validate-origin: 
## verify the git origin is available - @echo "Checking repository:" - @echo -n " $(TARGET_REPO) - branch $(TARGET_BRANCH): " - @if [ ! -f /run/.containerenv ]; then\ - git ls-remote --exit-code --heads $(TARGET_REPO) $(TARGET_BRANCH) >/dev/null &&\ - echo "OK" ||\ - (echo "NOT FOUND"; exit 1);\ - else\ - echo "Running inside a container: Skipping git ssh checks";\ - fi - -.PHONY: validate-schema -validate-schema: ## validates values files against schema in common/clustergroup - $(eval VAL_PARAMS := $(shell for i in ./values-*.yaml; do echo -n "$${i} "; done)) - @echo -n "Validating clustergroup schema of: " - @set -e; for i in $(VAL_PARAMS); do echo -n " $$i"; helm template common/clustergroup $(HELM_OPTS) -f "$${i}" >/dev/null; done - @echo - -.PHONY: validate-prereq -validate-prereq: ## verify pre-requisites - @echo "Checking prerequisites:" - @for t in $(EXECUTABLES); do if ! which $$t > /dev/null 2>&1; then echo "No $$t in PATH"; exit 1; fi; done - @echo " Check for '$(EXECUTABLES)': OK" - @echo -n " Check for python-kubernetes: " - @if ! ansible -m ansible.builtin.command -a "{{ ansible_python_interpreter }} -c 'import kubernetes'" localhost > /dev/null 2>&1; then echo "Not found"; exit 1; fi - @echo "OK" - @echo -n " Check for kubernetes.core collection: " - @if ! ansible-galaxy collection list | grep kubernetes.core > /dev/null 2>&1; then echo "Not found"; exit 1; fi - @echo "OK" - -##@ Test and Linters Tasks - -CHARTS=$(shell find . 
-type f -iname 'Chart.yaml' -exec dirname "{}" \; | grep -v examples | sed -e 's/.\///') -# Section related to tests and linting -TEST_OPTS= -f values-global.yaml --set global.repoURL="https://github.com/pattern-clone/mypattern" \ - --set main.git.repoURL="https://github.com/pattern-clone/mypattern" --set main.git.revision=main --set global.pattern="mypattern" \ - --set global.namespace="pattern-namespace" --set global.hubClusterDomain=apps.hub.example.com --set global.localClusterDomain=apps.region.example.com --set global.clusterDomain=region.example.com\ - --set "clusterGroup.imperative.jobs[0].name"="test" --set "clusterGroup.imperative.jobs[0].playbook"="ansible/test.yml" -PATTERN_OPTS=-f common/examples/values-example.yaml -EXECUTABLES=git helm oc ansible - -.PHONY: test -test: ## run helm tests - @for t in $(CHARTS); do common/scripts/test.sh $$t all "$(TEST_OPTS)"; if [ $$? != 0 ]; then exit 1; fi; done - -.PHONY: helmlint -helmlint: ## run helm lint - @for t in $(CHARTS); do common/scripts/lint.sh $$t $(TEST_OPTS); if [ $$? != 0 ]; then exit 1; fi; done - -API_URL ?= https://raw.githubusercontent.com/hybrid-cloud-patterns/ocp-schemas/main/openshift/4.10/ -KUBECONFORM_SKIP ?= -skip 'CustomResourceDefinition,ClusterIssuer,CertManager,Certificate,ArgoCD' - -# We need to skip 'CustomResourceDefinition' as openapi2jsonschema seems to be unable to generate them ATM -.PHONY: kubeconform -kubeconform: ## run helm kubeconform - @for t in $(CHARTS); do helm template $(TEST_OPTS) $(PATTERN_OPTS) $$t | kubeconform -strict $(KUBECONFORM_SKIP) -verbose -schema-location $(API_URL); if [ $$? 
!= 0 ]; then exit 1; fi; done - -.PHONY: super-linter -super-linter: ## Runs super linter locally - rm -rf .mypy_cache - podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \ - -e VALIDATE_BASH=false \ - -e VALIDATE_JSCPD=false \ - -e VALIDATE_KUBERNETES_KUBECONFORM=false \ - -e VALIDATE_YAML=false \ - -e VALIDATE_ANSIBLE=false \ - -e VALIDATE_DOCKERFILE_HADOLINT=false \ - -e VALIDATE_TEKTON=false \ - $(DISABLE_LINTERS) \ - -v $(PWD):/tmp/lint:rw,z \ - -w /tmp/lint \ - docker.io/github/super-linter:slim-v5 - -.PHONY: ansible-lint -ansible-lint: ## run ansible lint on ansible/ folder - podman run -it -v $(PWD):/workspace:rw,z --workdir /workspace --env ANSIBLE_CONFIG=./ansible/ansible.cfg \ - --entrypoint "/usr/local/bin/ansible-lint" quay.io/ansible/creator-ee:latest "-vvv" "ansible/" - -.PHONY: ansible-unittest -ansible-unittest: ## run ansible unit tests - pytest -r a --fulltrace --color yes ansible/tests/unit/test_*.py - -.PHONY: deploy upgrade legacy-deploy legacy-upgrade -deploy upgrade legacy-deploy legacy-upgrade: - @echo "UNSUPPORTED TARGET: please switch to 'operator-deploy'"; exit 1 diff --git a/common/README.md b/common/README.md deleted file mode 100644 index bb60d248..00000000 --- a/common/README.md +++ /dev/null 
@@ -1,22 +0,0 @@
-# Validated Patterns common/ repository
-
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-
-## Start Here
-
-This repository is never used as standalone. It is usually imported in each pattern as a subtree.
-In order to import the common/ the very first time you can use
-`https://github.com/hybrid-cloud-patterns/multicloud-gitops/blob/main/common/scripts/make_common_subtree.sh`
-
-In order to update your common subtree inside your pattern repository you can either use
-`https://github.com/hybrid-cloud-patterns/utilities/blob/main/scripts/update-common-everywhere.sh` or
-do it manually by doing the following:
-
-```sh
-git remote add -f upstream-common https://github.com/hybrid-cloud-patterns/common.git
-git merge -s subtree -Xtheirs -Xsubtree=common upstream-common/ha-vault
-```
-
-## Secrets
-
-There are two different secret formats parsed by the ansible bits. Both are documented [here](https://github.com/hybrid-cloud-patterns/common/tree/main/ansible/roles/vault_utils/README.md)
diff --git a/common/acm/.helmignore b/common/acm/.helmignore
deleted file mode 100644
index b25c15b8..00000000
--- a/common/acm/.helmignore
+++ /dev/null
@@ -1 +0,0 @@
-*~
diff --git a/common/acm/Chart.yaml b/common/acm/Chart.yaml
deleted file mode 100644
index 1c3db911..00000000
--- a/common/acm/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-description: A Helm chart to configure Advanced Cluster Manager for OpenShift
-keywords:
-- pattern
-name: acm
-version: 0.0.1
diff --git a/common/acm/templates/multiclusterhub.yaml b/common/acm/templates/multiclusterhub.yaml
deleted file mode 100644
index 79ef9339..00000000
--- a/common/acm/templates/multiclusterhub.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: operator.open-cluster-management.io/v1
-kind: MultiClusterHub
-metadata:
- name: multiclusterhub
- namespace: open-cluster-management
- annotations:
- argocd.argoproj.io/sync-wave: "-1"
- {{- if kindIs "map" .Values.clusterGroup.subscriptions }}
- installer.open-cluster-management.io/mce-subscription-spec: '{"source": "{{ default "redhat-operators" .Values.clusterGroup.subscriptions.acm.source }}" }'
- {{- end }}
-spec: {}
diff --git a/common/acm/templates/policies/acm-hub-ca-policy.yaml b/common/acm/templates/policies/acm-hub-ca-policy.yaml
deleted file mode 100644
index 890e6bae..00000000
--- a/common/acm/templates/policies/acm-hub-ca-policy.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
-# This pushes out the HUB's Certificate Authorities on to the imported clusters
-{{ if .Values.clusterGroup.isHubCluster }}
----
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
- name: acm-hub-ca-policy
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
- remediationAction: enforce
- disabled: false
- policy-templates:
- - objectDefinition:
- apiVersion: policy.open-cluster-management.io/v1
- kind: ConfigurationPolicy
- metadata:
- name: acm-hub-ca-config-policy
- spec:
- remediationAction: enforce
- severity: medium
- namespaceSelector:
- include:
- - default
- object-templates:
- - complianceType: mustonlyhave
- objectDefinition:
- kind: Secret
- apiVersion: v1
- type: Opaque
- metadata:
- name: hub-ca
- namespace: imperative
- data:
- hub-kube-root-ca.crt: '{{ `{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}` }}'
- hub-openshift-service-ca.crt: '{{ `{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}` }}'
----
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
- name: acm-hub-ca-policy-placement-binding
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
- name: acm-hub-ca-policy-placement
- kind: PlacementRule
- apiGroup: apps.open-cluster-management.io
-subjects:
- - name: acm-hub-ca-policy
- kind: Policy
- apiGroup: policy.open-cluster-management.io
----
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
- name: acm-hub-ca-policy-placement
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
- clusterConditions:
- - status: 'True'
- type: ManagedClusterConditionAvailable
- clusterSelector:
- matchExpressions:
- - key: local-cluster
- operator: NotIn
- values:
- - 'true'
-{{ end }}
-
diff --git a/common/acm/templates/policies/application-policies.yaml b/common/acm/templates/policies/application-policies.yaml
deleted file mode 100644
index f1c7bbdd..00000000
--- a/common/acm/templates/policies/application-policies.yaml
+++ /dev/null
@@ -1,154 +0,0 @@ -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- if not .hostedArgoSites }} -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: {{ .name }}-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: {{ .name }}-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: {{ $.Values.global.pattern }}-{{ .name }} - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: {{ coalesce .repoURL $.Values.global.repoURL }} - targetRevision: {{ coalesce .targetRevision $.Values.global.targetRevision }} - path: {{ default "common/clustergroup" .path }} - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-{{ .name }}.yaml" - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}.yaml' - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` }}-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}.yaml' - - '/values-{{ `{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}` 
}}-{{ .name }}.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}-{{ .name }}.yaml' - {{- range $valueFile := .extraValueFiles }} - - {{ $valueFile | quote }} - {{- end }} - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: {{ $.Values.global.pattern }} - - name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} - - name: global.localClusterDomain - value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}` }}' - # Requires ACM 2.6 or higher - - name: global.clusterDomain - value: '{{ `{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." 
"" }}` }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - - name: global.clusterVersion - value: '{{ `{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}` }}' - - name: global.clusterPlatform - value: {{ $.Values.global.clusterPlatform }} - - name: clusterGroup.name - value: {{ $group.name }} - {{- range .helmOverrides }} - - name: {{ .name }} - value: {{ .value | quote }} - {{- end }} - {{- if .fileParameters }} - fileParameters: - {{- range .fileParameters }} - - name: {{ .name }} - path: {{ .path }} - {{- end }} - {{- end }} - destination: - server: https://kubernetes.default.svc - namespace: {{ $.Values.global.pattern }}-{{ .name }} - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: {{ default 20 $.Values.global.options.applicationRetryLimit }} - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: {{ .name }}-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: {{ .name }}-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: {{ .name }}-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: {{ .name }}-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - {{- if .clusterSelector }} - clusterSelector: {{ .clusterSelector | toPrettyJson }} - 
{{- else if (not $group.acmlabels) }} - clusterSelector: - matchLabels: - clusterGroup: {{ $group.name }} - {{- else if eq (len $group.acmlabels) 0 }} - clusterSelector: - matchLabels: - clusterGroup: {{ $group.name }} - {{- else }} - clusterSelector: - matchLabels: - {{- range .acmlabels }} - {{ .name }}: {{ .value }} - {{- end }} - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/common/acm/templates/policies/ocp-gitops-policy.yaml b/common/acm/templates/policies/ocp-gitops-policy.yaml deleted file mode 100644 index 4691c18d..00000000 --- a/common/acm/templates/policies/ocp-gitops-policy.yaml +++ /dev/null 
@@ -1,82 +0,0 @@
-apiVersion: policy.open-cluster-management.io/v1
-kind: Policy
-metadata:
- name: openshift-gitops-policy
- annotations:
- policy.open-cluster-management.io/standards: NIST-CSF
- policy.open-cluster-management.io/categories: PR.DS Data Security
- policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
- remediationAction: enforce
- disabled: false
- policy-templates:
- - objectDefinition:
- apiVersion: policy.open-cluster-management.io/v1
- kind: ConfigurationPolicy
- metadata:
- name: openshift-gitops-config
- spec:
- remediationAction: enforce
- severity: medium
- namespaceSelector:
- include:
- - default
- object-templates:
- - complianceType: mustonlyhave
- objectDefinition:
- # This is an auto-generated file. DO NOT EDIT
- apiVersion: operators.coreos.com/v1alpha1
- kind: Subscription
- metadata:
- name: openshift-gitops-operator
- namespace: openshift-operators
- labels:
- operators.coreos.com/openshift-gitops-operator.openshift-operators: ''
- spec:
- channel: {{ default "gitops-1.8" .Values.main.gitops.channel }}
- installPlanApproval: Automatic
- name: openshift-gitops-operator
- source: redhat-operators
- sourceNamespace: openshift-marketplace
- config:
- env:
- - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES
- value: "*"
----
-apiVersion: policy.open-cluster-management.io/v1
-kind: PlacementBinding
-metadata:
- name: openshift-gitops-placement-binding
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-placementRef:
- name: openshift-gitops-placement
- kind: PlacementRule
- apiGroup: apps.open-cluster-management.io
-subjects:
- - name: openshift-gitops-policy
- kind: Policy
- apiGroup: policy.open-cluster-management.io
----
-apiVersion: apps.open-cluster-management.io/v1
-kind: PlacementRule
-metadata:
- name: openshift-gitops-placement
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
- clusterConditions:
- - status: 'True'
- type: ManagedClusterConditionAvailable
- clusterSelector:
- matchExpressions:
- - key: vendor
- operator: In
- values:
- - OpenShift
- - key: local-cluster
- operator: NotIn
- values:
- - 'true'
diff --git a/common/acm/templates/provision/_install-config.tpl b/common/acm/templates/provision/_install-config.tpl
deleted file mode 100644
index b0336627..00000000
--- a/common/acm/templates/provision/_install-config.tpl
+++ /dev/null
@@ -1,66 +0,0 @@
-{{- define "cluster.install-config" -}}
-
-{{- $type := "None" }}
-{{- $cloud := "None" }}
-{{- $region := "None" }}
-
-{{- if .platform.aws }}
-{{- $cloud = "aws" }}
-{{- $region = .platform.aws.region }}
-{{- $type = "m5.xlarge" }}
-{{- else if .platform.azure }}
-{{- $cloud = "azure" }}
-{{- $region = .platform.azure.region }}
-{{- $type = "Standard_D8s_v3" }}
-{{- end }}
-
-apiVersion: v1
-metadata:
- name: '{{ .name }}'
-baseDomain: {{ .baseDomain }}
-controlPlane:
- architecture: amd64
- hyperthreading: Enabled
- name: controlPlane
- {{- if .controlPlane }}
- replicas: {{ default 3 .controlPlane.count }}
- {{- if .controlPlane.platform }}
- platform:
- {{- toYaml .controlPlane.platform | nindent 4 }}
- {{- end }}
- {{- else }}
- replicas: 3
- platform:
- {{ $cloud }}:
- type: {{ $type }}
- {{- end }}
-compute:
-- hyperthreading: Enabled
- architecture: amd64
- name: 'worker'
- {{- if .workers }}
- replicas: {{ default 0 .workers.count }}
- {{- if .workers.platform }}
- platform:
- {{- toYaml .workers.platform | nindent 4 }}
- {{- end }}
- {{- else }}
- replicas: 3
- platform:
- {{ $cloud }}:
- type: {{ $type }}
- {{- end }}
-networking:
- clusterNetwork:
- - cidr: 10.128.0.0/14
- hostPrefix: 23
- machineNetwork:
- - cidr: 10.0.0.0/16
- networkType: OVNKubernetes
- serviceNetwork:
- - 172.30.0.0/16
-platform:
-{{- toYaml .platform | nindent 2 }}
-pullSecret: "" # skip, hive will inject based on it's secrets
-sshKey: "" # skip, hive will inject based on it's secrets
-{{- end -}}
diff --git a/common/acm/templates/provision/clusterpool.yaml b/common/acm/templates/provision/clusterpool.yaml
deleted file mode 100644
index e2f9d3d1..00000000
--- a/common/acm/templates/provision/clusterpool.yaml
+++ /dev/null
@@ -1,95 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- if .clusterPools }}{{- /* We only create ManagedClusterSets if there are clusterPools defined */}} -apiVersion: cluster.open-cluster-management.io/v1beta1 -kind: ManagedClusterSet -metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: {{ .name }}-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: {{ .name }} -spec: - clusterSelector: - selectorType: LegacyClusterSetLabel ---- -{{- range .clusterPools }} - -{{- $pool := . }} -{{- $poolName := print .name "-" $group.name }} - -{{- $cloud := "None" }} -{{- $region := "None" }} -{{- $numClusters := 0 }} - -{{- if .platform.aws }} -{{- $cloud = "aws" }} -{{- $region = .platform.aws.region }} -{{- else if .platform.azure }} -{{- $cloud = "azure" }} -{{- $region = .platform.azure.region }} -{{- end }} - -{{- if .clusters }} -{{- $numClusters = len .clusters }} -{{- end }} - -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "{{ $poolName }}" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: {{ $cloud }} - region: '{{ $region }}' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: {{ .name }} -spec: - {{- if .size }} - size: {{ .size }} - {{- else }} - size: {{ $numClusters }} - {{- end }} - runningCount: {{ $numClusters }} - baseDomain: {{ .baseDomain }} - installConfigSecretTemplateRef: - name: {{ $poolName }}-install-config - imageSetRef: - name: img{{ .openshiftVersion }}-multi-appsub - pullSecretRef: - name: {{ $poolName }}-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - {{ $cloud }}: - credentialsSecretRef: - name: {{ $poolName }}-creds - region: {{ $region }} ---- -{{- range .clusters }} -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: '{{ lower . 
}}-{{ lower $group.name }}' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: {{ lower . }}-{{ lower $group.name }} - {{- if (not $group.acmlabels) }} - clusterGroup: {{ $group.name }} - {{- else if eq (len $group.acmlabels) 0 }} - clusterGroup: {{ $group.name }} - {{- else }} - {{- range $group.acmlabels }} - {{ .name }}: {{ .value }} - {{- end }} - {{- end }} -spec: - clusterPoolName: {{ $poolName }} ---- -{{- end }}{{- /* range .range clusters */}} -{{- end }}{{- /* range .clusterPools */}} -{{- end }}{{- /* if .clusterPools) */}} -{{- end }}{{- /* range .Values.clusterGroup.managedClusterGroups */}} diff --git a/common/acm/templates/provision/secrets-aws.yaml b/common/acm/templates/provision/secrets-aws.yaml deleted file mode 100644 index 002c9247..00000000 --- a/common/acm/templates/provision/secrets-aws.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- range .clusterPools }} -{{- $poolName := print .name "-" $group.name }} -{{- if .platform.aws }} -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ $poolName }}-creds -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: {{ default "secret/data/hub/aws" .awsKeyPath }} - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ $poolName }}-creds - creationPolicy: Owner - template: - type: Opaque ---- -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ $poolName }}-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: {{ default "secret/data/hub/openshiftPullSecret" .pullSecretKeyPath }} - property: content - - secretKey: awsKeyId - remoteRef: - key: {{ default "secret/data/hub/aws" .awsKeyPath }} - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: {{ default "secret/data/hub/aws" .awsKeyPath }} - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: {{ default "secret/data/hub/publickey" .sshPublicKeyPath }} - property: content - - secretKey: sshPrivateKey - remoteRef: - key: {{ default "secret/data/hub/privatekey" .sshPrivateKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ $poolName }}-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "{{ .baseDomain }}" - pullSecret: |- - {{ "{{ .openshiftPullSecret | toString }}" }} - aws_access_key_id: |- - {{ "{{ 
.awsKeyId | toString }}" }} - aws_secret_access_key: |- - {{ "{{ .awsAccessKey | toString }}" }} - ssh-privatekey: |- - {{ "{{ .sshPrivateKey | toString }}" }} - ssh-publickey: |- - {{ "{{ .sshPublicKey | toString }}" }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/common/acm/templates/provision/secrets-azure.yaml b/common/acm/templates/provision/secrets-azure.yaml deleted file mode 100644 index 7fe6271b..00000000 --- a/common/acm/templates/provision/secrets-azure.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- range .clusterPools }} -{{- $poolName := print .name "-" $group.name }} -{{- if .platform.azure }} -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ $poolName }}-creds -spec: - data: - - secretKey: azureOsServicePrincipal - remoteRef: - key: {{ default "secret/data/hub/azureOsServicePrincipal" .azureKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ $poolName }}-creds - creationPolicy: Owner - template: - type: Opaque - data: - osServicePrincipal.json: |- - {{ "{{ .azureOsServicePrincipal | toString }}" }} ---- -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ $poolName }}-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: {{ default "secret/data/hub/openshiftPullSecret" .pullSecretKeyPath }} - property: content - - secretKey: sshPublicKey - remoteRef: - key: {{ default "secret/data/hub/publickey" .sshPublicKeyPath }} - property: content - - secretKey: sshPrivateKey - remoteRef: - key: {{ default "secret/data/hub/privatekey" .sshPrivateKeyPath }} - property: content - - secretKey: azureOsServicePrincipal - remoteRef: - key: {{ default "secret/data/hub/azureOsServicePrincipal" .azureKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ $poolName }}-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - cloudName: AzurePublicCloud - osServicePrincipal.json: |- - {{ "{{ .azureOsServicePrincipal | toString }}" }} - baseDomain: "{{ 
.baseDomain }}" - baseDomainResourceGroupName: "{{ .platform.azure.baseDomainResourceGroupName | toString }}" - pullSecret: |- - {{ "{{ .openshiftPullSecret | toString }}" }} - ssh-privatekey: |- - {{ "{{ .sshPrivateKey | toString }}" }} - ssh-publickey: |- - {{ "{{ .sshPublicKey | toString }}" }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -{{- end }} -{{- end }} -{{- end }} diff --git a/common/acm/templates/provision/secrets-common.yaml b/common/acm/templates/provision/secrets-common.yaml deleted file mode 100644 index 21a03b73..00000000 --- a/common/acm/templates/provision/secrets-common.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- range .Values.clusterGroup.managedClusterGroups }} -{{- $group := . }} -{{- range .clusterPools }} -{{- $poolName := print .name "-" $group.name }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ $poolName }}-install-config -data: - # Base64 encoding of install-config yaml - install-config.yaml: {{ include "cluster.install-config" . | b64enc }} -type: Opaque ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ $poolName }}-pull-secret -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: {{ default "secret/data/hub/openshiftPullSecret" .pullSecretKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ $poolName }}-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ "{{ .openshiftPullSecret | toString }}" }} ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ $poolName }}-ssh-private-key -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: {{ default "secret/data/hub/privatekey" .sshPrivateKeyPath }} - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: {{ $.Values.secretStore.name }} - kind: {{ $.Values.secretStore.kind }} - target: - name: {{ $poolName }}-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ "{{ .sshPrivateKey | toString }}" }} ---- -{{- end }} -{{- end }} diff --git a/common/acm/test.yaml b/common/acm/test.yaml deleted file mode 100644 index 669daf07..00000000 --- a/common/acm/test.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -clusterGroup: - managedClusterGroups: - exampleRegion: - name: region-one - - # Before enabling cluster provisioning, ensure AWS/Azure credentials and OCP - # pull secrets are defined in Vault. See values-secret.yaml.template - # - clusterPools: - exampleAWSPool: - name: aws-ap - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - aws: - region: ap-southeast-2 - clusters: - - One - exampleAzurePool: - name: azure-us - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - azure: - baseDomainResourceGroupName: dojo-dns-zones - region: eastus - clusters: - - Two - - Three - acmlabels: - - name: clusterGroup - value: region-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false diff --git a/common/acm/values.yaml b/common/acm/values.yaml deleted file mode 100644 index 1f430370..00000000 --- a/common/acm/values.yaml +++ /dev/null @@ -1,33 +0,0 @@ -main: - gitops: - channel: "gitops-1.8" - -global: - pattern: none - repoURL: none - targetRevision: main - - -clusterGroup: - subscriptions: - acm: - source: redhat-operators - managedClusterGroups: -# testRegion: -# name: region-one -# clusterPools: -# testPool: -# name: spoke -# openshiftVersion: 4.10.18 -# provider: -# region: ap-southeast-2 -# baseDomain: blueprints.rhecoeng.com -# clusters: -# - spoke1 -# labels: -# - name: clusterGroup -# value: region-one - -secretStore: - name: vault-backend - kind: ClusterSecretStore diff --git a/common/ansible/ansible.cfg b/common/ansible/ansible.cfg deleted file mode 100644 index 652feb98..00000000 --- a/common/ansible/ansible.cfg +++ /dev/null 
@@ -1,6 +0,0 @@ -[defaults] -localhost_warning=False -library=./plugins/modules:~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules -roles_path=./roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles -module_utils=~/.ansible/plugins/module_utils:./plugins/module_utils:/usr/share/ansible/plugins/module_utils -filter_plugins=~/.ansible/plugins/filter:./plugins/filter:/usr/share/ansible/plugins/filter diff --git a/common/ansible/playbooks/acm/acmhub-get-ca.yaml b/common/ansible/playbooks/acm/acmhub-get-ca.yaml deleted file mode 100644 index 770333ff..00000000 --- a/common/ansible/playbooks/acm/acmhub-get-ca.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -# This playbook fetches the hub cluster's CAbundle from ACM's objects -# and puts it in a secret inside the imperative namespace ---- -- name: ACM Get Hub CA - hosts: localhost - connection: local - gather_facts: false - become: false - vars: - ns: imperative - tasks: - - name: Find hub cluster - kubernetes.core.k8s_info: - kind: Secret - name: hub-kubeconfig-secret - namespace: open-cluster-management-agent - register: hub_cluster - - - name: Do nothing when no managed clusters are found - ansible.builtin.meta: end_play - when: hub_cluster['resources'][0]['data']['kubeconfig'] is not defined - - # FIXME(bandini) The assumption here is that there is a single hub cluster for each managed cluster - # - # oc extract secret/hub-kubeconfig-secret --keys=kubeconfig --to=- -n open-cluster-management-agent - # apiVersion: v1 - # clusters: - # - cluster: - # certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNakNDQWhxZ0F3SU... - # server: https://api.bandini-dc.blueprints.rhecoeng.com:6443 - # name: default-cluster - - name: Get hub cluster facts - ansible.builtin.set_fact: - # kubeconfig is just a b64-econded yaml - hub_cluster_kubeconfig: "{{ hub_cluster['resources'][0]['data']['kubeconfig'] | b64decode | from_yaml }}" - - - name: Set CA fact - ansible.builtin.set_fact: - # The .get() call is needed because the key has dashes in it - hub_cluster_ca: "{{ hub_cluster_kubeconfig.clusters[0].cluster.get('certificate-authority-data') }}" - - - name: Create secret with managed cluster's CA - kubernetes.core.k8s: - state: present - definition: - kind: Secret - apiVersion: v1 - metadata: - name: "hub" - namespace: "{{ ns }}" - data: - caBundle: "{{ hub_cluster_ca }}" - type: Opaque diff --git a/common/ansible/playbooks/hello-world/hello-world.yaml b/common/ansible/playbooks/hello-world/hello-world.yaml deleted file mode 100644 index c0a992a7..00000000 --- a/common/ansible/playbooks/hello-world/hello-world.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# This playbook is a simple hello-world playbook to show capabilities -# It creates a config-map inside the imperative namespace containing -# the helm variable "global.clusterDomain" ---- -- name: Hello World Example - hosts: localhost - connection: local - gather_facts: false - become: false - vars: - ns: imperative - tasks: - - name: Create secret with managed cluster's CA - kubernetes.core.k8s: - state: present - definition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: "hello-world" - namespace: "{{ ns }}" - data: - hello-cluster-domain: "{{ global['clusterDomain'] }}" diff --git a/common/ansible/playbooks/iib-ci/iib-ci.yaml b/common/ansible/playbooks/iib-ci/iib-ci.yaml deleted file mode 100644 index dc6e45cb..00000000 --- a/common/ansible/playbooks/iib-ci/iib-ci.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# This playbook invokes the iib_ci role ---- -- name: IIB CI playbook - hosts: localhost - connection: local - gather_facts: false - roles: - - iib_ci diff --git a/common/ansible/playbooks/iib-ci/lookup.yml b/common/ansible/playbooks/iib-ci/lookup.yml deleted file mode 100644 index f7e42ca4..00000000 --- a/common/ansible/playbooks/iib-ci/lookup.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -- name: IIB CI playbook - hosts: localhost - connection: local - gather_facts: false - vars: - rh_url: "https://datagrepper.engineering.redhat.com/raw?topic=/topic/VirtualTopic.eng.ci.redhat-container-image.index.built&contains=%s&rows_per_page=20" - operator: "openshift-gitops-1-gitops-operator-bundle" - ocp_versions: {} - tasks: - - name: Set url fact - ansible.builtin.set_fact: - url: "{{ rh_url | format(operator + ':v') }}" - - - name: Fetch URI - ansible.builtin.uri: - url: "{{ url }}" - return_content: true - register: jsoncontent - - - name: Setting content - ansible.builtin.set_fact: - content: "{{ jsoncontent['content'] | from_json }}" - - - name: Set messages fact - ansible.builtin.set_fact: - raw_messages: "{{ content.raw_messages }}" - - # The when clause is because if we already have an IIB for an ocp version we do not - # want to override it (combine will always override existing keys) - # Reason for this is that the messages are sorted last first and we only want the - # last entries - - name: Set output - ansible.builtin.set_fact: - ocp_versions: "{{ ocp_versions | combine({item['msg']['index']['ocp_version']: {'indeximage': item['msg']['index']['index_image'], 'bundleimage': item['msg']['index']['added_bundle_images'][0]}}) }}" - loop: "{{ raw_messages }}" - when: item['msg']['index']['ocp_version'] is not in ocp_versions - loop_control: - label: "{{ item['msg']['index']['ocp_version'] }}" - - - name: Print OCP versions for "{{ operator }}" - ansible.builtin.debug: - msg: "{{ item.key }} -> {{ item.value }}" - loop: "{{ ocp_versions | dict2items }}" - loop_control: - label: "{{ item.key }}" diff --git a/common/ansible/playbooks/vault/vault.yaml b/common/ansible/playbooks/vault/vault.yaml deleted file mode 100644 index 64711e47..00000000 --- a/common/ansible/playbooks/vault/vault.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ ---- -- name: Vault initialization - hosts: localhost - connection: local - gather_facts: false - roles: - - vault_utils diff --git a/common/ansible/plugins/__init__.py b/common/ansible/plugins/__init__.py deleted file mode 100644 index e69de29b..00000000 diff --git a/common/ansible/plugins/filter/parse_acm_secrets.py b/common/ansible/plugins/filter/parse_acm_secrets.py deleted file mode 100644 index 0445d96d..00000000 --- a/common/ansible/plugins/filter/parse_acm_secrets.py +++ /dev/null 
@@ -1,83 +0,0 @@ -# This filter takes a bunch of acm secrets that represent the remote clusters -# (Usually it is all secrets that are labeled with: -# "apps.open-cluster-management.io/secret-type=acm-cluster") - -# These secrets are usually in the form of: -# data: -# config: ewogIC... -# name: bWNnLW9uZQ== -# server: aHR0cHM6Ly9hcGkubWNnLW9uZS5ibHVlcHJpbnRzLnJoZWNvZW5nLmNvbTo2NDQz - -# The filter parses the secret (name, server, config) and returns a dictionary of secrets in the -# following form: -# : -# name: -# cluster_fqdn: -# server_api: https://api.:6443 -# bearerToken: -# tlsClientConfig: -# vault_path: "hub" when it is the ACM hub or in the other cases - -import json -from base64 import b64decode - - -# These are the labels of an acm secret -# labels: -# apps.open-cluster-management.io/cluster-name: local-cluster -# apps.open-cluster-management.io/cluster-server: api.mcg-hub.blueprints.rhecoeng.com -# apps.open-cluster-management.io/secret-type: acm-cluster -def get_cluster_name(secret): - if "metadata" in secret and "labels" in secret["metadata"]: - return secret["metadata"]["labels"].get( - "apps.open-cluster-management.io/cluster-name", None - ) - return None - - -def is_cluster_a_hub(name): - if name == "local-cluster": - return True - return False - - -def get_cluster_fqdn(secret): - if "metadata" in secret and "labels" in secret["metadata"]: - server = secret["metadata"]["labels"].get( - "apps.open-cluster-management.io/cluster-server", None - ) - # It is rather hard to override this in an OCP deployment so we are - # okay in just dropping 'api.' 
- return server.removeprefix("api.") - return None - - -def parse_acm_secrets(secrets): - ret = {} - for secret in secrets: - cluster = get_cluster_name(secret) - if cluster is None: - continue - - ret[cluster] = {} - name = b64decode(secret["data"]["name"]) - ret[cluster]["name"] = name - ret[cluster]["server_api"] = b64decode(secret["data"]["server"]) - fqdn = get_cluster_fqdn(secret) - ret[cluster]["cluster_fqdn"] = fqdn - if is_cluster_a_hub(name): - ret[cluster]["vault_path"] = "hub" - else: - ret[cluster]["vault_path"] = fqdn - - config = b64decode(secret["data"]["config"]) - parsed_config = json.loads(config) - ret[cluster]["bearerToken"] = parsed_config["bearerToken"] - ret[cluster]["tlsClientConfig"] = parsed_config["tlsClientConfig"] - - return ret - - -class FilterModule: - def filters(self): - return {"parse_acm_secrets": parse_acm_secrets} diff --git a/common/ansible/plugins/module_utils/load_secrets_common.py b/common/ansible/plugins/module_utils/load_secrets_common.py deleted file mode 100644 index 1652a287..00000000 --- a/common/ansible/plugins/module_utils/load_secrets_common.py +++ /dev/null 
@@ -1,104 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Module that implements some common functions -""" - -import configparser -from collections.abc import MutableMapping - - -def find_dupes(array): - """ - Returns duplicate items in a list - - Parameters: - l(list): Array to check for duplicate entries - - Returns: - dupes(list): Array containing all the duplicates and [] is there are none - """ - seen = set() - dupes = [] - for x in array: - if x in seen: - dupes.append(x) - else: - seen.add(x) - return dupes - - -def get_version(syaml): - """ - Return the version: of the parsed yaml object. 
If it does not exist - return 1.0 - - Returns: - ret(str): The version value in of the top-level 'version:' key - """ - return str(syaml.get("version", "1.0")) - - -def flatten(dictionary, parent_key=False, separator="."): - """ - Turn a nested dictionary into a flattened dictionary and also - drop any key that has 'None' as their value - - Parameters: - dictionary(dict): The dictionary to flatten - - parent_key(str): The string to prepend to dictionary's keys - - separator(str): The string used to separate flattened keys - - Returns: - - dictionary: A flattened dictionary where the keys represent the - path to reach the leaves - """ - - items = [] - for key, value in dictionary.items(): - new_key = str(parent_key) + separator + key if parent_key else key - if isinstance(value, MutableMapping): - items.extend(flatten(value, new_key, separator).items()) - elif isinstance(value, list): - for k, v in enumerate(value): - items.extend(flatten({str(k): v}, new_key).items()) - else: - if value is not None: - items.append((new_key, value)) - return dict(items) - - -def get_ini_value(inifile, inisection, inikey): - """ - Return a value from an ini-file or 'None' if it does not exist - - Parameters: - inifile(str): The path to the ini-file - - inisection(str): The section in the ini-file to look for the key - - inikey(str): The key to look up inside the ini-file's section - - Returns: - - obj: The value of the key or None if it does not exist - """ - config = configparser.ConfigParser() - config.read(inifile) - return config.get(inisection, inikey, fallback=None) diff --git a/common/ansible/plugins/module_utils/load_secrets_v1.py b/common/ansible/plugins/module_utils/load_secrets_v1.py deleted file mode 100644 index 6478ac26..00000000 --- a/common/ansible/plugins/module_utils/load_secrets_v1.py +++ /dev/null 
@@ -1,267 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Module that implements V1 of the values-secret.yaml spec -""" - -import base64 -import os -import time - -import yaml -from ansible.module_utils.load_secrets_common import flatten, get_version - - -class LoadSecretsV1: - def __init__( - self, - module, - syaml, - basepath, - namespace, - pod, - values_secret_template, - check_missing_secrets, - ): - self.module = module - self.basepath = basepath - self.namespace = namespace - self.pod = pod - self.values_secret_template = values_secret_template - self.check_missing_secrets = check_missing_secrets - self.syaml = syaml - - def _run_command(self, command, attempts=1, sleep=3): - """ - Runs a command on the host ansible is running on. A failing command - will raise an exception in this function directly (due to check=True) - - Parameters: - command(str): The command to be run. 
- attempts(int): Number of times to retry in case of Error (defaults to 1) - sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s) - - Returns: - ret(subprocess.CompletedProcess): The return value from run() - """ - for attempt in range(attempts): - ret = self.module.run_command( - command, - check_rc=True, - use_unsafe_shell=True, - environ_update=os.environ.copy(), - ) - if ret[0] == 0: - return ret - if attempt >= attempts - 1: - return ret - time.sleep(sleep) - - def sanitize_values(self): - """ - Sanitizes the secrets YAML object. If a specific secret key has - s3.accessKey and s3.secretKey but not s3Secret, the latter will be - generated as the base64 encoding of both s3.accessKey and s3.secretKey. - - secrets: - test: - s3.accessKey: "1234" - s3.secretKey: "4321" - - will push three secrets at 'secret/hub/test': - - s3.accessKey: 1234 - s3.secretKey: 4321 - s3Secret: czMuYWNjZXNzS2V5OiAxMjM0CnMzLnNlY3JldEtleTogNDMyMQ== - - Parameters: - - Returns: - Nothing: Updates self.syaml(obj) - """ - v = get_version(self.syaml) - if v != "1.0": - self.module.fail_json(f"Version is not 1.0: {v}") - - if not ("secrets" in self.syaml or "files" in self.syaml): - self.module.fail_json( - f"Values secrets file does not contain 'secrets' or" - f"'files' keys: {self.syaml}" - ) - - if self.check_missing_secrets and self.values_secret_template == "": - self.module.fail_json( - "No values_secret_template defined and check_missing_secrets set to True" - ) - # If the user specified check_for_missing_secrets then we read values_secret_template - # and check if there are any missing secrets. 
Makes sense only for v1.0 - if self.check_missing_secrets: - self.check_for_missing_secrets() - - secrets = self.syaml.get("secrets", {}) - # We need to explicitely check for None because the file might contain the - # top-level 'secrets:' or 'files:' key but have nothing else under it which will - # return None and not {} - if secrets is None: - secrets = {} - files = self.syaml.get("files", {}) - if files is None: - files = {} - if len(secrets) == 0 and len(files) == 0: - self.module.fail_json( - "Neither 'secrets' nor 'files have any secrets to be parsed" - ) - - if isinstance(secrets, list) or isinstance(files, list): - self.module.fail_json("Neither 'secrets' nor 'files can be lists") - - for secret in secrets: - if not isinstance(secrets[secret], dict): - self.module.fail_json( - "Each key under 'secrets' needs to point to " - "a dictionary of key value pairs" - ) - - for file in files: - path = files[file] - if not os.path.isfile(os.path.expanduser(path)): - self.module.fail_json(f"File {path} does not exist") - - # If s3Secret key does not exist but s3.accessKey and s3.secretKey do exist - # generate s3Secret so a user does not need to do it manually which tends to be error-prone - for secret in secrets: - tmp = secrets[secret] - if ( - "s3.accessKey" in tmp - and "s3.secretKey" in tmp - and "s3Secret" not in tmp - ): - s3secret = ( - f"s3.accessKey: {tmp['s3.accessKey']}\n" - f"s3.secretKey: {tmp['s3.secretKey']}" - ) - s3secretb64 = base64.b64encode(s3secret.encode()) - secrets[secret]["s3Secret"] = s3secretb64.decode("utf-8") - - def get_secrets_vault_paths(self, keyname): - """ - Walks a secrets yaml object to look for all top-level keys that start with - 'keyname' and returns a list of tuples [(keyname1, path1), (keyname2, path2)...] 
- where the path is the relative vault path - For example, given a yaml with the following: - secrets: - foo: bar - secrets.region1: - foo: baz - secrets.region2: - foo: barbaz - - a call with keyname set to 'secrets' will return the following: - [('secrets', 'hub'), ('secrets', 'region1'), ('secrets', 'region2')] - - Parameters: - keyname(str): The keytypes to look for either usually 'secrets' or 'files' - - Returns: - keys_paths(list): List of tuples containing (keyname, relative-vault-path) - """ - all_keys = self.syaml.keys() - keys_paths = [] - for key in all_keys: - # We skip any key that does not start with 'secrets' or 'files' - # (We should probably bail out in the presence of unexpected top-level keys) - if not key.startswith(keyname): - continue - - # If there is no '.' after secrets or files, assume the secrets need to - # go to the hub vault path - if key == keyname: - keys_paths.append((key, "hub")) - continue - - # We are in the presence of either 'secrets.region-one' or 'files.cluster1' top-level keys - tmp = key.split(".", 1) - if len(tmp) != 2: - self.module.fail_json( - f"values-secrets.yaml key is non-conformant: {key}" - ) - - keys_paths.append((key, tmp[1])) - - return keys_paths - - # NOTE(bandini): we shell out to oc exec it because of - # https://github.com/ansible-collections/kubernetes.core/issues/506 and - # https://github.com/kubernetes/kubernetes/issues/89899. 
Until those are solved - # it makes little sense to invoke the APIs via the python wrappers - def inject_secrets(self): - """ - Walks a secrets yaml object and injects all the secrets into the vault via 'oc exec' calls - - Parameters: - - Returns: - counter(int): The number of secrets injected - """ - counter = 0 - for i in self.get_secrets_vault_paths("secrets"): - path = f"{self.basepath}/{i[1]}" - for secret in self.syaml[i[0]] or []: - properties = "" - for key, value in self.syaml[i[0]][secret].items(): - properties += f"{key}='{value}' " - properties = properties.rstrip() - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"vault kv put '{path}/{secret}' {properties}\"" - ) - self._run_command(cmd, attempts=3) - counter += 1 - - for i in self.get_secrets_vault_paths("files"): - path = f"{self.basepath}/{i[1]}" - for filekey in self.syaml[i[0]] or []: - file = os.path.expanduser(self.syaml[i[0]][filekey]) - cmd = ( - f"cat '{file}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - > /tmp/vcontent'; " - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | " - f"vault kv put {path}/{filekey} b64content=- content=@/tmp/vcontent; " - f"rm /tmp/vcontent'" - ) - self._run_command(cmd, attempts=3) - counter += 1 - return counter - - def check_for_missing_secrets(self): - with open(self.values_secret_template, "r", encoding="utf-8") as file: - template_yaml = yaml.safe_load(file.read()) - if template_yaml is None: - self.module.fail_json(f"Template {self.values_secret_template} is empty") - - syaml_flat = flatten(self.syaml) - template_flat = flatten(template_yaml) - - syaml_keys = set(syaml_flat.keys()) - template_keys = set(template_flat.keys()) - - if template_keys <= syaml_keys: - return - - diff = template_keys - syaml_keys - self.module.fail_json( - f"Values secret yaml is missing needed secrets from the templates: {diff}" - ) 
diff --git a/common/ansible/plugins/module_utils/load_secrets_v2.py b/common/ansible/plugins/module_utils/load_secrets_v2.py deleted file mode 100644 index 05a5917e..00000000 --- a/common/ansible/plugins/module_utils/load_secrets_v2.py +++ /dev/null 
@@ -1,456 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Module that implements V2 of the values-secret.yaml spec -""" - -import base64 -import getpass -import os -import time - -from ansible.module_utils.load_secrets_common import ( - find_dupes, - get_ini_value, - get_version, -) - -default_vp_vault_policies = { - "validatedPatternDefaultPolicy": ( - "length=20\n" - 'rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\n' - 'rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\n' - 'rule "charset" { charset = "0123456789" min-chars = 1 }\n' - 'rule "charset" { charset = "!@#%^&*" min-chars = 1 }\n' - ) -} - - -class LoadSecretsV2: - def __init__(self, module, syaml, namespace, pod): - self.module = module - self.namespace = namespace - self.pod = pod - self.syaml = syaml - - def _run_command(self, command, attempts=1, sleep=3, checkrc=True): - """ - Runs a command on the host ansible is running on. A failing command - will raise an exception in this function directly (due to check=True) - - Parameters: - command(str): The command to be run. 
- attempts(int): Number of times to retry in case of Error (defaults to 1) - sleep(int): Number of seconds to wait in between retry attempts (defaults to 3s) - - Returns: - ret(subprocess.CompletedProcess): The return value from run() - """ - for attempt in range(attempts): - ret = self.module.run_command( - command, - check_rc=checkrc, - use_unsafe_shell=True, - environ_update=os.environ.copy(), - ) - if ret[0] == 0: - return ret - if attempt >= attempts - 1: - return ret - time.sleep(sleep) - - def _get_backingstore(self): - """ - Return the backingStore: of the parsed yaml object. If it does not exist - return 'vault' - - Returns: - ret(str): The value of the top-level 'backingStore:' key - """ - return str(self.syaml.get("backingStore", "vault")) - - def _get_vault_policies(self, enable_default_vp_policies=True): - # We start off with the hard-coded default VP policy and add the user-defined ones - if enable_default_vp_policies: - policies = default_vp_vault_policies.copy() - else: - policies = {} - policies.update(self.syaml.get("vaultPolicies", {})) - return policies - - def _get_secrets(self): - return self.syaml.get("secrets", {}) - - def _get_field_on_missing_value(self, f): - # By default if 'onMissingValue' is missing we assume we need to - # error out whenever the value is missing - return f.get("onMissingValue", "error") - - def _get_field_value(self, f): - return f.get("value", None) - - def _get_field_path(self, f): - return f.get("path", None) - - def _get_field_ini_file(self, f): - return f.get("ini_file", None) - - def _get_field_kind(self, f): - # value: null will be interpreted with None, so let's just - # check for the existence of the field, as we use 'value: null' to say - # "we want a value/secret and not a file path" - found = [] - for i in ["value", "path", "ini_file"]: - if i in f: - found.append(i) - - if len(found) > 1: # you can only have one of value, path and ini_file - self.module.fail_json(f"Both '{found[0]}' and '{found[1]}' 
cannot be used") - - if len(found) == 0: - return "" - return found[0] - - def _get_field_prompt(self, f): - return f.get("prompt", None) - - def _get_field_base64(self, f): - return bool(f.get("base64", False)) - - def _get_field_override(self, f): - return bool(f.get("override", False)) - - # This function could use some rewriting and it should call a specific validation function - # for each type (value, path, ini_file) - def _validate_field(self, f): - # These fields are mandatory - try: - _ = f["name"] - except KeyError: - return (False, f"Field {f} is missing name") - - on_missing_value = self._get_field_on_missing_value(f) - if on_missing_value not in ["error", "generate", "prompt"]: - return (False, f"onMissingValue: {on_missing_value} is invalid") - - value = self._get_field_value(f) - path = self._get_field_path(f) - ini_file = self._get_field_ini_file(f) - kind = self._get_field_kind(f) - if kind == "ini_file": - # if we are using ini_file then at least ini_key needs to be defined - # ini_section defaults to 'default' when omitted - ini_key = f.get("ini_key", None) - if ini_key is None: - return ( - False, - "ini_file requires at least ini_key to be defined", - ) - - # Test if base64 is a correct boolean (defaults to False) - _ = self._get_field_base64(f) - _ = self._get_field_override(f) - - vault_policy = f.get("vaultPolicy", None) - if vault_policy is not None and vault_policy not in self._get_vault_policies(): - return ( - False, - f"Secret has vaultPolicy set to {vault_policy} but no such policy exists", - ) - - if on_missing_value in ["error"]: - if ( - (value is None or len(value) < 1) - and (path is None or len(path) < 1) - and (ini_file is None or len(ini_file) < 1) - ): - return ( - False, - "Secret has onMissingValue set to 'error' and has neither value nor path nor ini_file set", - ) - if path is not None and not os.path.isfile(os.path.expanduser(path)): - return (False, f"Field has non-existing path: {path}") - - if ini_file is not None and 
not os.path.isfile( - os.path.expanduser(ini_file) - ): - return (False, f"Field has non-existing ini_file: {ini_file}") - - if "override" in f: - return ( - False, - "'override' attribute requires 'onMissingValue' to be set to 'generate'", - ) - - if on_missing_value in ["generate"]: - if value is not None: - return ( - False, - "Secret has onMissingValue set to 'generate' but has a value set", - ) - if path is not None: - return ( - False, - "Secret has onMissingValue set to 'generate' but has a path set", - ) - if vault_policy is None: - return ( - False, - "Secret has no vaultPolicy but onMissingValue is set to 'generate'", - ) - - if on_missing_value in ["prompt"]: - # When we prompt, the user needs to set one of the following: - # - value: null # prompt for a secret without a default value - # - value: 123 # prompt for a secret but use a default value - # - path: null # prompt for a file path without a default value - # - path: /tmp/ca.crt # prompt for a file path with a default value - if "value" not in f and "path" not in f: - return ( - False, - "Secret has onMissingValue set to 'prompt' but has no value nor path fields", - ) - - if "override" in f: - return ( - False, - "'override' attribute requires 'onMissingValue' to be set to 'generate'", - ) - - return (True, "") - - def _validate_secrets(self): - secrets = self._get_secrets() - if len(secrets) == 0: - self.module.fail_json("No secrets found") - - names = [] - for s in secrets: - # These fields are mandatory - for i in ["name"]: - try: - _ = s[i] - except KeyError: - return (False, f"Secret {s['name']} is missing {i}") - names.append(s["name"]) - - vault_prefixes = s.get("vaultPrefixes", ["hub"]) - # This checks for the case when vaultPrefixes: is specified but empty - if vault_prefixes is None or len(vault_prefixes) == 0: - return (False, f"Secret {s['name']} has empty vaultPrefixes") - - fields = s.get("fields", []) - if len(fields) == 0: - return (False, f"Secret {s['name']} does not have any 
fields") - - field_names = [] - for i in fields: - (ret, msg) = self._validate_field(i) - if not ret: - return (False, msg) - field_names.append(i["name"]) - field_dupes = find_dupes(field_names) - if len(field_dupes) > 0: - return (False, f"You cannot have duplicate field names: {field_dupes}") - - dupes = find_dupes(names) - if len(dupes) > 0: - return (False, f"You cannot have duplicate secret names: {dupes}") - return (True, "") - - def inject_vault_policies(self): - for name, policy in self._get_vault_policies().items(): - cmd = ( - f"echo '{policy}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - > /tmp/{name}.hcl';" - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c 'vault write sys/policies/password/{name} " - f" policy=@/tmp/{name}.hcl'" - ) - self._run_command(cmd, attempts=3) - - def sanitize_values(self): - """ - Sanitizes the secrets YAML object version 2.0 - - Parameters: - - Returns: - Nothing: Updates self.syaml(obj) if needed - """ - v = get_version(self.syaml) - if v != "2.0": - self.module.fail_json(f"Version is not 2.0: {v}") - - backing_store = self._get_backingstore() - if backing_store != "vault": # we currently only support vault - self.module.fail_json( - f"Currently only the 'vault' backingStore is supported: {backing_store}" - ) - - (ret, msg) = self._validate_secrets() - if not ret: - self.module.fail_json(msg) - - def _get_secret_value(self, name, field): - on_missing_value = self._get_field_on_missing_value(field) - # We cannot use match + case as RHEL8 has python 3.9 (it needs 3.10) - # We checked for errors in _validate_secrets() already - if on_missing_value == "error": - return field.get("value") - elif on_missing_value == "prompt": - prompt = self._get_field_prompt(field) - if prompt is None: - prompt = f"Type secret for {name}/{field['name']}: " - value = self._get_field_value(field) - if value is not None: - prompt += f" [{value}]" - prompt += ": " - return getpass.getpass(prompt) - return None - - def 
_get_file_path(self, name, field): - on_missing_value = self._get_field_on_missing_value(field) - if on_missing_value == "error": - return os.path.expanduser(field.get("path")) - elif on_missing_value == "prompt": - prompt = self._get_field_prompt(field) - path = self._get_field_path(field) - if path is None: - path = "" - - if prompt is None: - text = f"Type path for file {name}/{field['name']} [{path}]: " - else: - text = f"{prompt} [{path}]: " - - newpath = getpass.getpass(text) - if newpath == "": # Set the default if no string was entered - newpath = path - - if os.path.isfile(os.path.expanduser(newpath)): - return newpath - self.module.fail_json(f"File {newpath} not found, exiting") - - self.module.fail_json("File with wrong onMissingValue") - - def _vault_secret_attr_exists(self, mount, prefix, secret_name, attribute): - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f'"vault kv get -mount={mount} -field={attribute} {prefix}/{secret_name}"' - ) - # we ignore stdout and stderr - (ret, _, _) = self._run_command(cmd, attempts=1, checkrc=False) - if ret == 0: - return True - - return False - - def _inject_field(self, secret_name, f, mount, prefixes, first=False): - on_missing_value = self._get_field_on_missing_value(f) - override = self._get_field_override(f) - kind = self._get_field_kind(f) - # If we're generating the password then we just push the secret in the vault directly - verb = "put" if first else "patch" - b64 = self._get_field_base64(f) - if kind in ["value", ""]: - if on_missing_value == "generate": - if kind == "path": - self.module.fail_json( - "You cannot have onMissingValue set to 'generate' with a path" - ) - vault_policy = f.get("vaultPolicy") - gen_cmd = f"vault read -field=password sys/policies/password/{vault_policy}/generate" - if b64: - gen_cmd += " | base64 --wrap=0" - for prefix in prefixes: - # if the override field is False and the secret attribute exists at the prefix then we just - # skip, as we do not want to 
overwrite the existing secret - if not override and self._vault_secret_attr_exists( - mount, prefix, secret_name, f["name"] - ): - continue - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"{gen_cmd} | vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}=-\"" - ) - self._run_command(cmd, attempts=3) - return - - # If we're not generating the secret inside the vault directly we either read it from the file ("error") - # or we are prompting the user for it - secret = self._get_secret_value(secret_name, f) - if b64: - secret = base64.b64encode(secret.encode()).decode("utf-8") - for prefix in prefixes: - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}='{secret}'\"" - ) - self._run_command(cmd, attempts=3) - - elif kind == "path": # path. we upload files - # If we're generating the password then we just push the secret in the vault directly - verb = "put" if first else "patch" - path = self._get_file_path(secret_name, f) - for prefix in prefixes: - if b64: - b64_cmd = "| base64 --wrap=0 " - else: - b64_cmd = "" - cmd = ( - f"cat '{path}' | oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"'cat - {b64_cmd}> /tmp/vcontent'; " - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c '" - f"vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}=@/tmp/vcontent; " - f"rm /tmp/vcontent'" - ) - self._run_command(cmd, attempts=3) - elif kind == "ini_file": # ini_file. 
we parse an ini_file - verb = "put" if first else "patch" - ini_file = os.path.expanduser(f.get("ini_file")) - ini_section = f.get("ini_section", "default") - ini_key = f.get("ini_key") - secret = get_ini_value(ini_file, ini_section, ini_key) - if b64: - secret = base64.b64encode(secret.encode()).decode("utf-8") - for prefix in prefixes: - cmd = ( - f"oc exec -n {self.namespace} {self.pod} -i -- sh -c " - f"\"vault kv {verb} -mount={mount} {prefix}/{secret_name} {f['name']}='{secret}'\"" - ) - self._run_command(cmd, attempts=3) - - # This assumes that self.sanitize_values() has already been called - # so we do a lot less validation as it has already happened - def inject_secrets(self): - # This must come first as some passwords might depend on vault policies to exist. - # It is a noop when no policies are defined - self.inject_vault_policies() - secrets = self._get_secrets() - - total_secrets = 0 # Counter for all the secrets uploaded - for s in secrets: - counter = 0 # This counter is to use kv put on first secret and kv patch on latter - sname = s.get("name") - fields = s.get("fields", []) - mount = s.get("vaultMount", "secret") - vault_prefixes = s.get("vaultPrefixes", ["hub"]) - for i in fields: - self._inject_field(sname, i, mount, vault_prefixes, counter == 0) - counter += 1 - total_secrets += 1 - - return total_secrets diff --git a/common/ansible/plugins/modules/vault_load_secrets.py b/common/ansible/plugins/modules/vault_load_secrets.py deleted file mode 100644 index 725b69b4..00000000 --- a/common/ansible/plugins/modules/vault_load_secrets.py +++ /dev/null 
@@ -1,209 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Ansible plugin module that loads secrets from a yaml file and pushes them -inside the HashiCorp Vault in an OCP cluster. The values-secrets.yaml file is -expected to be in the following format: ---- -# version is optional. When not specified it is assumed it is 1.0 -version: 1.0 - -# These secrets will be pushed in the vault at secret/hub/test The vault will -# have secret/hub/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets: - test: - secret1: foo - secret2: bar - -# This will create the vault key secret/hub/testfoo which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files: - testfoo: ~/ca.crt - -# These secrets will be pushed in the vault at secret/region1/test The vault will -# have secret/region1/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets.region1: - test: - secret1: foo1 - secret2: bar1 - -# This will create the vault key secret/region2/testbar which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files.region2: - testbar: ~/ca.crt -""" - -import os - -import yaml -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.load_secrets_common import 
get_version -from ansible.module_utils.load_secrets_v1 import LoadSecretsV1 -from ansible.module_utils.load_secrets_v2 import LoadSecretsV2 - -ANSIBLE_METADATA = { - "metadata_version": "1.1", - "status": ["preview"], - "supported_by": "community", -} - -DOCUMENTATION = """ ---- -module: vault_load_secrets -short_description: Loads secrets into the HashiCorp Vault -version_added: "2.11" -author: "Michele Baldessari" -description: - - Takes a values-secret.yaml file and uploads the secrets into the HashiCorp Vault -options: - values_secrets: - description: - - Path to the values-secrets file (only one of values_secrets and - values_secrets_plaintext can be passed) - required: false - default: '' - type: str - values_secrets_plaintext: - description: - - The content of the values-secrets file (only one of values_secrets and - values_secrets_plaintext can be passed) - required: false - default: '' - type: str - namespace: - description: - - Namespace where the vault is running - required: false - type: str - default: vault - pod: - description: - - Name of the vault pod to use to inject secrets - required: false - type: str - default: vault-0 - basepath: - description: - - Vault's kv initial part of the path. 
This is only supported on version 1.0 of the - secret format - required: false - type: str - default: secret - check_missing_secrets: - description: - - Validate the ~/values-secret.yaml file against the top-level - values-secret-template.yaml and error out if secrets are missing - required: false - type: bool - default: False - values_secret_template: - description: - - Path of the values-secret-template.yaml file of the pattern - required: false - type: str - default: "" -""" - -RETURN = """ -""" - -EXAMPLES = """ -- name: Loads secrets file into the vault of a cluster - vault_load_secrets: - values_secrets: ~/values-secret.yaml -""" - - -def run(module): - """Main ansible module entry point""" - results = dict(changed=False) - - args = module.params - values_secrets = os.path.expanduser(args.get("values_secrets", "")) - values_secrets_plaintext = args.get("values_secrets_plaintext", "") - if values_secrets != "" and values_secrets_plaintext != "": - module.fail_json("Cannot pass both values_secret and values_secret_plaintext") - - values_secrets = os.path.expanduser(args.get("values_secrets")) - basepath = args.get("basepath") - namespace = args.get("namespace") - pod = args.get("pod") - check_missing_secrets = args.get("check_missing_secrets") - values_secret_template = args.get("values_secret_template") - - if values_secrets != "" and not os.path.exists(values_secrets): - results["failed"] = True - results["error"] = f"Missing {values_secrets} file" - results["msg"] = f"Values secrets file does not exist: {values_secrets}" - module.exit_json(**results) - - # We were passed a filename (aka the unencrypted path) - if values_secrets != "": - with open(values_secrets, "r", encoding="utf-8") as file: - syaml = yaml.safe_load(file.read()) - if syaml is None: - syaml = {} - elif isinstance(syaml, str): - module.fail_json(f"Could not parse {values_secrets} file as yaml") - elif values_secrets_plaintext != "": - syaml = yaml.safe_load(values_secrets_plaintext) - if 
syaml is None: - syaml = {} - elif isinstance(syaml, str): - module.fail_json("Could not parse values_secrets_plaintext as yaml") - else: - module.fail_json("Both values_secrets and values_secrets_plaintext are unset") - - version = get_version(syaml) - if version == "2.0": - secret_obj = LoadSecretsV2(module, syaml, namespace, pod) - elif version == "1.0": - secret_obj = LoadSecretsV1( - module, - syaml, - basepath, - namespace, - pod, - values_secret_template, - check_missing_secrets, - ) - - else: - module.fail_json(f"Version {version} is currently not supported") - - secret_obj.sanitize_values() - nr_secrets = secret_obj.inject_secrets() - results["failed"] = False - results["changed"] = True - results["msg"] = f"{nr_secrets} secrets injected" - module.exit_json(**results) - - -def main(): - """Main entry point where the AnsibleModule class is instantiated""" - module = AnsibleModule( - argument_spec=yaml.safe_load(DOCUMENTATION)["options"], - supports_check_mode=False, - ) - run(module) - - -if __name__ == "__main__": - main() diff --git a/common/ansible/roles/iib_ci/README.md b/common/ansible/roles/iib_ci/README.md deleted file mode 100644 index 1d8b447e..00000000 --- a/common/ansible/roles/iib_ci/README.md +++ /dev/null 
@@ -1,85 +0,0 @@ -# IIB Utilities - -A set of ansible plays to fetch an IIB (Image Index Bundle, aka a container created by the operator sdk -that contains a bunch of references to operators that can be installed in an OpenShift cluster) - -Run `make lookup` to see which IIBs are available. - -Typically IIB are prerelease stuff that lives on some internal boxes. What these scripts do is fetch -the IIB internally, mirror it to the registry inside the cluster, parse all the needed images and mirror -those to the internal cluster registry and then set up the registries.conf files on all nodes so -that the images used are the ones pointing to the internal cluster. - -## Usage - -By default the operator to be installed from the IIB is `openshift-gitops-operator`. You can override this through the `OPERATOR` env variable. -For example, to mirror an operator into an existing cluster you would do the following: - -```sh -export KUBECONFIG=/tmp/foo/kubeconfig -export OPERATOR=openshift-gitops-operator -export IIB=492329 -export INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:${IIB} -export KUBEADMINPASS="11111-22222-33333-44444" -# This will push the IIB and all the needed images for the default openshift-gitops-operator into the cluster -make load-iib -# This will install the pattern using the gitops operator from the IIB -``` - -Then in case of the `openshift-gitops-operator` we would install with: - -```sh -export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l "catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') -make EXTRA_HELM_OPTS="--set main.gitops.operatorSource=iib-${IIB} --set main.gitops.channel=${CHANNEL}" install -``` - -To install ACM (`export OPERATOR=advanced-cluster-management`) or any other -operator (except the gitops one) from an IIB we would call the following as a -final step: - -```sh -export CHANNEL=$(oc get -n openshift-marketplace packagemanifests -l 
"catalog=iib-${IIB}" --field-selector "metadata.name=${OPERATOR}" -o jsonpath='{.items[0].status.defaultChannel}') -make EXTRA_HELM_OPTS="--set main.extraParameters[0].name=clusterGroup.subscriptions.acm.source --set main.extraParameters[0].value=iib-${IIB} --set main.extraParameters[1].name=clusterGroup.subscriptions.acm.channel --set main.extraParameters[1].value=${CHANNEL}" install -``` - -*Note*: This needs VP operator version >= 0.0.14 - -### OCP 4.13 and onwards - -Since 4.13 supports an internal registry that can cope with v2 docker manifests, we -use that. Run `make iib` with the following environment variables set: - -* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` -* `KUBEADMINPASS="11111-22222-33333-44444"` - -### OCP 4.12 and previous versions - -Due to the lack of v2 manifest support on the internal registry, we use an external -registry. Run `make iib` with the following environment variables set: - -* `INDEX_IMAGES=registry-proxy.engineering.redhat.com/rh-osbs/iib:492329` -* `REGISTRY=quay.io/rhn_support_mbaldess/iib` -* `REGISTRY_TOKEN=:` - -*Note*: For the REGISTRY_TOKEN go to your quay repository, add a robot with "Write" permissions. The robot created will have a "username" and "password" fields. Set the REGISTRY_TOKEN environment variable to that value. - -## Useful commands - -* List IIBs for an operator: - -```sh -ansible-playbook common/ansible/playbooks/iib-ci/lookup.yml -... -ok: [localhost] => (item=v4.13) => { - "msg": "v4.13 -> {'indeximage': 'registry-proxy.engineering.redhat.com/rh-osbs/iib:509435', 'bundleimage': 'registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle:v99.9.0-106'}" -} -... -``` - -Override the `operator` value with the desired bundle name to figure out the last IIBs for it. 
- -* List all images uploaded to the internal registry: - -```sh -oc exec -it -n openshift-image-registry $(oc get pods -n openshift-image-registry -o json | jq -r '.items[].metadata.name | select(. | test("^image-registry-"))' | head -n1) -- bash -c "curl -k -u kubeadmin:$(oc whoami -t) https://localhost:5000/v2/_catalog" -``` diff --git a/common/ansible/roles/iib_ci/defaults/main.yml b/common/ansible/roles/iib_ci/defaults/main.yml deleted file mode 100644 index 7605dba5..00000000 --- a/common/ansible/roles/iib_ci/defaults/main.yml +++ /dev/null @@ -1,17 +0,0 @@ -rh_internal_registry: registry-proxy.engineering.redhat.com -iib_image: "{{ lookup('env', 'INDEX_IMAGE') }}" - -external_registry: "{{ lookup('env', 'REGISTRY') }}" -external_registry_token: "{{ lookup('env', 'REGISTRY_TOKEN') }}" -external_registry_email: noemail@localhost - -kubeadminpass: "{{ lookup('env', 'KUBEADMINPASS') }}" - -internal_registry_ns: openshift-marketplace -internal_registry_email: noemail@localhost -internal_registry_user: registry-custom-user -internal_registry_pass: "{{ lookup('env', 'INTERNAL_REGISTRY_USER') }}" - -# We can use default(, true) below because OPERATOR is a string and not -# a boolean -operator: "{{ lookup('env', 'OPERATOR') | default('openshift-gitops-operator', true) }}" diff --git a/common/ansible/roles/iib_ci/handlers/main.yml b/common/ansible/roles/iib_ci/handlers/main.yml deleted file mode 100644 index a983544d..00000000 --- a/common/ansible/roles/iib_ci/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# handlers file for vault_utils diff --git a/common/ansible/roles/iib_ci/meta/main.yml b/common/ansible/roles/iib_ci/meta/main.yml deleted file mode 100644 index c9d7005d..00000000 --- a/common/ansible/roles/iib_ci/meta/main.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -galaxy_info: - author: Validated Patterns Team https://github.com/hybrid-cloud-patterns/ - description: Internal module to work with IIBs (Image Index Bundles) - - issue_tracker_url: https://github.com/hybrid-cloud-patterns/common/issues - license: Apache-2.0 - min_ansible_version: "2.1" - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - platforms: - - name: Fedora - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: EL - versions: - - "8" - - "9" - - galaxy_tags: [] - -dependencies: [] diff --git a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml b/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml deleted file mode 100644 index 10f083e9..00000000 --- a/common/ansible/roles/iib_ci/tasks/fetch-operator-images.yml +++ /dev/null 
@@ -1,95 +0,0 @@ -# This task fetches all the images given an operator name -# the operator name is defined in the variable "item". This -# set of tasks is to be included in a loop that goes over the -# needed operators -- name: Get default channel in the IIB for "{{ item }}" - ansible.builtin.shell: | - oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ - -o jsonpath='{.items[0].status.defaultChannel}' - register: default_channel_raw - retries: 10 - delay: 10 - until: default_channel_raw is not failed - -- name: Set default channel fact - ansible.builtin.set_fact: - default_channel: "{{ default_channel_raw.stdout }}" - -- name: Get all related images in the IIB for "{{ item }}" - ansible.builtin.shell: | - oc get packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ item }}" \ - -o jsonpath="{.items[0].status.channels[?(@.name==\"{{ default_channel }}\")].currentCSVDesc.relatedImages}" - register: related_images_raw - -- name: Set related_images fact - ansible.builtin.set_fact: - related_images: "{{ related_images_raw.stdout }}" - -# NOTE(bandini) -# The following code is here to fund out what the operator bundle image is and to make -# sure it is on the internal registry. -# This is all potentially hacky, but so far I could not find a single place in the cluster -# where the olm.bundle image is available. The info is in there in the IIB, but it certainly -# is not in any package manifest nor catalogsource. 
This is why we resort to invoking opm -# alpha commands inside the IIB image locally -- name: Pull the IIB locally - ansible.builtin.command: - podman pull "{{ iib_image }}" - -# $ opm alpha list channels /configs advanced-cluster-management -# PACKAGE CHANNEL HEAD -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 -# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 -- name: Read the operator bundle from the default channel - ansible.builtin.shell: | - set -o pipefail - podman run -it --rm "{{ iib_image }}" alpha list channels /configs "{{ item }}" | grep --word-regexp "{{ default_channel }}" | awk '{ print $3 }' - register: bundle_channel_raw - -- name: Set bundle fact - ansible.builtin.set_fact: - bundle_channel: "{{ bundle_channel_raw.stdout }}" - -- name: Fail if bundle_channel is empty - ansible.builtin.fail: - msg: "Failed to find bundle from channel: {{ bundle_channel_raw }}" - when: > - (bundle_channel is not defined) or (bundle_channel | length == 0) - -# $ opm alpha list bundles /configs advanced-cluster-management -# PACKAGE CHANNEL BUNDLE REPLACES SKIPS SKIP RANGE IMAGE -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.0 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:f63d0a9a0e3dc9d86e84279c50e9c613d8430e71a3821d418e168250ca3b747c -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.1 advanced-cluster-management.v2.7.0 >=2.6.0 <2.7.1 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:a81a574f2f22d37681c44fe0c3b958074408705415de333de54d120145537533 -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.2 advanced-cluster-management.v2.7.1 >=2.6.0 <2.7.2 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:8a2c758689eaebe6a287315ca18fd9122f323e195ea3410db005b6a449060fad -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.3 advanced-cluster-management.v2.7.2 >=2.6.0 
<2.7.3 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:208f4d9473a923817c102bb7e5f138d3e1e8ed3057a23a220ffa8fe9c0c27128 -# advanced-cluster-management release-2.7 advanced-cluster-management.v2.7.4 advanced-cluster-management.v2.7.3 >=2.6.0 <2.7.4 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:75b6438e08800b2e3608aeb01c1c0a68810108d9905fff35916afd21e6d32685 -# advanced-cluster-management release-2.8 advanced-cluster-management.v2.8.0-130 >=2.7.0 <2.8.0-130 registry.stage.redhat.io/rhacm2/acm-operator-bundle@sha256:6c385aa69256cdd964ae9e79e52ce52e1048391f0557af59843326c4ebe9bec0 -- name: Get bundle image - ansible.builtin.shell: | - set -o pipefail - podman run -it --rm "{{ iib_image }}" alpha list bundles /configs "{{ item }}" | grep -e "{{ default_channel }}\s\+{{ bundle_channel }}" | awk '{ print $NF }' - register: bundle_image_raw - -- name: Set bundle image fact - ansible.builtin.set_fact: - bundle_image: "{{ bundle_image_raw.stdout }}" - -- name: Fail if bundle_image is empty - ansible.builtin.fail: - msg: "Failed to find bundle image: {{ bundle_image_raw }}" - when: > - (bundle_image is not defined) or (bundle_image | length == 0) - -# all_images will be a list as follows: -# [ "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40", -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b", -# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759", -# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792", -# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2", -# 
"registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461", -# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5", -# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0dda..." ] -- name: Set all images fact (related images + operator bundles) - ansible.builtin.set_fact: - all_images: "{{ all_images + related_images + [bundle_image] }}" diff --git a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml b/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml deleted file mode 100644 index 4b39184c..00000000 --- a/common/ansible/roles/iib_ci/tasks/install-iib-in-cluster.yml +++ /dev/null 
@@ -1,52 +0,0 @@ -- name: Remove manifest folder "{{ iib_local_folder }}" - ansible.builtin.file: - path: "{{ iib_local_folder }}" - state: absent - -- name: Create manifest folder "{{ iib_local_folder }}" - ansible.builtin.file: - path: "{{ iib_local_folder }}" - state: directory - mode: "0755" - -# This generates files in /tmp/manifest-IIB: -# - mapping.txt -# - catalogSource.yaml -# - imageContentSourcePolicy.yaml -- name: Mirror catalog manifests only to "{{ iib_local_folder }}" - ansible.builtin.shell: | - oc adm catalog mirror --insecure --manifests-only --to-manifests=. \ - "{{ iib_image }}" "{{ rh_internal_registry }}/rh-osbs" > catalog.log 2>&1 - args: - chdir: "{{ iib_local_folder }}" - -- name: Mirror IIB to "{{ mirror_iib }}" - ansible.builtin.shell: | - oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" \ - "{{ iib_image }}={{ mirror_iib }}" --insecure --keep-manifest-list 2>&1 - args: - chdir: "{{ iib_local_folder }}" - register: oc_mirror_result - retries: 10 - delay: 5 - until: oc_mirror_result is not failed - -- name: Template mirrored catalogsource - ansible.builtin.template: - src: ./templates/catalogSource.yaml.j2 - dest: "{{ iib_local_folder }}/mirrored-catalogsource.yaml" - mode: "0644" - -- name: Apply mirrored catalogsource - ansible.builtin.shell: | - oc apply -f "{{ iib_local_folder }}/mirrored-catalogsource.yaml" - -- name: Wait for catalogsource to show up - ansible.builtin.shell: | - oc get -n "{{ internal_registry_ns }}" packagemanifests -l "catalog=iib-{{ iib }}" --field-selector "metadata.name={{ operator }}" \ - -o jsonpath='{.items[0].status.defaultChannel}' - register: oc_catalogsource_result - retries: 30 - delay: 10 - until: oc_catalogsource_result is not failed - changed_when: false diff --git a/common/ansible/roles/iib_ci/tasks/main.yml b/common/ansible/roles/iib_ci/tasks/main.yml deleted file mode 100644 index ba6eb7c8..00000000 --- a/common/ansible/roles/iib_ci/tasks/main.yml +++ /dev/null 
@@ -1,43 +0,0 @@ -- name: Check that INDEX_IMAGE env variable is set - ansible.builtin.fail: - msg: "INDEX_IMAGE: '{{ iib_image }}' is not set" - failed_when: - (iib_image is not defined or iib_image | length == 0) - -- name: Set IIB fact - ansible.builtin.set_fact: - iib: "{{ iib_image.split(':')[1] }}" - -- name: Set IIB local folder fact - ansible.builtin.set_fact: - iib_local_folder: "/tmp/manifest-{{ iib }}" - -- name: Get cluster version - # E.g. 4.13.0-rc.6 or 4.12.16 - ansible.builtin.shell: | - oc get openshiftcontrollermanager/cluster -o yaml -o jsonpath='{.status.version}' - register: oc_version_raw - changed_when: false - -- name: Is OCP pre OCP 4.13? (aka registry supports v2 manifests) - ansible.builtin.set_fact: - use_internal_registry: "{{ oc_version_raw.stdout is version('4.13', '>=') }}" - -- name: Set up internal registry (OCP >= 4.13) - ansible.builtin.include_tasks: setup-internal-registry.yml - when: use_internal_registry - -- name: Set up external registry (OCP < 4.13) - ansible.builtin.include_tasks: setup-external-registry.yml - when: not use_internal_registry - -- name: Install new IIB in cluster - ansible.builtin.include_tasks: install-iib-in-cluster.yml - -- name: Mirror all related images - ansible.builtin.include_tasks: mirror-related-images.yml - -- name: Remove pullsecrets tempfolder - ansible.builtin.file: - path: "{{ pull_secrets_tempfolder.path }}" - state: absent diff --git a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml b/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml deleted file mode 100644 index 821e4be0..00000000 --- a/common/ansible/roles/iib_ci/tasks/mirror-related-images.yml +++ /dev/null 
@@ -1,226 +0,0 @@ -# This is needed because some operators like "advanced-cluster-management" -# install a second operator "multicluster-engine" -- name: Set operators list - ansible.builtin.set_fact: - operator_list: "{{ [operator] + (operator == 'advanced-cluster-management') | ternary(['multicluster-engine'], []) }}" - -- name: Set all images to empty list - ansible.builtin.set_fact: - all_images: [] - -- name: Fetch operator images tasks - ansible.builtin.include_tasks: fetch-operator-images.yml - loop: "{{ operator_list }}" - -- name: Print all_images - ansible.builtin.debug: - msg: "{{ all_images }}" - -# A mapping.txt file will have lines like the following. Note how the image to the right of '=' -# does have a shortened hash! : -# registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff...=registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8:8256cca6 -# registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf..=registry-proxy.engineering.redhat.com/rh-osbs/openshift4-ose-haproxy-router:a636cbea -# -# Now what we are doing here is the following: -# 1. For every image we get from the bundle (contained in all_images var) we check if it exists. If it does great, skip to the next image -# 2. If the image was not found above, we take the corresponding URL on the right hand side of the '=' sign in mapping.txt -# except that we drop the hash that exists on the right hand-side and just use the one we were given with the image. -# If the image is found, great. 
If not we need to error out because we have no idea where we can fetch it from -- name: Find out which images really exist by consulting mapping.txt - ansible.builtin.shell: | - set -o pipefail - left_sha=$(echo "{{ image }}" | sed -e 's/^.*@//') - right=$(grep "{{ image }}" "{{ iib_local_folder }}/mapping.txt" | cut -f2 -d=) - right_base=$(echo $right | sed -e 's/:.*$//' -e 's/@.*$//') - right_log=$(echo "${right_base}@${left_sha}" | sed -e 's/\//-/g') - if skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"{{ image }}" &> /tmp/skopeo-"{{ image | regex_replace('/', '-') }}".log; then - echo "{{ image }}" - elif skopeo inspect --authfile "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" --no-tags docker://"${right_base}@${left_sha}" &> "/tmp/skopeo-${right_log}.log"; then - echo "${right_base}@${left_sha}" - else - echo "ERROR: both {{ image }} and echo ${right_base}@${left_sha} could not be found" - exit 1 - fi - register: all_existing_images - with_items: "{{ all_images }}" - loop_control: - loop_var: image - -# The dictionary below will be in the following form: -# { -# "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-operator-bundle@sha256:e463314596098a4e774e0ddaed0009bfdad4d79b664e28fef219c796679ee6a0" -# }, -# "registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-argocd-rhel8@sha256:81e0574159c6aaabe7125d27782a5e6e5e72383a4a0ba76b44d465f3a3098759" -# }, -# "registry.redhat.io/openshift-gitops-1/dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5": { -# "source": 
"registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-dex-rhel8@sha256:6a3eaee6a4f8cb9a35363bf4c7f83a7fa2042ae62bdaa700ecd0893dd52276f5" -# }, -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8-operator@sha256:efbfb010f24894f715a50832a4b3d2cdc221f283cbbdca05e388850586e9d792" -# }, -# "registry.redhat.io/openshift-gitops-1/gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-gitops-rhel8@sha256:5ff915a399c1cc12d4f932652b410bf7399850934833e755267bdd409f4ce11b" -# }, -# "registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461": { -# "source": "registry-proxy.engineering.redhat.com/rh-osbs/openshift-gitops-1-kam-delivery-rhel8@sha256:10c5a1b6a0858a812117e6fb2b28d37617d9eb83da5e4fb647059ff740a14461" -# }, -# "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2": { -# "source": "registry.redhat.io/openshift4/ose-haproxy-router@sha256:edf7ce748b703e195220b7bd7b42fa2caa4cdfd96840445e096036a0d85f1ff2" -# }, -# "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40": { -# "source": "registry.redhat.io/rh-sso-7/sso75-openshift-rhel8@sha256:d5829e880db4b82a50a4962d61ea148522a93644174931b256d7ad866eadcf40" -# }, -# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { -# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3" -# } -# } -- name: Create dict with full image name+sha -> url where we will fetch it from - ansible.builtin.set_fact: - 
image_urls: "{{ image_urls | default({}) | combine({item: {'source': all_existing_images.results[counter].stdout, - 'source_nosha': all_existing_images.results[counter].stdout | regex_replace('@.*$', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - loop_control: - index_var: counter - -- name: Create dict with full image name+sha -> mirror destination (OCP >= 4.13) - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: - {'mirrordest': mirror_dest + item | basename, - 'mirrordest_nosha': (mirror_dest + item | basename) | regex_replace('@.*$', ''), - 'mirrordest_tag': iib}}, recursive=true) }}" - loop: "{{ all_images }}" - when: use_internal_registry - -- name: Create dict with full image name+sha -> mirror destination (OCP < 4.13) - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: - {'mirrordest': mirror_dest + '@' + item | basename | regex_replace('^.*@', ''), - 'mirrordest_nosha': mirror_dest, - 'mirrordest_tag': 'tag-' + item | basename | regex_replace('^.*@sha256:', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - when: not use_internal_registry - -- name: Create dict with full image name+sha -> image key without sha - ansible.builtin.set_fact: - image_urls: "{{ image_urls | default({}) | combine({item: {'image_nosha': item | regex_replace('@.*$', '')}}, recursive=true) }}" - loop: "{{ all_images }}" - -# At this point the dictionary looks as follows: -# "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3": { -# "mirrordest": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6@sha256:535... 
-# "mirrordest_nosha": "default-route-openshift-image-registry.apps.mcg-hub.blueprints.rhecoeng.com/openshift-marketplace/redis-6", -# "source": "registry.redhat.io/rhel8/redis-6@sha256:53598a6effeb90e4f1b005b2521beffd2fa2b0c52d0e7f2347ee2abd2577cab3", -# "source_nosha": "registry.redhat.io/rhel8/redis-6" -# } -- name: Print dict with full images - ansible.builtin.debug: - msg: "{{ image_urls }}" - -# OCP 4.13 uses the new fangled "ImageDigestMirrorSet", older OCPs use "ImageContentSourcePolicy" -- name: Template out imageMirror.yaml (OCP >= 4.13) - ansible.builtin.template: - src: ./templates/imageDigestMirror.yaml.j2 - dest: "{{ iib_local_folder }}/imageMirror.yaml" - mode: "0644" - when: use_internal_registry - -- name: Template out imageMirror.yaml (OCP < 4.13) - ansible.builtin.template: - src: ./templates/imageContentSourcePolicy.yaml.j2 - dest: "{{ iib_local_folder }}/imageMirror.yaml" - mode: "0644" - when: not use_internal_registry - -- name: Template out mirror.map - ansible.builtin.template: - src: ./templates/mirror.map.j2 - dest: "{{ iib_local_folder }}/mirror.map" - mode: "0644" - -# NOTE(bandini): mirror.map *must* have a tag (we use the IIB number) on the image on the right side -# otherwise, the image will be uplaoded and will exist in S3 but it won't exist in the registry's catalog!! 
-- name: Mirror all the needed images - ansible.builtin.shell: | - set -o pipefail - oc image mirror -a "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" -f mirror.map --insecure --keep-manifest-list 2>&1 | tee -a image-mirror.log - args: - chdir: "{{ iib_local_folder }}" - retries: 5 - delay: 2 - register: oc_mirror - until: oc_mirror is not failed - -- name: Fetch MCP observedGeneration worker - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.observedGeneration}' - register: worker_observed_generation_raw - -- name: Fetch MCP machineCount worker - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.machineCount}' - register: worker_machinecount_raw - -- name: Fetch MCP observedGeneration master - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.observedGeneration}' - register: master_observed_generation_raw - -- name: Fetch MCP machineCount master - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.machineCount}' - register: master_machinecount_raw - -- name: Will the imageMirror trigger any changes - ansible.builtin.command: - oc diff -f "{{ iib_local_folder }}/imageMirror.yaml" - failed_when: false - register: oc_mirror_diff - -# We only run this piece if there is an actual change in the mirror digest for images -# cannot use 'is failed' as that is always false when setting failed_when: false above -- name: Apply imageMirror and wait for MCP to complete - when: oc_mirror_diff.rc != 0 - block: - - name: Apply imageMirror - ansible.builtin.command: - oc apply -f "{{ iib_local_folder }}/imageMirror.yaml" - - # NOTE(bandini): The reason to not fail on these two observedGeneration waiting - # tasks, is to make this idempotent: If the 'oc apply' above does *not* trigger - # any changes, the observed generation tasks will just timeout. And then we still - # wait to make sure that the readyworker count is correct. 
- - name: Wait for MCP new observedGeneration worker - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.observedGeneration}' - register: worker_current_observed_generation_raw - retries: 10 - delay: 20 - until: worker_current_observed_generation_raw.stdout != worker_observed_generation_raw.stdout - failed_when: false - - - name: Wait for MCP new observedGeneration master - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.observedGeneration}' - register: master_current_observed_generation_raw - retries: 10 - delay: 20 - until: master_current_observed_generation_raw.stdout != master_observed_generation_raw.stdout - failed_when: false - - - name: Wait for MCP readyMachineCount to be the same as before applying the digest (worker) - ansible.builtin.shell: - oc get mcp/worker -o jsonpath='{.status.readyMachineCount}' - register: worker_current_ready_machinecount_raw - retries: 30 - delay: 10 - until: worker_current_ready_machinecount_raw.stdout == worker_machinecount_raw.stdout - - - name: Wait for MCP readyMachineCount to be the same as before applying the digest (master) - ansible.builtin.shell: - oc get mcp/master -o jsonpath='{.status.readyMachineCount}' - register: master_current_ready_machinecount_raw - retries: 30 - delay: 10 - until: master_current_ready_machinecount_raw.stdout == master_machinecount_raw.stdout diff --git a/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml deleted file mode 100644 index a9a9b10a..00000000 --- a/common/ansible/roles/iib_ci/tasks/setup-external-registry.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -- name: Check that we can push to the external registry - ansible.builtin.fail: - msg: "REGISTRY: '{{ external_registry }}' and REGISTRY_TOKEN: '{{ external_registry_token }}'. Both need to be set" - failed_when: > - (external_registry is not defined or external_registry | length == 0) or - (external_registry_token is not defined or external_registry_token | length == 0) - -- name: Get current cluster pull secrets - ansible.builtin.command: - oc extract secret/pull-secret -n openshift-config --to=- - register: pull_secrets_raw - -- name: Add external registry to pull secrets and set auth fact - ansible.builtin.set_fact: - pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" - external_registry_auth: "{{ external_registry_token | b64encode }}" - -- name: Add local registry to pull secrets - ansible.builtin.set_fact: - pull_secrets: "{{ pull_secrets_new | combine({'auths': {external_registry.split('/')[0]: {'email': external_registry_email, 'auth': external_registry_auth}}}, recursive=true) }}" - -- name: Get a tempfile for the pull secrets - ansible.builtin.tempfile: - state: directory - register: pull_secrets_tempfolder - -- name: Store pull secrets in tempfile - ansible.builtin.copy: - dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" - content: "{{ pull_secrets | to_nice_json }}" - mode: "0644" - -# We cannot store the logins back in the cluster, because quay.io would be overwritten and not have -# access to the images openshift needs. See: -# https://github.com/moby/moby/issues/37569 -# - name: Update pull-secret in the cluster -# ansible.builtin.shell: | -# oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" -- name: Set Mirror URL fact for external mirror IIB - ansible.builtin.set_fact: - mirror_iib: "{{ external_registry }}" - -- name: Set Mirror URL fact for external mirror - ansible.builtin.set_fact: - mirror_dest: "{{ external_registry }}" 
diff --git a/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml b/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml
deleted file mode 100644
index 82ee7ac4..00000000
--- a/common/ansible/roles/iib_ci/tasks/setup-internal-registry.yml
+++ /dev/null
@@ -1,108 +0,0 @@ -- name: Check KUBEADMINPASS is set - ansible.builtin.fail: - msg: "KUBEADMINPASS: '{{ kubeadminpass }}' is not set" - failed_when: kubeadminpass is not defined or kubeadminpass | length == 0 - -- name: Get kubeadmin api endpoint - ansible.builtin.command: - oc whoami --show-server=true - register: kubeadminapi_raw - -- name: Set kubeadminapi fact - ansible.builtin.set_fact: - kubeadminapi: "{{ kubeadminapi_raw.stdout }}" - -- name: Login via kubeadmin - ansible.builtin.command: | - oc login -u kubeadmin -p "{{ kubeadminpass }}" "{{ kubeadminapi }}" --insecure-skip-tls-verify=true - -- name: Get kubeadmin token - ansible.builtin.command: | - oc whoami -t - register: oc_whoami_raw - -- name: Set kubeadmin token - ansible.builtin.set_fact: - kubeadmin_token: "{{ oc_whoami_raw.stdout }}" - -- name: Expose internal registry route - ansible.builtin.shell: | - oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge - -- name: Fetch internal registry route value - ansible.builtin.command: - oc registry info --public=true - register: registry_route_raw - retries: 20 - delay: 10 - until: - - registry_route_raw is not failed - - registry_route_raw.stdout | length > 0 - -- name: Set route fact - ansible.builtin.set_fact: - registry_route: "{{ registry_route_raw.stdout }}" - -- name: Set registry allowedRegistries - ansible.builtin.shell: > - oc patch image.config.openshift.io/cluster --patch "{\"spec\":{\"registrySources\":{\"allowedRegistries\":[ \"registry.stage.redhat.io\", \"registry.access.redhat.com\", \"registry.connect.redhat.com\", \"ghcr.io\", \"gcr.io\", \"quay.io\", \"registry.redhat.io\", - \"registry-proxy.engineering.redhat.com\", \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge - -- name: Set registry insecureRegistries - ansible.builtin.shell: > - oc patch image.config.openshift.io/cluster --patch 
"{\"spec\":{\"registrySources\":{\"insecureRegistries\":[ \"registry-proxy.engineering.redhat.com\", - \"image-registry.openshift-image-registry.svc:5000\", \"{{ registry_route }}\"]}}}" --type=merge - -- name: Get current cluster pull secrets - ansible.builtin.command: - oc extract secret/pull-secret -n openshift-config --to=- - register: pull_secrets_raw - -- name: Add local registry to pull secrets and set auth fact - ansible.builtin.set_fact: - pull_secrets_new: "{{ pull_secrets_raw.stdout | from_json }}" - internal_registry_auth: "{{ ('kubeadmin:' + kubeadmin_token) | b64encode }}" - -- name: Add local registry to pull secrets - ansible.builtin.set_fact: - pull_secrets: "{{ pull_secrets_new | combine({'auths': {registry_route: {'email': internal_registry_email, 'auth': internal_registry_auth}}}, recursive=true) }}" - -- name: Get a tempfile for the pull secrets - ansible.builtin.tempfile: - state: directory - register: pull_secrets_tempfolder - -- name: Store pull secrets in tempfile - ansible.builtin.copy: - dest: "{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" - content: "{{ pull_secrets | to_nice_json }}" - mode: "0644" - -- name: Update pull-secret in the cluster - ansible.builtin.shell: | - oc set data secret/pull-secret -n openshift-config --from-file="{{ pull_secrets_tempfolder.path }}/.dockerconfigjson" - -- name: Before proceeding here we need to make sure that the MCPs have all settled - ansible.builtin.shell: | - if [ $(oc get mcp/master -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/master -o jsonpath='{.status.machineCount}') ]; then - exit 1 - fi - if [ $(oc get mcp/worker -o jsonpath='{.status.readyMachineCount}') != $(oc get mcp/worker -o jsonpath='{.status.machineCount}') ]; then - exit 1 - fi - retries: 30 - delay: 20 - register: mcp_ready - until: mcp_ready is not failed - -- name: Login the internal registry with podman - ansible.builtin.command: - podman login --tls-verify=false --username unused --password "{{ 
kubeadmin_token }}" "{{ registry_route }}" - -- name: Set Mirror URL fact for internal mirror IIB - ansible.builtin.set_fact: - mirror_iib: "{{ registry_route }}/{{ internal_registry_ns }}/iib" - -- name: Set Mirror URL fact for internal mirror - ansible.builtin.set_fact: - mirror_dest: "{{ registry_route }}/{{ internal_registry_ns }}/" diff --git a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 b/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 deleted file mode 100644 index 99087603..00000000 --- a/common/ansible/roles/iib_ci/templates/catalogSource.yaml.j2 +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: CatalogSource -metadata: - name: iib-{{ iib }} - namespace: {{ internal_registry_ns }} -spec: - image: {{ mirror_iib }}:{{ iib }} - sourceType: grpc - displayName: IIB {{ iib }} diff --git a/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml b/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml deleted file mode 100644 index 8fc41821..00000000 --- a/common/ansible/roles/iib_ci/templates/htpasswd-oauth.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: OAuth -metadata: - name: cluster -spec: - identityProviders: - - name: my_htpasswd_provider - mappingMethod: claim - type: HTPasswd - challenge: true - login: true - htpasswd: - fileData: - name: htpass-secret diff --git a/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 deleted file mode 100644 index d0f417ec..00000000 --- a/common/ansible/roles/iib_ci/templates/imageContentSourcePolicy.yaml.j2 +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -apiVersion: operator.openshift.io/v1alpha1 -kind: ImageContentSourcePolicy -metadata: - labels: - operators.openshift.org/catalog: "true" - name: iib-{{ iib }} -spec: - repositoryDigestMirrors: -{% for item in image_urls.values() %} - - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.source_nosha }} - mirrorSourcePolicy: NeverContactSource - - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.image_nosha }} - mirrorSourcePolicy: NeverContactSource -{% endfor %} diff --git a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 b/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 deleted file mode 100644 index d23ab9f2..00000000 --- a/common/ansible/roles/iib_ci/templates/imageDigestMirror.yaml.j2 +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: config.openshift.io/v1 -kind: ImageDigestMirrorSet -metadata: - labels: - operators.openshift.org/catalog: "true" - name: iib-{{ iib }} -spec: - imageDigestMirrors: -{% for item in image_urls.values() %} - - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.source_nosha }} - mirrorSourcePolicy: NeverContactSource - - mirrors: - - {{ item.mirrordest_nosha }} - source: {{ item.image_nosha }} - mirrorSourcePolicy: NeverContactSource -{% endfor %} diff --git a/common/ansible/roles/iib_ci/templates/mirror.map.j2 b/common/ansible/roles/iib_ci/templates/mirror.map.j2 deleted file mode 100644 index ecef721c..00000000 --- a/common/ansible/roles/iib_ci/templates/mirror.map.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{% for item in image_urls.values() %} -{{ item.source }}={{ item.mirrordest_nosha }}:{{ item.mirrordest_tag }} -{% endfor %} diff --git a/common/ansible/roles/iib_ci/vars/main.yml b/common/ansible/roles/iib_ci/vars/main.yml deleted file mode 100644 index 56894088..00000000 --- a/common/ansible/roles/iib_ci/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for iib_ci 
diff --git a/common/ansible/roles/vault_utils/README.md b/common/ansible/roles/vault_utils/README.md
deleted file mode 100644
index 55babb03..00000000
--- a/common/ansible/roles/vault_utils/README.md
+++ /dev/null
@@ -1,224 +0,0 @@ -# Role Name - -Bunch of utilities to manage the vault inside k8s imperatively - -## Requirements - -ansible-galaxy collection install kubernetes.core (formerly known as community.kubernetes) - -## Role Variables - -Defaults as to where the values-secret.yaml file is and the two ways to connect to a kubernetes cluster -(KUBERCONFIG and ~/.kube/config respectively): - -```yaml -values_secret: "{{ lookup('env', 'HOME') }}/values-secret.yaml" -kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}" -kubeconfig_backup: "{{ lookup('env', 'HOME') }}/.kube/config" -``` - -Default values for vault configuration: - -```yaml -vault_ns: "vault" -vault_pod: "vault-0" -vault_hub: "hub" -vault_hub_kubernetes_host: https://$KUBERNETES_PORT_443_TCP_ADDR:443 -# Needs extra escaping due to how it gets injected via shell in the vault -vault_hub_capabilities: '[\\\"read\\\"]' -vault_base_path: "secret" -vault_path: "{{ vault_base_path }}/{{ vault_hub }}" -vault_hub_ttl: "15m" -vault_pki_max_lease_ttl: "8760h" -external_secrets_ns: golang-external-secrets -external_secrets_sa: golang-external-secrets -unseal_secret: "vaultkeys" -unseal_namespace: "imperative" -``` - -## Dependencies - -This relies on [kubernetes.core](https://docs.ansible.com/ansible/latest/collections/kubernetes/core/k8s_module.html) - -## Values secret file format - -Currently this role supports two formats: version 1.0 (which is the assumed default when not specified) and version 2.0. -The latter is more fatureful and supports generating secrets directly into the vault and also prompting the user for a secret. -By default, the first file that will looked up is `~/.config/hybrid-cloud-patterns/values-secret-.yaml`, then -`~/values-secret-.yaml` and should that not exist it will look for `~/values-secret.yaml`. -The paths can be overridden by setting the environment variable `VALUES_SECRET` to the path of the -secret file. - -The values secret yaml files can be encrypted with `ansible-vault`. 
If the role detects they are encrypted, the password to -decrypt them will be prompted when needed. - -### Version 1.0 - -Here is a well-commented example of a version 1.0 file: - -```yaml ---- -# By default when a top-level 'version: 1.0' is missing it is assumed to be '1.0' -# NEVER COMMIT THESE VALUES TO GIT - -secrets: - # These secrets will be pushed in the vault at secret/hub/test The vault will - # have secret/hub/test with secret1 and secret2 as keys with their associated - # values (secrets) - test: - secret1: foo - secret2: bar - - # This ends up as the s3Secret attribute to the path secret/hub/aws - aws: - s3Secret: test-secret - -# This will create the vault key secret/hub/testfoo which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files: - testfoo: ~/ca.crt -# These secrets will be pushed in the vault at secret/region1/test The vault will -# have secret/region1/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets.region1: - test: - secret1: foo1 - secret2: bar1 -# This will create the vault key secret/region2/testbar which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files.region2: - testbar: ~/ca.crt -``` - -### Version 2.0 - -Here is a version 2.0 example file (specifying `version: 2.0` is mandatory in this case): - -```yaml -# NEVER COMMIT THESE VALUES TO GIT (unless your file only uses generated -# passwords or only points to files) - -# Needed to specify the new format (missing version means old version: 1.0 by default) -version: 2.0 - -backingStore: vault # 'vault' is the default when omitted - -# These are the vault policies to be created in the vault -# these are used when we let the vault generate the passwords -# by setting the 'onMissingValue' attribute to 'generate' -# See 
https://developer.hashicorp.com/vault/docs/concepts/password-policies -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#$%^&*" min-chars = 1 } - -# This is the mandatory top-level secrets entry -secrets: - # This will create the following keys + attributes: - # - secret/region-one/config-demo: - # secret: ...... - # secretprompt: ...... - # secretprompt2: ...... - # secretfile: ...... - # ca_crt_b64: ...... - # - secret/snowflake.blueprints.rhecoeng.com: - # secret: ...... - # secretprompt: ...... - # secretprompt2: ...... - # secretfile: ...... - # ca_crt_b64: ...... - - name: config-demo - # This is the default and passes the -mount=secret option to the vault commands - vaultMount: secret - # These represent the paths inside the vault maint - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate # One of: error,generate,prompt (generate is only valid for normal secrets) - # This override attribute is false by default. The attribute is only valid with 'generate'. 
If the secret already exists in the - # vault it won't be changed unless override is set to true - override: true - vaultPolicy: basicPolicy - - name: secretprompt - value: null - onMissingValue: prompt # when prompting for something you need to set either value: null or path: null as - # we need to know if it is a secret plaintext or a file path - description: "Please specify the password for application ABC" - - name: secretprompt2 - value: defaultvalue - onMissingValue: prompt - description: "Please specify the API key for XYZ" - - name: secretprompt3 - onMissingValue: generate - vaultPolicy: validatedPatternDefaultPolicy # This is an always-existing hard-coded policy - - name: secretfile - path: /tmp/ca.crt - onMissingValue: prompt - description: "Insert path to Certificate Authority" - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error # One of error, prompt (for path). generate makes no sense for file - - name: ca_crt_b64 - path: /tmp/ca.crt - base64: true # defaults to false - onMissingValue: prompt # One of error, prompt (for path). generate makes no sense for file - - - name: config-demo2 - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: ca_crt2 - path: /tmp/ca.crt # this will be the default shown when prompted - description: "Specify the path for ca_crt2" - onMissingValue: prompt # One of error, prompt (for path). generate makes no sense for file - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error # One of error, prompt (for path). 
generate makes no sense for file - - # The following will read the ini-file at ~/.aws/credentials and place the ini_key "[default]/aws_access_key_id" - # in the aws_access_key_id_test vault attribute in the secret/hub/awsexample path - - name: awsexample - fields: - - name: aws_access_key_id_test - ini_file: ~/.aws/credentials - ini_section: default - ini_key: aws_access_key_id - - name: aws_secret_access_key_test - ini_file: ~/.aws/credentials - ini_key: aws_secret_access_key -``` - -Internals ---------- - -Here is the rough high-level algorithm used to unseal the vault: - -1. Check vault status. If vault is not initialized go to 2. If initialized go to 3. -2. Initialize vault and store unseal keys + login token inside a secret in k8s -3. Check vault status. If vault is unsealed go to 5. else to to 4. -4. Unseal the vault using the secrets read from the k8s secret -5. Configure the vault (should be idempotent) - -## License - -Apache - -## Author Information - -Michele Baldessari diff --git a/common/ansible/roles/vault_utils/defaults/main.yml b/common/ansible/roles/vault_utils/defaults/main.yml deleted file mode 100644 index 4d263223..00000000 --- a/common/ansible/roles/vault_utils/defaults/main.yml +++ /dev/null 
@@ -1,24 +0,0 @@
----
-# defaults file for vault_utils
-values_secret: "{{ lookup('env', 'HOME') }}/values-secret.yaml"
-kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
-kubeconfig_backup: "{{ lookup('env', 'HOME') }}/.kube/config"
-vault_ns: "vault"
-vault_pod: "vault-0"
-vault_hub: "hub"
-vault_pvc: "data-vault-0"
-vault_hub_kubernetes_host: https://$KUBERNETES_PORT_443_TCP_ADDR:443
-# Needs extra escaping due to how it gets injected via shell in the vault
-vault_hub_capabilities: '[\\\"read\\\"]'
-vault_base_path: "secret"
-vault_path: "{{ vault_base_path }}/{{ vault_hub }}"
-vault_hub_ttl: "15m"
-vault_spoke_capabilities: '[\\\"read\\\"]'
-vault_spoke_ttl: "15m"
-vault_global_policy: global
-vault_global_capabilities: '[\\\"read\\\"]'
-external_secrets_ns: golang-external-secrets
-external_secrets_sa: golang-external-secrets
-external_secrets_secret: golang-external-secrets
-unseal_secret: "vaultkeys"
-unseal_namespace: "imperative"
diff --git a/common/ansible/roles/vault_utils/handlers/main.yml b/common/ansible/roles/vault_utils/handlers/main.yml
deleted file mode 100644
index a983544d..00000000
--- a/common/ansible/roles/vault_utils/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for vault_utils
diff --git a/common/ansible/roles/vault_utils/meta/main.yml b/common/ansible/roles/vault_utils/meta/main.yml
deleted file mode 100644
index c99eb3a9..00000000
--- a/common/ansible/roles/vault_utils/meta/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@ -galaxy_info: - author: Validated Patterns Team https://github.com/hybrid-cloud-patterns/ - description: Utilities to manage vault in kubernetes (init, unseal, etc) - - issue_tracker_url: https://github.com/hybrid-cloud-patterns/common/issues - license: Apache-2.0 - min_ansible_version: "2.1" - - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - platforms: - - name: Fedora - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - - name: EL - versions: - - "8" - - "9" - - galaxy_tags: [] - -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/common/ansible/roles/vault_utils/tasks/main.yml b/common/ansible/roles/vault_utils/tasks/main.yml deleted file mode 100644 index 1072e6b7..00000000 --- a/common/ansible/roles/vault_utils/tasks/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: Run vault init tasks - ansible.builtin.import_tasks: vault_init.yaml - tags: vault_init - -- name: Unseal vault - ansible.builtin.import_tasks: vault_unseal.yaml - tags: vault_unseal - -- name: Vault secrets init - ansible.builtin.import_tasks: vault_secrets_init.yaml - tags: vault_secrets_init - -- name: Vault spoke backend init - ansible.builtin.import_tasks: vault_spokes_init.yaml - tags: vault_spokes_init - -- name: Load secrets - ansible.builtin.import_tasks: push_secrets.yaml - tags: push_secrets diff --git a/common/ansible/roles/vault_utils/tasks/pre_check.yaml b/common/ansible/roles/vault_utils/tasks/pre_check.yaml deleted file mode 100644 index 1dc5f445..00000000 --- a/common/ansible/roles/vault_utils/tasks/pre_check.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -- name: Check if the kubernetes python module is usable from ansible - ansible.builtin.command: "{{ ansible_python_interpreter }} -c 'import kubernetes'" - changed_when: false - -- name: Check if KUBECONFIG is correctly set - ansible.builtin.debug: - msg: "KUBECONFIG is not set, falling back to ~/.kube/config" - when: kubeconfig is not defined or kubeconfig | length == 0 - -- name: Check if ~/.kube/config exists - ansible.builtin.stat: - path: "{{ kubeconfig_backup }}" - register: kubeconfig_result - -- name: Check if we're running inside an OCP cluster directly - ansible.builtin.set_fact: - running_in_ocp: "{{ lookup('env', 'KUBERNETES_SERVICE_HOST') | length > 0 | bool }}" - -- name: Fail if both KUBECONFIG and ~/.kube/config do not exist but only when not running in a cluster - ansible.builtin.fail: - msg: "{{ kubeconfig_backup }} not found and KUBECONFIG unset. Bailing out." - failed_when: - - not running_in_ocp - - not kubeconfig_result.stat.exists - - kubeconfig is not defined or kubeconfig | length == 0 diff --git a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml b/common/ansible/roles/vault_utils/tasks/push_secrets.yaml deleted file mode 100644 index a820f40a..00000000 --- a/common/ansible/roles/vault_utils/tasks/push_secrets.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ ---- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml -- name: Vault status check - ansible.builtin.include_tasks: vault_status.yaml - -# Unfortunately we cannot loop vault_status and just check if the vault is unsealed -# https://github.com/ansible/proposals/issues/136 -# So here we keep running the 'vault status' command until sealed is set to false -- name: If the vault is still sealed we need to retry - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault status -format=json - register: vault_status_json - until: "'stdout' in vault_status_json and (not (vault_status_json.stdout | from_json)['sealed'] | bool)" - retries: 20 - delay: 45 - failed_when: "'stdout_lines' not in vault_status_json" - -# This step is not really needed when running make vault-init + load-secrets as -# everything is sequential -# It is needed when the vault is unsealed/configured inside the cluster and load-secrets -# gets run *while* the cronjob configures the vault. I.e. it might be half configured and return -# errors -- name: Make sure that the vault auth policy exists - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: - sh -c "vault list auth/{{ vault_hub }}/role | grep '{{ vault_hub }}-role'" - register: vault_role_cmd - until: vault_role_cmd.rc == 0 - retries: 20 - delay: 45 - changed_when: false - -# Once V1 support is dropped we can remove the whole secret_template support -- name: Set secret_template fact - no_log: true - ansible.builtin.set_fact: - secret_template: "{{ pattern_dir }}/values-secret.yaml.template" - -- name: Is a VALUES_SECRET env variable set? 
- ansible.builtin.set_fact: - custom_env_values_secret: "{{ lookup('ansible.builtin.env', 'VALUES_SECRET') }}" - -- name: Check if VALUES_SECRET file exists - ansible.builtin.stat: - path: "{{ custom_env_values_secret }}" - register: custom_file_values_secret - when: custom_env_values_secret | default('') | length > 0 - -- name: Set values-secret yaml file to {{ custom_file_values_secret.stat.path }} - ansible.builtin.set_fact: - found_file: "{{ custom_file_values_secret.stat.path }}" - when: - - custom_env_values_secret | default('') | length > 0 - - custom_file_values_secret.stat.exists - -# FIXME(bandini): Eventually around end of 2023(?) we should drop -# ~/values-secret-{{ pattern_name }}.yaml and ~/values-secret.yaml -- name: Find first existing values-secret yaml file - ansible.builtin.set_fact: - found_file: "{{ lookup('ansible.builtin.first_found', findme) }}" - vars: - findme: - - "~/.config/hybrid-cloud-patterns/values-secret-{{ pattern_name }}.yaml" - - "~/values-secret-{{ pattern_name }}.yaml" - - "~/values-secret.yaml" - - "{{ pattern_dir }}/values-secret.yaml.template" - when: custom_env_values_secret | default('') | length == 0 - -- name: Is found values secret file encrypted - no_log: true - ansible.builtin.shell: | - set -o pipefail - head -1 "{{ found_file }}" | grep -q \$ANSIBLE_VAULT - changed_when: false - register: encrypted - failed_when: (encrypted.rc not in [0, 1]) - -# When HOME is set we replace it with '~' in this debug message -# because when run from inside the container the HOME is /pattern-home -# which is confusing for users -- name: Is found values secret file encrypted - ansible.builtin.debug: - msg: "Using {{ (lookup('env', 'HOME') | length > 0) | ternary(found_file | regex_replace('^' + lookup('env', 'HOME'), '~'), found_file) }} to parse secrets" - -- name: Set encryption bool fact - no_log: true - ansible.builtin.set_fact: - is_encrypted: "{{ encrypted.rc == 0 | bool }}" - -- name: Get password for "{{ found_file }}" - 
ansible.builtin.pause: - prompt: "Input the password for {{ found_file }}" - echo: false - when: is_encrypted - register: vault_pass - -- name: Get decrypted content if {{ found_file }} was encrypted - no_log: true - ansible.builtin.shell: - ansible-vault view --vault-password-file <(cat <<<"{{ vault_pass.user_input }}") "{{ found_file }}" - register: values_secret_plaintext - when: is_encrypted - changed_when: false - -- name: Loads secrets file into the vault of a cluster - no_log: false - vault_load_secrets: - values_secrets: "{{ found_file }}" - check_missing_secrets: false - values_secret_template: "{{ secret_template }}" - when: not is_encrypted - -- name: Loads secrets file into the vault of a cluster - no_log: false - vault_load_secrets: - values_secrets_plaintext: "{{ values_secret_plaintext.stdout }}" - check_missing_secrets: false - values_secret_template: "{{ secret_template }}" - when: is_encrypted diff --git a/common/ansible/roles/vault_utils/tasks/vault_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_init.yaml deleted file mode 100644 index 16ce73df..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_init.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml -- name: Vault status check - ansible.builtin.include_tasks: vault_status.yaml - -# If the vault is already initialized we skip all the tasks below -- name: Is the vault initialized? - ansible.builtin.set_fact: - vault_initialized: "{{ vault_status['initialized'] | bool }}" - -# We need to retry here because the vault service might be starting -# and can return a 500 internal server until its state is fully ready -- name: Init vault operator - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault operator init -format=json - register: vault_init_json_out - until: vault_init_json_out is not failed - retries: 10 - delay: 15 - when: not vault_initialized - -- name: Set vault init output json fact - no_log: true - ansible.builtin.set_fact: - vault_init_json: "{{ vault_init_json_out.stdout | from_json }}" - when: not vault_initialized - -# We store the the operator unseal keys and root token to a secret inside -# the cluster when the vault was not already initialized *and* when -# unseal_from_cluster is set to true -- name: Save vault operator output (into a secret inside the cluster) - no_log: true - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: Opaque - metadata: - name: "{{ unseal_secret }}" - namespace: "{{ unseal_namespace }}" - data: - vault_data_json: "{{ vault_init_json | to_nice_json | b64encode }}" - when: - - not vault_initialized diff --git a/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml deleted file mode 100644 index 7e0741aa..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_secrets_init.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - -- name: Is secrets backend already enabled - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "vault secrets list | grep -e '^{{ vault_base_path }}'" - register: secrets_enabled - failed_when: false - -- name: Create secrets backend kv-v2 - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault secrets enable -path="{{ vault_base_path }}" kv-v2 - when: secrets_enabled.rc != 0 - -- name: Is kubernetes backend already enabled - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "vault auth list | grep -e '^{{ vault_hub }}'" - register: kubernetes_enabled - failed_when: false - -- name: Enable kubernetes backend on hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault auth enable -path={{ vault_hub }} kubernetes" - when: kubernetes_enabled.rc != 0 - -- name: Get token from service account secret {{ external_secrets_ns }}/{{ external_secrets_secret }} - no_log: true - kubernetes.core.k8s_info: - kind: Secret - namespace: "{{ external_secrets_ns }}" - name: "{{ external_secrets_secret }}" - api_version: v1 - register: token_data - failed_when: token_data.resources | length == 0 - -- name: Set sa_token fact - no_log: true - ansible.builtin.set_fact: - sa_token: "{{ token_data.resources[0].data.token | b64decode }}" - -- name: Configure hub kubernetes backend - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "vault write auth/{{ vault_hub }}/config token_reviewer_jwt={{ sa_token }} - kubernetes_host={{ vault_hub_kubernetes_host }} - kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - issuer=https://kubernetes.default.svc" - -# This creates a {{ vault_global_policy }} policy that 
is applied to both hubs and spokes -- name: Configure VP global policy template - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ vault_global_policy }}/*\\\" { - capabilities = {{ vault_global_capabilities }} }\" > /tmp/policy-{{ vault_global_policy }}.hcl" - -- name: Configure VP global policy - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault policy write {{ vault_global_policy }}-secret /tmp/policy-{{ vault_global_policy }}.hcl" - -- name: Configure policy template for hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ vault_hub }}/*\\\" { - capabilities = {{ vault_hub_capabilities }} }\" > /tmp/policy-{{ vault_hub }}.hcl" - -- name: Configure policy for hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault policy write {{ vault_hub }}-secret /tmp/policy-{{ vault_hub }}.hcl" - -- name: Configure kubernetes role for hub - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - vault write auth/"{{ vault_hub }}"/role/"{{ vault_hub }}"-role - bound_service_account_names="{{ external_secrets_sa }}" - bound_service_account_namespaces="{{ external_secrets_ns }}" - policies="default,{{ vault_global_policy }}-secret,{{ vault_hub }}-secret" ttl="{{ vault_hub_ttl }}" diff --git a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml b/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml deleted file mode 100644 index af1a02fd..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_spokes_init.yaml +++ /dev/null 
@@ -1,193 +0,0 @@ ---- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml - -- name: Find managed clusters - kubernetes.core.k8s_info: - kind: ManagedCluster - api_version: "cluster.open-cluster-management.io/v1" - register: managed_clusters - -- name: Set resource fact - ansible.builtin.set_fact: - resources: "{{ managed_clusters['resources'] }}" - -- name: Do nothing when no managed clusters are found - ansible.builtin.meta: end_play - when: resources | length == 0 or managed_clusters.failed or not managed_clusters.api_found - -- name: Loop over returned ACM managedclusters - ansible.builtin.set_fact: - clusters: "{{ clusters | default({}) | combine({item.metadata.name: {'caBundle': item.spec.managedClusterClientConfigs[0].caBundle | b64decode}}) }}" - loop: "{{ resources }}" - when: item.spec.managedClusterClientConfigs[0].caBundle is defined - loop_control: - label: "{{ item.metadata.name }}" - -- name: Extract ClusterGroup - ansible.builtin.set_fact: - clusters: "{{ clusters | default({}) | combine({item.metadata.name: {'clusterGroup': item.metadata.labels.clusterGroup}}, recursive=True) }}" - when: "'clusterGroup' in item.metadata.labels" - loop: "{{ resources }}" - loop_control: - label: "{{ item.metadata.name }}" - -- name: Fetch all ACM secrets - kubernetes.core.k8s_info: - kind: Secret - label_selectors: - - "apps.open-cluster-management.io/secret-type=acm-cluster" - register: acm_secrets - -- name: Set cleaned_acm_secrets fect - ansible.builtin.set_fact: - cleaned_acm_secrets: "{{ acm_secrets.resources | parse_acm_secrets }}" - -- name: Merge the two dicts together - ansible.builtin.set_fact: - clusters_info: "{{ clusters | default({}) | combine(cleaned_acm_secrets, recursive=True) }}" - -- name: Write out CAs - ansible.builtin.copy: - content: "{{ item.value['caBundle'] }}" - dest: "/tmp/{{ item.key }}.ca" - mode: "0640" - loop: "{{ clusters_info | dict2items }}" - when: item.value['caBundle'] is defined - loop_control: - label: 
"{{ item.key }}" - -# FIXME(bandini): validate_certs is false due to an ACM bug when using -# letsencrypt certificates with API endpoints: https://issues.redhat.com/browse/ACM-4398 -# We always verify the CA chain except when letsencrypt.api_endpoint is set to true -- name: If we are using letsencrypt on the API endpoints we cannot use the validate_certs later - ansible.builtin.set_fact: - validate_certs_api_endpoint: "{{ not letsencrypt.api_endpoint | default(True) | bool }}" - -- name: Fetch remote ansible to remote cluster - kubernetes.core.k8s_info: - api_key: "{{ item.value['bearerToken'] }}" - ca_cert: /tmp/{{ item.key }}.ca - host: "{{ item.value['server_api'] }}" - kind: Secret - namespace: "{{ external_secrets_ns }}" - name: "{{ external_secrets_secret }}" - api_version: v1 - validate_certs: "{{ validate_certs_api_endpoint }}" - register: remote_external_secrets_sa - when: - - clusters_info[item.key]['bearerToken'] is defined - - clusters_info[item.key]['server_api'] is defined - - clusters_info[item.key]['caBundle'] is defined - loop: "{{ clusters_info | dict2items }}" - loop_control: - label: "{{ item.key }}" - -# 'token' will be empty if the remote cluster has no golang-external-secret -# app configured and running -- name: Loop over returned ESO tokens - ansible.builtin.set_fact: - clusters_info: "{{ clusters_info | default({}) | combine({item['item']['key']: {'esoToken': item['resources'][0]['data']['token'] | b64decode}}, recursive=True) }}" - loop: "{{ remote_external_secrets_sa.results }}" - when: item['resources'][0]['data']['token'] is defined - loop_control: - label: "{{ item['item']['key'] }}" - -# At this point clusters_info contains a per cluster hash table with *all* the right attributes. 
For example: -# "mcg-one": { -# "bearerToken": "ey...", -# "caBundle": "-----BEGIN CERTIFICATE-----\nMIIDMjCCA", -# "clusterGroup": "group-one", -# "cluster_fqdn": "mcg-one.blueprints.rhecoeng.com", -# "vault_path": "hub" (when the hub) and the cluster_fqdn when not hub, -# "esoToken": (optional) only if there was an external golang-external-secrets namespace+service account -# "name": "mcg-one", -# "server_api": "https://api.mcg-one.blueprints.rhecoeng.com:6443", -# "tlsClientConfig": { -# "insecure": true -# } -# } -- name: Dump CABundles into the vault - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "echo '{{ item.value['caBundle'] }}' > /tmp/{{ item.value['vault_path'] }}.ca" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Is kubernetes backend already enabled - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "if vault auth list | grep -e ^'{{ item.value['vault_path'] }}'; then - echo done; else - vault auth enable -path='{{ item.value['vault_path'] }}' kubernetes; fi" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure kubernetes backend - no_log: true - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: bash -e -c "vault write auth/{{ item.value['vault_path'] }}/config - token_reviewer_jwt=\"{{ item.value['esoToken'] }}\" - kubernetes_host=\"{{ item.value['server_api'] }}\" - kubernetes_ca_cert=@/tmp/{{ item.value['vault_path'] }}.ca" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure policy template - 
kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - bash -e -c "echo \"path \\\"secret/data/{{ item.value['vault_path'] }}/*\\\" { - capabilities = {{ vault_spoke_capabilities }} }\" > /tmp/policy-{{ item.value['vault_path'] }}.hcl" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure policy for spokes - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: "vault policy write {{ item.value['vault_path'] }}-secret /tmp/policy-{{ item.value['vault_path'] }}.hcl" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" - -- name: Configure kubernetes role for spokes - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: > - vault write auth/"{{ item.value['vault_path'] }}"/role/"{{ item.value['vault_path'] }}"-role - bound_service_account_names="{{ external_secrets_ns }}" - bound_service_account_namespaces="{{ external_secrets_sa }}" - policies="default,{{ vault_global_policy }}-secret,{{ item.value['vault_path'] }}-secret" ttl="{{ vault_spoke_ttl }}" - loop: "{{ clusters_info | dict2items }}" - when: - - item.value['esoToken'] is defined - - item.key != "local-cluster" - loop_control: - label: "{{ item.key }}" diff --git a/common/ansible/roles/vault_utils/tasks/vault_status.yaml b/common/ansible/roles/vault_utils/tasks/vault_status.yaml deleted file mode 100644 index 9dc3e426..00000000 --- a/common/ansible/roles/vault_utils/tasks/vault_status.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -# Registers a variable valled vault_status containing the vault's status json dict -- name: Check for vault namespace - kubernetes.core.k8s_info: - kind: Namespace - name: "{{ vault_ns }}" - register: vault_ns_rc - until: vault_ns_rc.resources | length > 0 - retries: 20 - delay: 45 - -- name: Check if the vault pod is present - kubernetes.core.k8s_info: - kind: Pod - namespace: "{{ vault_ns }}" - name: "{{ vault_pod }}" - register: vault_pod_rc - until: vault_pod_rc.resources | length > 0 - retries: 20 - delay: 45 - -# This needs retrying because during startup we can just get -# Failed to execute on pod vault-0 due to : (0)\nReason: Handshake status 500 Internal Server Error -# In the above case there is no 'rc' in vault_status. So first we wait for 'rc' to show up and ignore -# any errors, and then we bail out if rc is 2 as it means the vault is already initialized -- name: Check for the vault status - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault status -format=json - register: vault_status_json - until: "'rc' in vault_status_json" - retries: 20 - delay: 45 - failed_when: "'stdout_lines' not in vault_status_json" - -- name: Set vault status output json fact - ansible.builtin.set_fact: - vault_status: "{{ vault_status_json.stdout | from_json }}" - when: vault_status_json.stdout_lines | length > 0 - -- name: List Vault pods - kubernetes.core.k8s_info: - namespace: "{{ vault_ns }}" - kind: Pod - label_selectors: - - "component = server" - register: vault_pods_list - -- name: "Get pods" - ansible.builtin.set_fact: - vault_pods: "{{ vault_pods + [item.metadata.name] }}" - loop: "{{ vault_pods_list.resources }}" - loop_control: - label: "{{ item.metadata.name }}" - vars: - vault_pods: [] - -- name: "Followers" - ansible.builtin.set_fact: - followers: "{{ vault_pods | difference(vault_pod) }}" 
diff --git a/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml b/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml
deleted file mode 100644
index 862f19d8..00000000
--- a/common/ansible/roles/vault_utils/tasks/vault_unseal.yaml
+++ /dev/null
@@ -1,90 +0,0 @@ ---- -- name: Vault pre checks - ansible.builtin.include_tasks: pre_check.yaml -- name: Vault status check - ansible.builtin.include_tasks: vault_status.yaml - -# If the vault is already unsealed we skip all the tasks below -- name: Is the vault sealed? - ansible.builtin.set_fact: - vault_sealed: "{{ vault_status['sealed'] | bool }}" - -# We reparse the json vault init secret in case unseal was called without operator init before -- name: Parse vaultkeys - kubernetes.core.k8s_info: - kind: Secret - namespace: "{{ unseal_namespace }}" - name: "{{ unseal_secret }}" - api_version: v1 - register: vault_init_data - when: vault_sealed - -- name: Does the vaultkeys secret exist? - ansible.builtin.set_fact: - vaultkeys_exists: "{{ vault_init_data.resources | length > 0 }}" - when: vault_sealed - -- name: Vaultkeys does not exist and the vault is sealed, so exit - ansible.builtin.meta: end_play - when: - - vault_sealed - - not vaultkeys_exists - -- name: Set vault init json - ansible.builtin.set_fact: - vault_init_json: "{{ vault_init_data.resources[0].data.vault_data_json | b64decode | from_json }}" - when: vault_sealed - -- name: Set root token and unseal_keys - ansible.builtin.set_fact: - root_token: "{{ vault_init_json['root_token'] }}" - unseal_keys: "{{ vault_init_json['unseal_keys_hex'] }}" - when: vault_sealed - -- name: Unseal leader - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault operator unseal "{{ item }}" - loop: "{{ unseal_keys }}" - loop_control: - extended: true - label: "Unsealing with key {{ ansible_loop.index }}" - when: vault_sealed - -- name: Join Raft cluster - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ item }}" - command: vault operator raft join http://{{ vault_pod }}.{{ vault_ns }}-internal:8200 - register: join_raft_cluster_out - until: join_raft_cluster_out is not failed - retries: 10 - delay: 15 - loop: "{{ followers }}" - loop_control: - extended: true - 
label: "Joining Raft Cluster on http://{{ vault_pod }}.{{ vault_ns }}-internal:8200" - when: - - vault_sealed - - followers | length > 0 - -- name: Unseal followers - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ item.0 }}" - command: vault operator unseal "{{ item.1 }}" - loop: "{{ followers | product(unseal_keys) | list }}" - loop_control: - extended: true - label: "Unsealing {{ item.0 }} with key {{ ansible_loop.index }}" - when: - - vault_sealed - - followers | length > 0 - -- name: Login into vault - kubernetes.core.k8s_exec: - namespace: "{{ vault_ns }}" - pod: "{{ vault_pod }}" - command: vault login "{{ root_token }}" - when: vault_sealed diff --git a/common/ansible/roles/vault_utils/tests/inventory b/common/ansible/roles/vault_utils/tests/inventory deleted file mode 100644 index 878877b0..00000000 --- a/common/ansible/roles/vault_utils/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/common/ansible/roles/vault_utils/tests/test.yml b/common/ansible/roles/vault_utils/tests/test.yml deleted file mode 100644 index b4da5c68..00000000 --- a/common/ansible/roles/vault_utils/tests/test.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Test Play - hosts: localhost - remote_user: root - roles: - - vault_utils diff --git a/common/ansible/roles/vault_utils/values-secrets.v1.schema.json b/common/ansible/roles/vault_utils/values-secrets.v1.schema.json deleted file mode 100644 index 3cb8c530..00000000 --- a/common/ansible/roles/vault_utils/values-secrets.v1.schema.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-06/schema#", - "$ref": "#/definitions/valuesSecretsV1", - "meta:license": [ - "Copyright 2022 Red Hat, Inc. All rights reserved.", - "This file is licensed to you under the Apache License, Version 2.0 (the 'License');", - "you may not use this file except in compliance with the License. You may obtain a copy", - "of the License at http://www.apache.org/licenses/LICENSE-2.0" - ], - "title": "Hybrid Cloud Patterns - values-secret.yaml files schema V1", - "description": "This schema defines the values-secret.yaml file as used by [Validated Patterns](https://hybrid-cloud-patterns.io)", - "type": "object", - "examples": [], - "definitions": { - "valuesSecretsV1": { - "title": "Values Secrets V1 Format", - "type": "object", - "additionalProperties": true, - "properties": { - "version": { - "type": [ "string", "null" ], - "description": "Version of the secret specification", - "default": "1.0" - } - }, - "patternProperties": { - "secrets[a-z0-9.]*$": { - "type": "object", - "additionalProperties": true - }, - "files[a-z0-9.]*$": { - "type": "object", - "additionalProperties": true - } - } - } - } -} diff --git a/common/ansible/roles/vault_utils/values-secrets.v2.schema.json b/common/ansible/roles/vault_utils/values-secrets.v2.schema.json deleted file mode 100644 index c9723d6f..00000000 --- a/common/ansible/roles/vault_utils/values-secrets.v2.schema.json +++ /dev/null 
@@ -1,305 +0,0 @@
-{
- "$schema": "http://json-schema.org/draft-07/schema#",
- "$ref": "#/definitions/valuesSecretsV2",
- "meta:license": [
- "Copyright 2022 Red Hat, Inc. All rights reserved.",
- "This file is licensed to you under the Apache License, Version 2.0 (the 'License');",
- "you may not use this file except in compliance with the License. You may obtain a copy",
- "of the License at http://www.apache.org/licenses/LICENSE-2.0"
- ],
- "title": "Hybrid Cloud Patterns - values-secret.yaml files schema V2",
- "description": "This schema defines the values-secret.yaml file as used by [Validated Patterns](https://hybrid-cloud-patterns.io)",
- "type": "object",
- "examples": [
- {
- "version": "2.0",
- "backingStore": "vault",
- "vaultPolicies": {
- "basicPolicy": "length=10\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\n",
- "advancedPolicy": "length=20\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\nrule \"charset\" { charset = \"!@#$%^&*\" min-chars = 1 }\n"
- },
- "secrets": [
- {
- "name": "config-demo",
- "vaultMount": "secret",
- "vaultPrefixes": [
- "region-one",
- "snowflake.blueprints.rhecoeng.com"
- ],
- "fields": [
- {
- "name": "secret",
- "onMissingValue": "generate",
- "override": true,
- "vaultPolicy": "basicPolicy"
- },
- {
- "name": "secretprompt",
- "value": null,
- "onMissingValue": "prompt",
- "prompt": "Please specify the password for application ABC"
- },
- {
- "name": "secretprompt2",
- "value": "defaultvalue",
- "onMissingValue": "prompt",
- "prompt": "Please specify the API key for XYZ"
- },
- {
- "name": "secretfile",
- "path": "/tmp/ca.crt",
- "onMissingValue": "prompt",
- "prompt": "Insert path to
Certificate Authority"
- },
- {
- "name": "ca_crt",
- "path": "/tmp/ca.crt",
- "onMissingValue": "error"
- },
- {
- "name": "ca_crt_b64",
- "path": "/tmp/ca.crt",
- "base64": true,
- "onMissingValue": "prompt"
- }
- ]
- },
- {
- "name": "config-demo2",
- "vaultPrefixes": [
- "region-one",
- "snowflake.blueprints.rhecoeng.com"
- ],
- "fields": [
- {
- "name": "ca_crt2",
- "path": null,
- "onMissingValue": "prompt"
- },
- {
- "name": "ca_crt",
- "path": "/tmp/ca.crt",
- "onMissingValue": "error"
- }
- ]
- }
- ]
- }
- ],
- "definitions": {
- "valuesSecretsV2": {
- "type": "object",
- "additionalProperties": false,
- "properties": {
- "version": {
- "type": [ "string", "null" ],
- "description": "Version of the secret specification",
- "default": "1.0"
- },
- "backingStore": {
- "type": "string",
- "description": "Secrets backing store type",
- "default": "vault"
- },
- "vaultPolicies": {
- "$ref": "#/definitions/VaultPolicies",
- "description": "A dictionary of {name}:{policy} of custom vault password policies"
- },
- "secrets": {
- "$ref": "#/definitions/Secrets",
- "description": "The list of actual secrets to be uploaded in the vault"
- }
- },
- "required": [
- "secrets"
- ],
- "title": "Values Secrets V2 Format"
- },
- "VaultPolicies": {
- "type": "object",
- "description": "A dictionary of {name}:{policy} of custom vault password policies",
- "items": {
- "$ref": "#/definitions/VaultPolicy"
- },
- "examples": [
- {
- "vaultPolicies": {
- "basicPolicy": "length=10\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\n",
- "advancedPolicy": "length=20\nrule \"charset\" { charset = \"abcdefghijklmnopqrstuvwxyz\" min-chars = 1 }\nrule \"charset\" { charset = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\" min-chars = 1 }\nrule \"charset\" { charset = \"0123456789\" min-chars = 1 }\nrule \"charset\" { charset = \"!@#$%^&*\"
min-chars = 1 }\n"
- }
- }
- ]
- },
- "VaultPolicy": {
- "type": "string",
- "description": "A password policy to be created in the vault. See https://developer.hashicorp.com/vault/docs/concepts/password-policies"
- },
- "Secrets": {
- "type": "array",
- "description": "The list of secrets to be injected into the vault",
- "items": {
- "$ref": "#/definitions/Secret"
- }
- },
- "Secret": {
- "type": "object",
- "description": "The single secret to be injected into the vault",
- "additionalProperties": false,
- "required": [ "name", "fields" ],
- "properties": {
- "name": {
- "type": "string",
- "description": "This is the name of the top level key that will be created at the vaultMount point and that will contain one secret per field inside its attributes"
- },
- "vaultMount": {
- "type": "string",
- "description": "This is the vault -mount=<...> mount point used in vault commands",
- "default": "secret"
- },
- "vaultPrefixes": {
- "type": "array",
- "description": "This is the list of prefixes the secret will be uploaded to. It defaults to ['hub'] when not specified",
- "items": {
- "type": "string",
- "minItems": 1,
- "uniqueItems": true
- },
- "default": [ "hub" ]
- },
- "fields": {
- "type": "array",
- "description": "This is the list of actual secret material that will be placed in a vault key's attributes",
- "items": {
- "type": "object",
- "$ref": "#/definitions/Field",
- "minItems": 1,
- "uniqueItems": true
- }
- }
- }
- },
- "Field": {
- "type": "object",
- "additionalProperties": false,
- "required": [
- "name"
- ],
- "properties": {
- "name": {
- "type": "string",
- "description": "This is the name of the attribute inside vault"
- },
- "onMissingValue": {
- "type": "string",
- "default": "error",
- "description": "'error' will generate an error if the secret (via value or via path attributes) are not defined. 'generate' will create a secret using a defined vaultPolicy.
'prompt' will ask the user for input and it requires to set a value or a path depending if the user should input a secret or a path to a secret file. Non-null entries represent the default value when prompted.",
- "enum": [
- "error",
- "generate",
- "prompt"
- ]
- },
- "prompt": {
- "type": "string",
- "description": "Represents the prompt used when onMissingValue is set to prompt"
- },
- "value": {
- "type": [
- "string",
- "null"
- ],
- "description": "Is the value of a secret. Represents the default value when onMissingValue is set to prompt"
- },
- "path": {
- "type": [
- "string",
- "null"
- ],
- "description": "Is the path to a secret file. Represents the default path when onMissingValue is set to prompt"
- },
- "ini_file": {
- "type": [
- "string",
- "null"
- ],
- "description": "Is the path to an ini_file containing secret material"
- },
- "ini_section": {
- "type": [
- "string",
- "null"
- ],
- "description": "Is the section in an ini file where a user-defined key will be looked up",
- "default": "default"
- },
- "ini_key": {
- "type": [
- "string",
- "null"
- ],
- "description": "Is the key inside a section in an inifile whose value will be used"
- },
- "vaultPolicy": {
- "type": "string",
- "description": "When onMissingValue is set to 'generate', uses this policy to create the secret inside the vault directly"
- },
- "base64": {
- "type": "boolean",
- "description": "Before uploading the secret the content is base-64 encoded.
It is recommended to set this to true when dealing with files",
- "default": "false"
- },
- "override": {
- "type": "boolean",
- "description": "When onMissingValue is set to 'generate' and the secret already exists in the vault update it",
- "default": "false"
- }
- },
- "dependentRequired": {
- "ini_file": ["ini_key"]
- },
- "allOf": [
- {
- "if": {
- "properties": { "onMissingValue": { "enum": ["prompt"] } }
- },
- "then": {
- "oneOf": [
- {
- "required": [ "path" ]
- },
- {
- "required": [ "value" ]
- }
- ]
- }
- },
- {
- "if": {
- "properties": { "onMissingValue": { "enum": ["generate"] } }
- },
- "then": {
- "required": [ "vaultPolicy" ]
- }
- },
- {
- "if": {
- "properties": { "onMissingValue": { "enum": ["error"] } }
- },
- "then": {
- "oneOf": [
- {
- "required": [ "path" ]
- },
- {
- "required": [ "ini_file" ]
- },
- {
- "required": [ "value" ]
- }
- ]
- }
- }
- ]
- }
- }
-}
diff --git a/common/ansible/roles/vault_utils/vars/main.yml b/common/ansible/roles/vault_utils/vars/main.yml
deleted file mode 100644
index f6e02b93..00000000
--- a/common/ansible/roles/vault_utils/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# vars file for vault_utils
diff --git a/common/ansible/tests/unit/test_ini_file.py b/common/ansible/tests/unit/test_ini_file.py
deleted file mode 100644
index e92280cb..00000000
--- a/common/ansible/tests/unit/test_ini_file.py
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 2022 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""
-Simple module to test ini parsing function
-"""
-
-import os
-import sys
-import unittest
-
-# TODO(bandini): I could not come up with something better to force the imports to be existing
-# when we 'import vault_load_secrets'
-sys.path.insert(1, "./ansible/plugins/module_utils")
-sys.path.insert(1, "./ansible/plugins/modules")
-import load_secrets_common # noqa: E402
-
-
-class TestMyModule(unittest.TestCase):
- def setUp(self):
- self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2")
-
- def test_ensure_ini_file_parsed_correctly(self):
- f = os.path.join(self.testdir_v2, "aws-example.ini")
- key_id = load_secrets_common.get_ini_value(f, "default", "aws_access_key_id")
- access_key = load_secrets_common.get_ini_value(
- f, "default", "aws_secret_access_key"
- )
- self.assertEqual(key_id, "A123456789012345678A")
- self.assertEqual(access_key, "A12345678901234567890123456789012345678A")
-
- def test_ensure_ini_file_missing_value_is_none(self):
- f = os.path.join(self.testdir_v2, "aws-example.ini")
- missing_id = load_secrets_common.get_ini_value(f, "default", "nonexisting")
- self.assertEqual(missing_id, None)
-
- def test_ensure_ini_file_missing_section_is_none(self):
- f = os.path.join(self.testdir_v2, "aws-example.ini")
- missing_id = load_secrets_common.get_ini_value(f, "nonexisting", "nonexisting")
-
self.assertEqual(missing_id, None)
-
-
-if __name__ == "__main__":
- unittest.main()
diff --git a/common/ansible/tests/unit/test_vault_load_secrets.py b/common/ansible/tests/unit/test_vault_load_secrets.py
deleted file mode 100644
index 12deeb3f..00000000
--- a/common/ansible/tests/unit/test_vault_load_secrets.py
+++ /dev/null
@@ -1,388 +0,0 @@
-# Copyright 2022 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-"""
-Simple module to test vault_load_secrets
-"""
-
-import json
-import os
-import sys
-import unittest
-from unittest.mock import call, patch
-
-from ansible.module_utils import basic
-from ansible.module_utils.common.text.converters import to_bytes
-
-# TODO(bandini): I could not come up with something better to force the imports to be existing
-# when we 'import vault_load_secrets'
-sys.path.insert(1, "./ansible/plugins/module_utils")
-sys.path.insert(1, "./ansible/plugins/modules")
-import load_secrets_common # noqa: E402
-
-sys.modules["ansible.module_utils.load_secrets_common"] = load_secrets_common
-import load_secrets_v1 # noqa: E402
-import load_secrets_v2 # noqa: E402
-
-sys.modules["ansible.module_utils.load_secrets_v1"] = load_secrets_v1
-sys.modules["ansible.module_utils.load_secrets_v2"] = load_secrets_v2
-import vault_load_secrets # noqa: E402
-
-
-def set_module_args(args):
- """prepare arguments so that they will be picked up during module creation"""
- args = json.dumps({"ANSIBLE_MODULE_ARGS": args})
- basic._ANSIBLE_ARGS = to_bytes(args)
-
-
-class AnsibleExitJson(Exception):
- """Exception class to be raised by module.exit_json and caught by the test case"""
-
- pass
-
-
-class AnsibleFailJson(Exception):
- """Exception class to be raised by module.fail_json and caught by the test case"""
-
- pass
-
-
-def exit_json(*args,
**kwargs):
- """function to patch over exit_json; package return data into an exception"""
- if "changed" not in kwargs:
- kwargs["changed"] = False
- raise AnsibleExitJson(kwargs)
-
-
-def fail_json(*args, **kwargs):
- """function to patch over fail_json; package return data into an exception"""
- kwargs["failed"] = True
- kwargs["args"] = args
- raise AnsibleFailJson(kwargs)
-
-
-class TestMyModule(unittest.TestCase):
- def setUp(self):
- self.mock_module_helper = patch.multiple(
- basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json
- )
- self.mock_module_helper.start()
- self.addCleanup(self.mock_module_helper.stop)
- self.testdir_v1 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v1")
- self.testfile = open("/tmp/ca.crt", "w")
-
- def tearDown(self):
- self.testfile.close()
- try:
- os.remove("/tmp/ca.crt")
- except OSError:
- pass
-
- def test_module_fail_when_required_args_missing(self):
- with self.assertRaises(AnsibleFailJson):
- set_module_args({})
- vault_load_secrets.main()
-
- def test_module_fail_when_values_secret_not_existing(self):
- with self.assertRaises(AnsibleExitJson) as ansible_err:
- set_module_args(
- {
- "values_secrets": "/tmp/nonexisting",
- }
- )
- vault_load_secrets.main()
-
- ret = ansible_err.exception.args[0]
- self.assertEqual(ret["failed"], True)
- self.assertEqual(ret["error"], "Missing /tmp/nonexisting file")
- self.assertEqual(
- ret["msg"], "Values secrets file does not exist: /tmp/nonexisting"
- )
-
- def test_ensure_empty_files_but_not_secrets_is_ok(self):
- set_module_args(
- {
- "values_secrets": os.path.join(
- self.testdir_v1,
- "values-secret-empty-files.yaml",
- )
- }
- )
-
- with patch.object(
- load_secrets_v1.LoadSecretsV1, "_run_command"
- ) as mock_run_command:
- stdout = "configuration updated"
- stderr = ""
- ret = 0
- mock_run_command.return_value = ret, stdout, stderr # successful execution
-
- with self.assertRaises(AnsibleExitJson) as result:
- vault_load_secrets.main()
-
self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/config-demo' secret='VALUE'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/aws' access_key_id='VALUE' secret_access_key='VALUE'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_broken_files_fail(self): - for i in ( - "values-secret-broken1.yaml", - "values-secret-broken2.yaml", - "values-secret-broken3.yaml", - ): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args({"values_secrets": os.path.join(self.testdir_v1, i)}) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - - def test_ensure_empty_secrets_but_not_files_is_ok(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, - "values-secret-empty-secrets.yaml", - ), - } - ) - - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 1 - - calls = [ - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/hub/publickey b64content=- content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_command_called(self): - set_module_args( - {"values_secrets": os.path.join(self.testdir_v1, 
"values-secret-good.yaml")} - ) - - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 9 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/config-demo' secret='demo123'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/googleapi' key='test123'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/cluster_alejandro' name='alejandro' bearerToken='sha256~bumxi-012345678901233455675678678098-abcdef'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test' s3.accessKey='1234' s3.secretKey='4321' s3Secret='czMuYWNjZXNzS2V5OiAxMjM0CnMzLnNlY3JldEtleTogNDMyMQ=='\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test2' s3.accessKey='accessKey' s3.secretKey='secretKey' s3Secret='fooo'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test3' s3.accessKey='aaaaa' s3.secretKey='bbbbbbbb' s3Secret='czMuYWNjZXNzS2V5OiBhYWFhYQpzMy5zZWNyZXRLZXk6IGJiYmJiYmJi'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/region-one/config-demo' secret='region123'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/hub/cluster_alejandro_ca b64content=- 
content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/region-one/ca b64content=- content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_good_template_checking(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, "mcg-values-secret.yaml" - ), - "check_missing_secrets": True, - "values_secret_template": os.path.join( - self.testdir_v1, "template-mcg-working.yaml" - ), - } - ) - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 1 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/config-demo' secret='VALUE' additionalsecret='test'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_bad_template_checking(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, "mcg-values-secret.yaml" - ), - "check_missing_secrets": True, - "values_secret_template": os.path.join( - self.testdir_v1, "template-mcg-missing.yaml" - ), - } - ) - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr - - with self.assertRaises(AnsibleFailJson) as result: - vault_load_secrets.main() - 
self.assertTrue(result.exception.args[0]["failed"]) - # In case of failure args[1] contains the msg of the failure - assert ( - result.exception.args[0]["args"][1] - == "Values secret yaml is missing needed secrets from the templates: {'secrets.config-demo.foo'}" - ) - assert mock_run_command.call_count == 0 - - def test_ensure_fqdn_secrets(self): - set_module_args( - {"values_secrets": os.path.join(self.testdir_v1, "values-secret-fqdn.yaml")} - ) - - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 3 - - calls = [ - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/hub/test' secret1='foo'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put 'secret/region-one.blueprints.rhecoeng.com/config-demo' secret='region123'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'base64 --wrap=0 /tmp/vcontent | vault kv put secret/region-one/ca b64content=- content=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_check_missing_secrets_errors_out(self): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v1, "mcg-values-secret.yaml" - ), - "check_missing_secrets": True, - "values_secret_template": "", - } - ) - with patch.object( - load_secrets_v1.LoadSecretsV1, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr - - 
with self.assertRaises(AnsibleFailJson) as result: - vault_load_secrets.main() - self.assertTrue(result.exception.args[0]["failed"]) - # In case of failure args[1] contains the msg of the failure - assert ( - result.exception.args[0]["args"][1] - == "No values_secret_template defined and check_missing_secrets set to True" - ) - assert mock_run_command.call_count == 0 - - -if __name__ == "__main__": - unittest.main() diff --git a/common/ansible/tests/unit/test_vault_load_secrets_v2.py b/common/ansible/tests/unit/test_vault_load_secrets_v2.py deleted file mode 100644 index d0e5881c..00000000 --- a/common/ansible/tests/unit/test_vault_load_secrets_v2.py +++ /dev/null 
@@ -1,760 +0,0 @@ -# Copyright 2022 Red Hat, Inc. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -""" -Simple module to test vault_load_secrets -""" - -import configparser -import json -import os -import sys -import unittest -from unittest import mock -from unittest.mock import call, patch - -from ansible.module_utils import basic -from ansible.module_utils.common.text.converters import to_bytes - -# TODO(bandini): I could not come up with something better to force the imports to be existing -# when we 'import vault_load_secrets' -sys.path.insert(1, "./ansible/plugins/module_utils") -sys.path.insert(1, "./ansible/plugins/modules") -import load_secrets_common # noqa: E402 - -sys.modules["ansible.module_utils.load_secrets_common"] = load_secrets_common -import load_secrets_v1 # noqa: E402 -import load_secrets_v2 # noqa: E402 - -sys.modules["ansible.module_utils.load_secrets_v1"] = load_secrets_v1 -sys.modules["ansible.module_utils.load_secrets_v2"] = load_secrets_v2 -import vault_load_secrets # noqa: E402 - - -def set_module_args(args): - """prepare arguments so that they will be picked up during module creation""" - args = json.dumps({"ANSIBLE_MODULE_ARGS": args}) - basic._ANSIBLE_ARGS = to_bytes(args) - - -class AnsibleExitJson(Exception): - """Exception class to be raised by module.exit_json and caught by the test case""" - - pass - - -class AnsibleFailJson(Exception): - """Exception class to be raised by module.fail_json and caught by the 
test case""" - - pass - - -def exit_json(*args, **kwargs): - """function to patch over exit_json; package return data into an exception""" - if "changed" not in kwargs: - kwargs["changed"] = False - raise AnsibleExitJson(kwargs) - - -def fail_json(*args, **kwargs): - """function to patch over fail_json; package return data into an exception""" - kwargs["failed"] = True - kwargs["args"] = args - raise AnsibleFailJson(kwargs) - - -@mock.patch("getpass.getpass") -class TestMyModule(unittest.TestCase): - def create_inifile(self): - self.inifile = open("/tmp/awscredentials", "w") - config = configparser.ConfigParser() - config["default"] = { - "aws_access_key_id": "123123", - "aws_secret_access_key": "abcdefghi", - } - config["foobar"] = { - "aws_access_key_id": "345345", - "aws_secret_access_key": "rstuvwxyz", - } - with self.inifile as configfile: - config.write(configfile) - - def setUp(self): - self.mock_module_helper = patch.multiple( - basic.AnsibleModule, exit_json=exit_json, fail_json=fail_json - ) - self.mock_module_helper.start() - self.addCleanup(self.mock_module_helper.stop) - self.testdir_v2 = os.path.join(os.path.dirname(os.path.abspath(__file__)), "v2") - self.testfile = open("/tmp/ca.crt", "w") - self.create_inifile() - - def tearDown(self): - self.testfile.close() - try: - os.remove("/tmp/ca.crt") - # os.remove("/tmp/awscredentials") - except OSError: - pass - - def test_module_fail_when_required_args_missing(self, getpass): - with self.assertRaises(AnsibleFailJson): - set_module_args({}) - vault_load_secrets.main() - - def test_module_fail_when_values_secret_not_existing(self, getpass): - with self.assertRaises(AnsibleExitJson) as ansible_err: - set_module_args( - { - "values_secrets": "/tmp/nonexisting", - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - self.assertEqual(ret["error"], "Missing /tmp/nonexisting file") - self.assertEqual( - ret["msg"], "Values secrets file does not 
exist: /tmp/nonexisting" - ) - - def test_ensure_no_vault_policies_is_ok(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-nopolicies.yaml" - ), - } - ) - getpass.return_value = "foo" - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/region-one/config-demo secret='value123'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo secret='value123'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/region-two/config-demo-file ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > 
/tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv put -mount=secret secret/snowflake.blueprints.rhecoeng.com/config-demo-file ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_policies_are_injected(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-base.yaml" - ), - } - ) - # this will be used for both a secret and a file path - getpass.return_value = "/tmp/ca.crt" - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 11 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - 
attempts=3, - ), - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/advancedPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/advancedPolicy policy=@/tmp/advancedPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret region-one/config-demo secret2='/tmp/ca.crt'\"", # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret2='/tmp/ca.crt'\"", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv patch -mount=secret region-one/config-demo ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo ca_crt=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > /tmp/vcontent'; oc exec -n vault 
vault-0 -i -- sh -c 'vault kv patch -mount=secret region-one/config-demo ca_crt2=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - call( - "cat '/tmp/ca.crt' | oc exec -n vault vault-0 -i -- sh -c 'cat - | base64 --wrap=0 > /tmp/vcontent'; oc exec -n vault vault-0 -i -- sh -c 'vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo ca_crt2=@/tmp/vcontent; rm /tmp/vcontent'", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_wrong_onmissing_value(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-wrong-onmissingvalue.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has vaultPolicy set to nonExisting but no such policy exists" - ) - - def test_ensure_error_wrong_vaultpolicy(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-wrong-vaultpolicy.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has vaultPolicy set to nonExisting but no such policy exists" - ) - - def test_ensure_error_file_wrong_onmissing_value(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, - "values-secret-v2-files-wrong-onmissingvalue.yaml", - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has onMissingValue set to 'generate' but has a path set" - ) - - def test_ensure_error_file_emptypath(self, getpass): - with 
self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-files-emptypath.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Secret has onMissingValue set to 'error' and has neither value nor path nor ini_file set" - ) - - def test_ensure_error_file_wrongpath(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-files-wrongpath.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "Field has non-existing path: /tmp/nonexisting" - - def test_ensure_error_empty_vaultprefix(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-emptyvaultprefix.yaml" - ), - } - ) - vault_load_secrets.main() - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "Secret config-demo has empty vaultPrefixes" - - def test_ensure_default_no_vaultprefix(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-novaultprefix.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" 
min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/config-demo secret='value123'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_only_generate_passwords_works(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-onlygenerate.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 7 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule 
"charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/advancedPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/advancedPolicy policy=@/tmp/advancedPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=foo region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=foo snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/advancedPolicy/generate | vault kv patch -mount=foo region-one/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/advancedPolicy/generate | vault kv patch -mount=foo snowflake.blueprints.rhecoeng.com/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_generate_password_base64_works(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-generate-base64.yaml" 
- ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 4 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | base64 --wrap=0 | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - ] - 
mock_run_command.assert_has_calls(calls) - - def test_ensure_error_secrets_same_name(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-same-secret-names.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] == "You cannot have duplicate secret names: ['config-demo']" - ) - - def test_ensure_error_fields_same_name(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-same-field-names.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "You cannot have duplicate field names: ['secret']" - - def test_password_base64_secret(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-secret-base64.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 2 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write 
sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret test/config-demo secret='Zm9v'\"", # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_on_unsupported_backingstore(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, - "values-secret-v2-nonexisting-backingstore.yaml", - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "Currently only the 'vault' backingStore is supported: nonexisting" - ) - - def test_password_default_vp_policy(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-defaultvp-policy.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 6 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - 
attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret region-one/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/basicPolicy/generate | vault kv put -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/validatedPatternDefaultPolicy/generate | vault kv patch -mount=secret region-one/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault read -field=password sys/policies/password/validatedPatternDefaultPolicy/generate | vault kv patch -mount=secret snowflake.blueprints.rhecoeng.com/config-demo secret2=-"', # noqa: E501 - attempts=3, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_on_wrong_override(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, - "values-secret-v2-wrong-override.yaml", - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ( - ret["args"][1] - == "'override' attribute requires 'onMissingValue' to be set to 'generate'" - ) - - def test_ensure_override_works(self, getpass): - 
set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-test-override.yaml" - ), - } - ) - # this will be used for both a secret and a file path - getpass.return_value = "/tmp/ca.crt" - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=10\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i -- sh -c \'cat - > /tmp/basicPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/basicPolicy policy=@/tmp/basicPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec 
-n vault vault-0 -i -- sh -c \'cat - > /tmp/advancedPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/advancedPolicy policy=@/tmp/advancedPolicy.hcl\'', # noqa: E501 - attempts=3, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault kv get -mount=secret -field=secret region-one/config-demo"', # noqa: E501 - attempts=1, - checkrc=False, - ), - call( - 'oc exec -n vault vault-0 -i -- sh -c "vault kv get -mount=secret -field=secret snowflake.blueprints.rhecoeng.com/config-demo"', # noqa: E501 - attempts=1, - checkrc=False, - ), - ] - mock_run_command.assert_has_calls(calls) - - def test_ensure_error_wrong_ini_file(self, getpass): - with self.assertRaises(AnsibleFailJson) as ansible_err: - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-wrong-ini-file.yaml" - ), - } - ) - vault_load_secrets.main() - - ret = ansible_err.exception.args[0] - self.assertEqual(ret["failed"], True) - assert ret["args"][1] == "ini_file requires at least ini_key to be defined" - - def test_ensure_ini_file_works(self, getpass): - set_module_args( - { - "values_secrets": os.path.join( - self.testdir_v2, "values-secret-v2-ini-file.yaml" - ), - } - ) - with patch.object( - load_secrets_v2.LoadSecretsV2, "_run_command" - ) as mock_run_command: - stdout = "configuration updated" - stderr = "" - ret = 0 - mock_run_command.return_value = ret, stdout, stderr # successful execution - - with self.assertRaises(AnsibleExitJson) as result: - vault_load_secrets.main() - self.assertTrue( - result.exception.args[0]["changed"] - ) # ensure result is changed - assert mock_run_command.call_count == 5 - - calls = [ - call( - 'echo \'length=20\nrule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }\nrule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }\nrule "charset" { charset = "0123456789" min-chars = 1 }\nrule "charset" { charset = "!@#%^&*" min-chars = 1 }\n\' | oc exec -n vault vault-0 -i 
-- sh -c \'cat - > /tmp/validatedPatternDefaultPolicy.hcl\';oc exec -n vault vault-0 -i -- sh -c \'vault write sys/policies/password/validatedPatternDefaultPolicy policy=@/tmp/validatedPatternDefaultPolicy.hcl\'', # noqa: E501
- attempts=3,
- ),
- call(
- "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/aws aws_access_key_id='123123'\"", # noqa: E501
- attempts=3,
- ),
- call(
- "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret hub/aws aws_secret_access_key='abcdefghi'\"", # noqa: E501
- attempts=3,
- ),
- call(
- "oc exec -n vault vault-0 -i -- sh -c \"vault kv put -mount=secret hub/awsfoobar aws_access_key_id='345345'\"", # noqa: E501
- attempts=3,
- ),
- call(
- "oc exec -n vault vault-0 -i -- sh -c \"vault kv patch -mount=secret hub/awsfoobar aws_secret_access_key='rstuvwxyz'\"", # noqa: E501
- attempts=3,
- ),
- ]
- mock_run_command.assert_has_calls(calls)
-
-
-if __name__ == "__main__":
- unittest.main()
diff --git a/common/ansible/tests/unit/v1/mcg-values-secret.yaml b/common/ansible/tests/unit/v1/mcg-values-secret.yaml
deleted file mode 100644
index 8586f1a6..00000000
--- a/common/ansible/tests/unit/v1/mcg-values-secret.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-secrets:
- # NEVER COMMIT THESE VALUES TO GIT
- config-demo:
- # Secret used for demonstrating vault storage, external secrets, and ACM distribution
- secret: VALUE
- additionalsecret: test
-
- # Required for automated spoke deployment
- # aws:
- # access_key_id: VALUE
- # secret_access_key: VALUE
-
-# Required for automated spoke deployment
-files:
- # # ssh-rsa AAA...
- # publickey: ~/.ssh/id_rsa.pub
- #
- # # -----BEGIN RSA PRIVATE KEY
- # # ...
- # # -----END RSA PRIVATE KEY
- # privatekey: ~/.ssh/id_rsa
- #
- # # {"auths":{"cloud.openshift.com":{"auth":"b3Blb... }}}
- # openshiftPullSecret: ~/.dockerconfigjson
- #
- # azureOsServicePrincipal: ~/osServicePrincipal.json
diff --git a/common/ansible/tests/unit/v1/template-mcg-missing.yaml b/common/ansible/tests/unit/v1/template-mcg-missing.yaml
deleted file mode 100644
index eca36b2e..00000000
--- a/common/ansible/tests/unit/v1/template-mcg-missing.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-secrets:
- # NEVER COMMIT THESE VALUES TO GIT
- config-demo:
- # Secret used for demonstrating vault storage, external secrets, and ACM distribution
- secret: VALUE
- foo: bar
-
- # Required for automated spoke deployment
- # aws:
- # access_key_id: VALUE
- # secret_access_key: VALUE
-
-# Required for automated spoke deployment
-files:
- # # ssh-rsa AAA...
- # publickey: ~/.ssh/id_rsa.pub
- #
- # # -----BEGIN RSA PRIVATE KEY
- # # ...
- # # -----END RSA PRIVATE KEY
- # privatekey: ~/.ssh/id_rsa
- #
- # # {"auths":{"cloud.openshift.com":{"auth":"b3Blb... }}}
- # openshiftPullSecret: ~/.dockerconfigjson
- #
- # azureOsServicePrincipal: ~/osServicePrincipal.json
diff --git a/common/ansible/tests/unit/v1/template-mcg-working.yaml b/common/ansible/tests/unit/v1/template-mcg-working.yaml
deleted file mode 100644
index 8445c6f3..00000000
--- a/common/ansible/tests/unit/v1/template-mcg-working.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-secrets:
- # NEVER COMMIT THESE VALUES TO GIT
- config-demo:
- # Secret used for demonstrating vault storage, external secrets, and ACM distribution
- secret: VALUE
-
- # Required for automated spoke deployment
- # aws:
- # access_key_id: VALUE
- # secret_access_key: VALUE
-
-# Required for automated spoke deployment
-files:
- # # ssh-rsa AAA...
- # publickey: ~/.ssh/id_rsa.pub
- #
- # # -----BEGIN RSA PRIVATE KEY
- # # ...
- # # -----END RSA PRIVATE KEY
- # privatekey: ~/.ssh/id_rsa
- #
- # # {"auths":{"cloud.openshift.com":{"auth":"b3Blb... }}}
- # openshiftPullSecret: ~/.dockerconfigjson
- #
- # azureOsServicePrincipal: ~/osServicePrincipal.json
diff --git a/common/ansible/tests/unit/v1/values-secret-broken1.yaml b/common/ansible/tests/unit/v1/values-secret-broken1.yaml
deleted file mode 100644
index ecfc9df4..00000000
--- a/common/ansible/tests/unit/v1/values-secret-broken1.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-secrets:
- # empty
-
-files:
- # empty
diff --git a/common/ansible/tests/unit/v1/values-secret-broken2.yaml b/common/ansible/tests/unit/v1/values-secret-broken2.yaml
deleted file mode 100644
index 82477acd..00000000
--- a/common/ansible/tests/unit/v1/values-secret-broken2.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# secrets:
-# empty
-
-# files:
-# empty
diff --git a/common/ansible/tests/unit/v1/values-secret-broken3.yaml b/common/ansible/tests/unit/v1/values-secret-broken3.yaml
deleted file mode 100644
index 6d7295ba..00000000
--- a/common/ansible/tests/unit/v1/values-secret-broken3.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-secrets:
- - borked1
- - borked2
-
-files:
- foo:
- - broken
- - broken2
diff --git a/common/ansible/tests/unit/v1/values-secret-empty-files.yaml b/common/ansible/tests/unit/v1/values-secret-empty-files.yaml
deleted file mode 100644
index 078166a0..00000000
--- a/common/ansible/tests/unit/v1/values-secret-empty-files.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-secrets:
- # NEVER COMMIT THESE VALUES TO GIT
- config-demo:
- # Secret used for demonstrating vault storage, external secrets, and ACM distribution
- secret: VALUE
-
- # Required for automated spoke deployment
- aws:
- access_key_id: VALUE
- secret_access_key: VALUE
-
-# Required for automated spoke deployment
-files:
- # # ssh-rsa AAA...
diff --git a/common/ansible/tests/unit/v1/values-secret-empty-secrets.yaml b/common/ansible/tests/unit/v1/values-secret-empty-secrets.yaml
deleted file mode 100644
index 13739a27..00000000
--- a/common/ansible/tests/unit/v1/values-secret-empty-secrets.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-secrets:
- # NEVER COMMIT THESE VALUES TO GIT
- # config-demo:
- # # Secret used for demonstrating vault storage, external secrets, and ACM distribution
- # secret: VALUE
-
- # # Required for automated spoke deployment
- # aws:
- # access_key_id: VALUE
- # secret_access_key: VALUE
-
-# Required for automated spoke deployment
-files:
- # # ssh-rsa AAA...
- publickey: /tmp/ca.crt
diff --git a/common/ansible/tests/unit/v1/values-secret-fqdn.yaml b/common/ansible/tests/unit/v1/values-secret-fqdn.yaml
deleted file mode 100644
index c77496c1..00000000
--- a/common/ansible/tests/unit/v1/values-secret-fqdn.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-secrets:
- test:
- secret1: foo
-
-secrets.region-one.blueprints.rhecoeng.com:
- config-demo:
- secret: region123
-
-files.region-one:
- ca: /tmp/ca.crt
diff --git a/common/ansible/tests/unit/v1/values-secret-good.yaml b/common/ansible/tests/unit/v1/values-secret-good.yaml
deleted file mode 100644
index 6db47285..00000000
--- a/common/ansible/tests/unit/v1/values-secret-good.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-secrets:
- # NEVER COMMIT THESE VALUES TO GIT
- config-demo:
- # Secret used for demonstrating vault storage, external secrets, and ACM distribution
- secret: demo123
- googleapi:
- key: test123
-
- cluster_alejandro:
- name: alejandro
- bearerToken: sha256~bumxi-012345678901233455675678678098-abcdef
-
- test:
- s3.accessKey: "1234"
- s3.secretKey: "4321"
-
- test2:
- s3.accessKey: accessKey
- s3.secretKey: secretKey
- s3Secret: fooo
-
- test3:
- s3.accessKey: "aaaaa"
- s3.secretKey: "bbbbbbbb"
-
-files:
- # oc extract -n openshift-config cm/kube-root-ca.crt --to=/home/michele/ --keys=ca.crt
- cluster_alejandro_ca: /tmp/ca.crt
-
-secrets.region-one:
- config-demo:
- secret: region123
-
-files.region-one:
- ca: /tmp/ca.crt
diff --git a/common/ansible/tests/unit/v2/aws-example.ini b/common/ansible/tests/unit/v2/aws-example.ini
deleted file mode 100644
index 5e38bfd8..00000000
--- a/common/ansible/tests/unit/v2/aws-example.ini
+++ /dev/null
@@ -1,4 +0,0 @@
-; https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
-[default]
-aws_access_key_id = A123456789012345678A
-aws_secret_access_key = A12345678901234567890123456789012345678A
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-base.yaml b/common/ansible/tests/unit/v2/values-secret-v2-base.yaml
deleted file mode 100644
index bf9670d8..00000000
--- a/common/ansible/tests/unit/v2/values-secret-v2-base.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-version: "2.0"
-
-backingStore: vault
-
-vaultPolicies:
- basicPolicy: |
- length=10
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
-
- advancedPolicy: |
- length=20
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
- rule "charset" { charset = "!@#%^&*" min-chars = 1 }
-
-secrets:
- - name: config-demo
- vaultPrefixes:
- - region-one
- - snowflake.blueprints.rhecoeng.com
- fields:
- - name: secret
- onMissingValue: generate
- override: true
- vaultPolicy: basicPolicy
- - name: secret2
- value: null
- onMissingValue: prompt
- - name: ca_crt
- path: /tmp/ca.crt
- onMissingValue: error
- - name: ca_crt2
- path: null
- base64: true
- onMissingValue: prompt
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-defaultvp-policy.yaml b/common/ansible/tests/unit/v2/values-secret-v2-defaultvp-policy.yaml
deleted file mode 100644
index e284d300..00000000
--- a/common/ansible/tests/unit/v2/values-secret-v2-defaultvp-policy.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-version: "2.0"
-
-backingStore: vault
-
-vaultPolicies:
- basicPolicy: |
- length=10
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
-
-secrets:
- - name: config-demo
- vaultPrefixes:
- - region-one
- - snowflake.blueprints.rhecoeng.com
- fields:
- - name: secret
- onMissingValue: generate
- override: true
- vaultPolicy: basicPolicy
- - name: secret2
- onMissingValue: generate
- override: true
- vaultPolicy: validatedPatternDefaultPolicy
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-emptyvaultprefix.yaml b/common/ansible/tests/unit/v2/values-secret-v2-emptyvaultprefix.yaml
deleted file mode 100644
index df1d420a..00000000
--- a/common/ansible/tests/unit/v2/values-secret-v2-emptyvaultprefix.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-version: "2.0"
-
-secrets:
- - name: config-demo
- vaultPrefixes:
- fields:
- - name: secret
- value: value123
- onMissingValue: error
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-files-emptypath.yaml b/common/ansible/tests/unit/v2/values-secret-v2-files-emptypath.yaml
deleted file mode 100644
index 9c1142aa..00000000
--- a/common/ansible/tests/unit/v2/values-secret-v2-files-emptypath.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-version: "2.0"
-backingStore: vault
-
-vaultPolicies:
- basicPolicy: |
- length=10
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
-
- advancedPolicy: |
- length=20
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
- rule "charset" { charset = "!@#%^&*" min-chars = 1 }
-
-secrets:
- - name: config-demo
- vaultPrefixes:
- - secret/region-one
- - secret/snowflake.blueprints.rhecoeng.com
- fields:
- - name: ca_crt
- onMissingValue: error
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-files-wrong-onmissingvalue.yaml b/common/ansible/tests/unit/v2/values-secret-v2-files-wrong-onmissingvalue.yaml
deleted file mode 100644
index 36b0e715..00000000
--- a/common/ansible/tests/unit/v2/values-secret-v2-files-wrong-onmissingvalue.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-version: "2.0"
-backingStore: vault
-
-vaultPolicies:
- basicPolicy: |
- length=10
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
-
- advancedPolicy: |
- length=20
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
- rule "charset" { charset = "!@#%^&*" min-chars = 1 }
-
-secrets:
- - name: config-demo
- vaultPrefixes:
- - secret/region-one
- - secret/snowflake.blueprints.rhecoeng.com
- fields:
- - name: ca_crt
- path: /tmp/ca.crt
- onMissingValue: generate
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-files-wrongpath.yaml b/common/ansible/tests/unit/v2/values-secret-v2-files-wrongpath.yaml
deleted file mode 100644
index 35e5cfcf..00000000
--- a/common/ansible/tests/unit/v2/values-secret-v2-files-wrongpath.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-version: "2.0"
-backingStore: vault
-
-vaultPolicies:
- basicPolicy: |
- length=10
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
-
- advancedPolicy: |
- length=20
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
- rule "charset" { charset = "!@#%^&*" min-chars = 1 }
-
-secrets:
- - name: config-demo
- vaultPrefixes:
- - secret/region-one
- - secret/snowflake.blueprints.rhecoeng.com
- fields:
- - name: ca_crt
- path: /tmp/nonexisting
- onMissingValue: error
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-generate-base64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-generate-base64.yaml
deleted file mode 100644
index eed8b402..00000000
--- a/common/ansible/tests/unit/v2/values-secret-v2-generate-base64.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-version: "2.0"
-backingStore: vault
-
-vaultPolicies:
- basicPolicy: |
- length=10
- rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 }
- rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 }
- rule "charset" { charset = "0123456789" min-chars = 1 }
-
-secrets:
- - name: config-demo
- vaultPrefixes:
- - region-one
- - snowflake.blueprints.rhecoeng.com
- fields:
- - name: secret
- onMissingValue: generate
- base64: true
- override: true
- vaultPolicy: basicPolicy
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-ini-file.yaml b/common/ansible/tests/unit/v2/values-secret-v2-ini-file.yaml deleted file mode 100644 index c69a1429..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-ini-file.yaml +++ /dev/null @@ -1,21 +0,0 @@ -version: "2.0" -secrets: - - name: aws - fields: - - name: aws_access_key_id - ini_file: /tmp/awscredentials - ini_section: default - ini_key: aws_access_key_id - - name: aws_secret_access_key - ini_file: /tmp/awscredentials - ini_key: aws_secret_access_key - - name: awsfoobar - fields: - - name: aws_access_key_id - ini_file: /tmp/awscredentials - ini_section: foobar - ini_key: aws_access_key_id - - name: aws_secret_access_key - ini_file: /tmp/awscredentials - ini_section: foobar - ini_key: aws_secret_access_key diff --git a/common/ansible/tests/unit/v2/values-secret-v2-nonexisting-backingstore.yaml b/common/ansible/tests/unit/v2/values-secret-v2-nonexisting-backingstore.yaml deleted file mode 100644 index 906e3167..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-nonexisting-backingstore.yaml +++ /dev/null @@ -1,23 +0,0 @@ -version: "2.0" - -backingStore: nonexisting - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - vaultPolicy: basicPolicy - - name: secret2 - value: null - onMissingValue: prompt - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - - name: ca_crt2 - path: null - base64: true - onMissingValue: prompt diff --git a/common/ansible/tests/unit/v2/values-secret-v2-nopolicies.yaml b/common/ansible/tests/unit/v2/values-secret-v2-nopolicies.yaml deleted file mode 100644 index 3b465700..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-nopolicies.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -version: "2.0" - -backingStore: vault - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: secret - value: value123 - onMissingValue: error - - - name: config-demo-file - vaultPrefixes: - - secret/region-two - - secret/snowflake.blueprints.rhecoeng.com - - fields: - - name: ca_crt - path: /tmp/ca.crt - base64: true - onMissingValue: error diff --git a/common/ansible/tests/unit/v2/values-secret-v2-novaultprefix.yaml b/common/ansible/tests/unit/v2/values-secret-v2-novaultprefix.yaml deleted file mode 100644 index 92449dae..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-novaultprefix.yaml +++ /dev/null @@ -1,8 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - fields: - - name: secret - value: value123 - onMissingValue: error diff --git a/common/ansible/tests/unit/v2/values-secret-v2-onlygenerate.yaml b/common/ansible/tests/unit/v2/values-secret-v2-onlygenerate.yaml deleted file mode 100644 index 2a5ef0b6..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-onlygenerate.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultMount: foo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - name: secret2 - onMissingValue: generate - override: true - vaultPolicy: advancedPolicy diff --git a/common/ansible/tests/unit/v2/values-secret-v2-same-field-names.yaml b/common/ansible/tests/unit/v2/values-secret-v2-same-field-names.yaml deleted file mode 100644 index 4845e269..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-same-field-names.yaml +++ /dev/null @@ -1,14 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - value: foo - onMissingValue: error - - name: secret - value: bar - onMissingValue: prompt diff --git a/common/ansible/tests/unit/v2/values-secret-v2-same-secret-names.yaml b/common/ansible/tests/unit/v2/values-secret-v2-same-secret-names.yaml deleted file mode 100644 index 3e17e536..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-same-secret-names.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - value: foo - onMissingValue: error - - - name: config-demo - vaultPrefixes: - - region-two - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret2 - value: bar - onMissingValue: prompt diff --git a/common/ansible/tests/unit/v2/values-secret-v2-secret-base64.yaml b/common/ansible/tests/unit/v2/values-secret-v2-secret-base64.yaml deleted file mode 100644 index b361b34d..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-secret-base64.yaml +++ /dev/null @@ -1,11 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - test - fields: - - name: secret - value: foo - onMissingValue: error - base64: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-test-override.yaml b/common/ansible/tests/unit/v2/values-secret-v2-test-override.yaml deleted file mode 100644 index 8efdd95c..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-test-override.yaml +++ /dev/null @@ -1,28 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#%^&*" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: false - vaultPolicy: basicPolicy 
diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-ini-file.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-ini-file.yaml deleted file mode 100644 index fb9b253c..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-ini-file.yaml +++ /dev/null @@ -1,9 +0,0 @@ -version: "2.0" -secrets: - - name: aws - fields: - - name: aws_key_id - ini_file: ~/.aws/credentials - ini_section: default - # The below is required - # ini_key: aws_access_key_id diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-onmissingvalue.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-onmissingvalue.yaml deleted file mode 100644 index 2d53807e..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-onmissingvalue.yaml +++ /dev/null @@ -1,20 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - vaultPolicy: nonExisting diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-override.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-override.yaml deleted file mode 100644 index 650e93b5..00000000 --- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-override.yaml +++ /dev/null @@ -1,11 +0,0 @@ -version: "2.0" - -secrets: - - name: config-demo - vaultPrefixes: - - region-one - fields: - - name: secret - value: null - onMissingValue: prompt - override: true diff --git a/common/ansible/tests/unit/v2/values-secret-v2-wrong-vaultpolicy.yaml b/common/ansible/tests/unit/v2/values-secret-v2-wrong-vaultpolicy.yaml deleted file mode 100644 index 2d53807e..00000000 
--- a/common/ansible/tests/unit/v2/values-secret-v2-wrong-vaultpolicy.yaml +++ /dev/null @@ -1,20 +0,0 @@ -version: "2.0" - -backingStore: vault - -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - -secrets: - - name: config-demo - vaultPrefixes: - - secret/region-one - - secret/snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - vaultPolicy: nonExisting diff --git a/common/clustergroup/.helmignore b/common/clustergroup/.helmignore deleted file mode 100644 index b25c15b8..00000000 --- a/common/clustergroup/.helmignore +++ /dev/null @@ -1 +0,0 @@ -*~ diff --git a/common/clustergroup/Chart.yaml b/common/clustergroup/Chart.yaml deleted file mode 100644 index 38ece255..00000000 --- a/common/clustergroup/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: A Helm chart to create per-clustergroup ArgoCD applications and any required namespaces or subscriptions -keywords: -- pattern -name: clustergroup -version: 0.0.1 diff --git a/common/clustergroup/templates/_helpers.tpl b/common/clustergroup/templates/_helpers.tpl deleted file mode 100644 index c3a730fb..00000000 --- a/common/clustergroup/templates/_helpers.tpl +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -Default always defined top-level variables for helm charts -*/}} -{{- define "clustergroup.app.globalvalues.helmparameters" -}} -- name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL -- name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION -- name: global.namespace - value: $ARGOCD_APP_NAMESPACE -- name: global.pattern - value: {{ $.Values.global.pattern }} -- name: global.clusterDomain - value: {{ $.Values.global.clusterDomain }} -- name: global.clusterVersion - value: "{{ $.Values.global.clusterVersion }}" -- name: global.clusterPlatform - value: "{{ $.Values.global.clusterPlatform }}" -- name: global.hubClusterDomain - value: {{ $.Values.global.hubClusterDomain }} -- name: global.localClusterDomain - value: {{ coalesce $.Values.global.localClusterDomain $.Values.global.hubClusterDomain }} -{{- end }} {{/* clustergroup.globalvaluesparameters */}} - - -{{/* -Default always defined valueFiles to be included in Applications -*/}} -{{- define "clustergroup.app.globalvalues.valuefiles" -}} -- "/values-global.yaml" -- "/values-{{ $.Values.clusterGroup.name }}.yaml" -{{- if $.Values.global.clusterPlatform }} -- "/values-{{ $.Values.global.clusterPlatform }}.yaml" - {{- if $.Values.global.clusterVersion }} -- "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.global.clusterVersion }}.yaml" - {{- end }} -- "/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.clusterGroup.name }}.yaml" -{{- end }} -{{- if $.Values.global.clusterVersion }} -- "/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml" -{{- end }} -{{- end }} {{/* clustergroup.app.globalvalues.valuefiles */}} diff --git a/common/clustergroup/templates/core/catalog-sources.yaml b/common/clustergroup/templates/core/catalog-sources.yaml deleted file mode 100644 index 73c2e949..00000000 --- a/common/clustergroup/templates/core/catalog-sources.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.indexImages }} -{{- $name := mustRegexReplaceAll "[^/]*/(.*):.*" .image "${1}" | replace "/" "-" }} -apiVersion: operators.coreos.com/v1alpha1 -kind: CatalogSource -metadata: - name: {{ coalesce .name $name }} - namespace: openshift-marketplace -spec: - sourceType: grpc - image: {{ .image }} ---- -{{- end -}} -{{- end -}} diff --git a/common/clustergroup/templates/core/namespaces.yaml b/common/clustergroup/templates/core/namespaces.yaml deleted file mode 100644 index dfa6ae1a..00000000 --- a/common/clustergroup/templates/core/namespaces.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- range $ns := .Values.clusterGroup.namespaces }} -apiVersion: v1 -kind: Namespace -metadata: - {{- if kindIs "map" $ns }} - {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} - name: {{ $k }} - labels: - argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - {{- if $v.labels }} - {{- range $key, $value := $v.labels }} {{- /* We loop here even though the map has always just one key */}} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }} - {{- if $v.annotations }} - annotations: - {{- range $key, $value := $v.annotations }} {{- /* We loop through the map to get key/value pairs */}} - {{ $key }}: {{ $value | default "" | quote }} - {{- end }} - {{- end }}{{- /* if $v.annotations */}} - {{- end }}{{- /* range $k, $v := $ns */}} - - {{- else if kindIs "string" $ns }} - labels: - argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - name: {{ $ns }} - {{- end }} {{- /* if kindIs "string" $ns */}} -spec: ---- -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/core/operatorgroup.yaml b/common/clustergroup/templates/core/operatorgroup.yaml deleted file mode 100644 index 66774fa6..00000000 
--- a/common/clustergroup/templates/core/operatorgroup.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- range $ns := .Values.clusterGroup.namespaces }} - -{{- if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) }} - - {{- if kindIs "map" $ns }} - {{- range $k, $v := $ns }}{{- /* We loop here even though the map has always just one key */}} - -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: {{ $k }}-operator-group - namespace: {{ $k }} -spec: - targetNamespaces: - - {{ $k }} - {{- end }}{{- /* range $k, $v := $ns */}} - - {{- else if kindIs "string" $ns }} -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: {{ . }}-operator-group - namespace: {{ . }} -spec: - targetNamespaces: - - {{ . }} - {{- end }} {{- /* if kindIs "string" $ns */}} ---- -{{- end }} {{- /* if or (empty $.Values.clusterGroup.operatorgroupExcludes) (not (has . $.Values.clusterGroup.operatorgroupExcludes)) */}} -{{- end }} {{- /* range $ns := .Values.clusterGroup.namespaces */}} -{{- end }} {{- /* if not (eq .Values.enabled "plumbing") */}} diff --git a/common/clustergroup/templates/core/subscriptions.yaml b/common/clustergroup/templates/core/subscriptions.yaml deleted file mode 100644 index f58f6c28..00000000 --- a/common/clustergroup/templates/core/subscriptions.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{- range .Values.clusterGroup.subscriptions }} -{{- $subs := . }} -{{- $installPlanValue := .installPlanApproval }} - -{{- if $subs.namespaces }} -{{- if not $subs.disabled }} -{{- range .namespaces }} -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: {{ $subs.name }} - namespace: {{ . }} -spec: - name: {{ $subs.name }} - source: {{ default "redhat-operators" $subs.source }} - sourceNamespace: {{ default "openshift-marketplace" $subs.sourceNamespace }} - {{- if $subs.channel }} - channel: {{ $subs.channel }} - {{- end }} - installPlanApproval: {{ coalesce $installPlanValue $.Values.global.options.installPlanApproval }} - {{- if $subs.config }} - {{- if $subs.config.env }} - config: - env: - {{- range $subs.config.env }} - - name: {{ .name }} - value: {{ .value }} - {{- end }} - {{- end }} - {{- end }} - {{- if $.Values.global.options.useCSV }} - startingCSV: {{ $subs.csv }} - {{- else if $subs.csv }} - startingCSV: {{ $subs.csv }} - {{- end }} ---- -{{- end }} -{{- end }} -{{- else if not $subs.disabled }} -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: {{ $subs.name }} - namespace: {{ default "openshift-operators" $subs.namespace }} -spec: - name: {{ $subs.name }} - source: {{ default "redhat-operators" $subs.source }} - sourceNamespace: {{ default "openshift-marketplace" $subs.sourceNamespace }} - {{- if $subs.channel }} - channel: {{ $subs.channel }} - {{- end }} - installPlanApproval: {{ coalesce $installPlanValue $.Values.global.options.installPlanApproval }} - {{- if $subs.config }} - {{- if $subs.config.env }} - config: - env: - {{- range $subs.config.env }} - - name: {{ .name }} - value: {{ .value }} - {{- end }} - {{- end }} - {{- end }} - {{- if $.Values.global.options.useCSV }} - startingCSV: {{ $subs.csv }} - {{- else if $subs.csv }} - startingCSV: {{ $subs.csv }} - {{- end }} ---- -{{- end }} -{{- end }} ---- -{{- end }} 
diff --git a/common/clustergroup/templates/imperative/_helpers.tpl b/common/clustergroup/templates/imperative/_helpers.tpl deleted file mode 100644 index 8a946b3c..00000000 --- a/common/clustergroup/templates/imperative/_helpers.tpl +++ /dev/null @@ -1,38 +0,0 @@ -{{/* git-init InitContainer */}} -{{- define "imperative.initcontainers.gitinit" }} -- name: git-init - image: {{ $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch {{ $.Values.global.targetRevision }} --depth 1 -- {{ $.Values.global.repoURL }} /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" -{{- end }} - -{{/* Final done container */}} -{{- define "imperative.containers.done" }} -- name: "done" - image: {{ $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' -{{- end }} - -{{/* volume-mounts for all containers */}} -{{- define "imperative.volumemounts" }} -- name: git - mountPath: "/git" -- name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml -{{- end }} diff --git a/common/clustergroup/templates/imperative/clusterrole.yaml b/common/clustergroup/templates/imperative/clusterrole.yaml deleted file mode 100644 index e3646917..00000000 --- a/common/clustergroup/templates/imperative/clusterrole.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ $.Values.clusterGroup.imperative.clusterRoleName }} -rules: -{{- if $.Values.clusterGroup.imperative.clusterRoleYaml -}} - {{ toYaml $.Values.clusterGroup.imperative.clusterRoleYaml | nindent 2 }} -{{- else }} - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/configmap.yaml b/common/clustergroup/templates/imperative/configmap.yaml deleted file mode 100644 index 8ca5a176..00000000 --- a/common/clustergroup/templates/imperative/configmap.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -{{- $valuesyaml := toYaml $.Values -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} - namespace: {{ $.Values.clusterGroup.imperative.namespace}} -data: - values.yaml: | -{{ tpl $valuesyaml . | indent 4 }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/job.yaml b/common/clustergroup/templates/imperative/job.yaml deleted file mode 100644 index b9437c3f..00000000 --- a/common/clustergroup/templates/imperative/job.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* Define this if needed (jobs defined */}} -{{- if (gt (len $.Values.clusterGroup.imperative.jobs) 0) -}} ---- -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ $.Values.clusterGroup.imperative.cronJobName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace}} -spec: - schedule: {{ $.Values.clusterGroup.imperative.schedule | quote }} - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: {{ $.Values.clusterGroup.imperative.activeDeadlineSeconds }} - template: - metadata: - name: {{ $.Values.clusterGroup.imperative.jobName }} - spec: - serviceAccountName: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - {{- include "imperative.initcontainers.gitinit" . | indent 12 }} - {{- range $.Values.clusterGroup.imperative.jobs }} - {{- if ne (.disabled | default "false" | toString | lower ) "true" }} - - name: {{ .name }} - image: {{ .image | default $.Values.clusterGroup.imperative.image }} - imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }} - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - {{ .timeout | default "600" | quote }} - - ansible-playbook - {{- if .verbosity }} - - {{ .verbosity }} - {{- end }} - {{- if .tags }} - - -t - - {{ .tags }} - {{- end }} - - -e - - "@/values/values.yaml" - {{- range .extravars }} - - -e - - {{ . | quote }} - {{- end }} - - {{ .playbook }} - volumeMounts: - {{- include "imperative.volumemounts" . | indent 16 }} - {{- end }} - {{- end }} - containers: - {{- include "imperative.containers.done" . 
| indent 12 }} - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }} - restartPolicy: Never -{{- end }} -{{- end }} \ No newline at end of file diff --git a/common/clustergroup/templates/imperative/namespace.yaml b/common/clustergroup/templates/imperative/namespace.yaml deleted file mode 100644 index ee7b8adb..00000000 --- a/common/clustergroup/templates/imperative/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: {{ $.Values.clusterGroup.imperative.namespace }} - argocd.argoproj.io/managed-by: {{ $.Values.global.pattern }}-{{ $.Values.clusterGroup.name }} - name: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/rbac.yaml b/common/clustergroup/templates/imperative/rbac.yaml deleted file mode 100644 index 1a4b3e2b..00000000 --- a/common/clustergroup/templates/imperative/rbac.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ $.Values.clusterGroup.imperative.namespace }}-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $.Values.clusterGroup.imperative.clusterRoleName }} -subjects: - - kind: ServiceAccount - name: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ $.Values.clusterGroup.imperative.namespace }}-admin-rolebinding - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ $.Values.clusterGroup.imperative.roleName }} -subjects: - - kind: ServiceAccount - name: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/role.yaml b/common/clustergroup/templates/imperative/role.yaml deleted file mode 100644 index 63ad37d1..00000000 --- a/common/clustergroup/templates/imperative/role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ $.Values.clusterGroup.imperative.roleName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -rules: -{{- if $.Values.clusterGroup.imperative.roleYaml -}} - {{ toYaml $.Values.clusterGroup.imperative.roleYaml | nindent 2 }} -{{- else }} - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' -{{- end }} -{{- end }} 
diff --git a/common/clustergroup/templates/imperative/serviceaccount.yaml b/common/clustergroup/templates/imperative/serviceaccount.yaml deleted file mode 100644 index ac051348..00000000 --- a/common/clustergroup/templates/imperative/serviceaccount.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if not (eq .Values.enabled "plumbing") }} -{{/* This is always defined as we always unseal the cluster with an imperative job */}} -{{- if $.Values.clusterGroup.imperative.serviceAccountCreate -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ $.Values.clusterGroup.imperative.serviceAccountName }} - namespace: {{ $.Values.clusterGroup.imperative.namespace }} -{{- end }} -{{- end }} diff --git a/common/clustergroup/templates/imperative/unsealjob.yaml b/common/clustergroup/templates/imperative/unsealjob.yaml deleted file mode 100644 index d0dbc3c7..00000000 --- a/common/clustergroup/templates/imperative/unsealjob.yaml +++ /dev/null 
@@ -1,58 +0,0 @@
-{{- if not (eq .Values.enabled "plumbing") }}
-{{- if $.Values.clusterGroup.isHubCluster }}
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: unsealvault-cronjob
- namespace: {{ $.Values.clusterGroup.imperative.namespace}}
-spec:
- schedule: {{ $.Values.clusterGroup.imperative.insecureUnsealVaultInsideClusterSchedule | quote }}
- # if previous Job is still running, skip execution of a new Job
- concurrencyPolicy: Forbid
- jobTemplate:
- spec:
- activeDeadlineSeconds: {{ $.Values.clusterGroup.imperative.activeDeadlineSeconds }}
- template:
- metadata:
- name: unsealvault-job
- spec:
- serviceAccountName: {{ $.Values.clusterGroup.imperative.serviceAccountName }}
- initContainers:
- # git init happens in /git/repo so that we can set the folder to 0770 permissions
- # reason for that is ansible refuses to create temporary folders in there
- {{- include "imperative.initcontainers.gitinit" . | indent 12 }}
- - name: unseal-playbook
- image: {{ $.Values.clusterGroup.imperative.image }}
- imagePullPolicy: {{ $.Values.clusterGroup.imperative.imagePullPolicy }}
- env:
- - name: HOME
- value: /git/home
- workingDir: /git/repo
- # We have a default timeout of 600s for each playbook. Can be overridden
- # on a per-job basis
- command:
- - timeout
- - {{ .timeout | default "600" | quote }}
- - ansible-playbook
- {{- if $.Values.clusterGroup.imperative.verbosity }}
- - {{ $.Values.clusterGroup.imperative.verbosity }}
- {{- end }}
- - -e
- - "@/values/values.yaml"
- - -t
- - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init'
- - "common/ansible/playbooks/vault/vault.yaml"
- volumeMounts:
- {{- include "imperative.volumemounts" . | indent 16 }}
- containers:
- {{- include "imperative.containers.done" . | indent 12 }}
- volumes:
- - name: git
- emptyDir: {}
- - name: values-volume
- configMap:
- name: {{ $.Values.clusterGroup.imperative.valuesConfigMap }}-{{ $.Values.clusterGroup.name }}
- restartPolicy: Never
-{{- end }}
-{{- end }}
diff --git a/common/clustergroup/templates/plumbing/applications.yaml b/common/clustergroup/templates/plumbing/applications.yaml
deleted file mode 100644
index 6e52e667..00000000
--- a/common/clustergroup/templates/plumbing/applications.yaml
+++ /dev/null
@@ -1,207 +0,0 @@
-{{- if not (eq .Values.enabled "core") }}
-{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }}
-{{- if (eq .Values.enabled "plumbing") }}
-{{- $namespace = "openshift-gitops" }}
-{{- end }}
-{{- range .Values.clusterGroup.applications }}
-{{- if or (.generators) (.generatorFile) (.useGeneratorValues) (.destinationServer) (.destinationNamespace) }}
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
- name: {{ .name }}
- namespace: {{ $namespace }}
- labels:
- app: {{ .name }}
-spec:
- {{- if .generators }}
- generators: {{ .generators | toPrettyJson }}
- {{- else }}
- generators:
- - git:
- repoURL: {{ $.Values.global.repoURL }}
- revision: {{ $.Values.global.targetRevision }}
- {{- if .generatorFile }}
- files:
- - path: {{ .generatorFile | quote }}
- {{- end }}
- {{- end }}
- template:
- metadata:
- name: {{ coalesce .namespace $namespace }}
- spec:
- project: {{ .project }}
- {{- if .syncPolicy }}
- syncPolicy: {{ .syncPolicy | toPrettyJson }}
- {{- else }}
- syncPolicy:
- automated: {}
- retry:
- limit: {{ default 20 $.Values.global.options.applicationRetryLimit }}
- {{- end }}
- {{- if .ignoreDifferences }}
- ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }}
- {{- end }}
- source:
- repoURL: {{ coalesce .repoURL $.Values.global.repoURL }}
- targetRevision: {{ coalesce .targetRevision $.Values.global.targetRevision }}
- {{- if .chart }}
- chart: {{ .chart }}
- {{- end }}
- {{- if .path }}
- path: {{ .path }}
- {{- end }}
- {{- if .plugin }}
- plugin: {{ .plugin }}
- {{- end }}
- {{- if not .kustomize }}
- helm:
- ignoreMissingValueFiles: true
- valueFiles:
- {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 12 }}
- {{- range .extraValueFiles }}
- - {{ . | quote }}
- {{- end }}
- {{- if .useGeneratorValues }}
- values: |-
- {{ `{{ values }}` }}
- {{- end }}
- parameters:
- {{- include "clustergroup.app.globalvalues.helmparameters" $ | nindent 12 }}
- - name: global.repoURL
- value: {{ $.Values.global.repoURL }}
- - name: global.targetRevision
- value: {{ $.Values.global.targetRevision }}
- - name: global.namespace
- value: {{ $.Values.global.namespace }}
- - name: clusterGroup.name
- value: {{ .Values.clusterGroup.name }}
- {{- range .extraHubClusterDomainFields }}
- - name: {{ . }}
- value: {{ $.Values.global.hubClusterDomain }}
- {{- end }}
- {{- range .extraLocalClusterDomainFields }}
- - name: {{ . }}
- value: {{ $.Values.global.localClusterDomain }}
- {{- end }}
- {{- range .extraRepoURLFields }}
- - name: {{ . }}
- value: {{ $.Values.global.repoURL }}
- {{- end }}
- {{- range .extraTargetRevisionFields }}
- - name: {{ . }}
- value: {{ $.Values.global.targetRevision }}
- {{- end }}
- {{- range .extraNamespaceFields }}
- - name: {{ . }}
- value: {{ $.Values.global.namespace }}
- {{- end }}
- {{- range .extraPatternNameFields }}
- - name: {{ . }}
- value: {{ $.Values.global.pattern }}
- {{- end }}
- {{- range $k, $v := $.Values.extraParametersNested }}
- - name: {{ $k }}
- value: {{ $v }}
- {{- end }}
- {{- range .overrides }}
- - name: {{ .name }}
- value: {{ .value | quote }}
- {{- if .forceString }}
- forceString: true
- {{- end }}
- {{- end }}
- {{- end }}
- destination:
- server: {{ coalesce .destinationServer "https://kubernetes.default.svc" }}
- namespace: {{ coalesce .destinationNamespace .namespace $namespace }}
-{{- else }}
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: {{ .name }}
- namespace: {{ $namespace }}
- finalizers:
- - resources-finalizer.argocd.argoproj.io/foreground
-spec:
- destination:
- name: {{ $.Values.clusterGroup.targetCluster }}
- namespace: {{ default $namespace .namespace }}
- project: {{ .project }}
- source:
- repoURL: {{ coalesce .repoURL $.Values.global.repoURL }}
- targetRevision: {{ coalesce .targetRevision $.Values.global.targetRevision }}
- {{- if .chart }}
- chart: {{ .chart }}
- {{- else }}
- path: {{ .path }}
- {{- end }}
- {{- if .plugin }}
- plugin: {{ .plugin | toPrettyJson }}
- {{- else if not .kustomize }}
- helm:
- ignoreMissingValueFiles: true
- valueFiles:
- {{- include "clustergroup.app.globalvalues.valuefiles" $ | nindent 6 }}
- {{- range $valueFile := .extraValueFiles }}
- - {{ $valueFile | quote }}
- {{- end }}
- parameters:
- {{- include "clustergroup.app.globalvalues.helmparameters" $ | nindent 8 }}
- {{- range .extraHubClusterDomainFields }}
- - name: {{ . }}
- value: {{ $.Values.global.hubClusterDomain }}
- {{- end }}
- {{- range .extraLocalClusterDomainFields }}
- - name: {{ . }}
- value: {{ $.Values.global.localClusterDomain }}
- {{- end }}
- {{- range .extraRepoURLFields }}
- - name: {{ . }}
- value: $ARGOCD_APP_SOURCE_REPO_URL
- {{- end }}
- {{- range .extraTargetRevisionFields }}
- - name: {{ . }}
- value: $ARGOCD_APP_SOURCE_TARGET_REVISION
- {{- end }}
- {{- range .extraNamespaceFields }}
- - name: {{ . }}
- value: $ARGOCD_APP_NAMESPACE
- {{- end }}
- {{- range .extraPatternNameFields }}
- - name: {{ . }}
- value: {{ $.Values.global.pattern }}
- {{- end }}
- {{- range $k, $v := $.Values.extraParametersNested }}
- - name: {{ $k }}
- value: {{ $v }}
- {{- end }}
- {{- range .overrides }}
- - name: {{ .name }}
- value: {{ .value | quote }}
- {{- if .forceString }}
- forceString: true
- {{- end }}
- {{- end }}
- {{- if .fileParameters }}
- fileParameters:
- {{- range .fileParameters }}
- - name: {{ .name }}
- path: {{ .path }}
- {{- end }}
- {{- end }}
- {{- end }}
- {{- if .ignoreDifferences }}
- ignoreDifferences: {{ .ignoreDifferences | toPrettyJson }}
- {{- end }}
- {{- if .syncPolicy }}
- syncPolicy: {{ .syncPolicy | toPrettyJson }}
- {{- else }}
- syncPolicy:
- automated: {}
- retry:
- limit: {{ default 20 $.Values.global.applicationRetryLimit }}
- {{- end }}
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/common/clustergroup/templates/plumbing/argocd-super-role.yaml b/common/clustergroup/templates/plumbing/argocd-super-role.yaml
deleted file mode 100644
index 2d5f8f76..00000000
--- a/common/clustergroup/templates/plumbing/argocd-super-role.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if (eq .Values.enabled "all") }}
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: openshift-gitops-cluster-admin-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- name: openshift-gitops-argocd-application-controller
- namespace: openshift-gitops
- # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
- - kind: ServiceAccount
- name: openshift-gitops-argocd-server
- namespace: openshift-gitops
----
-# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}-cluster-admin-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
-subjects:
- - kind: ServiceAccount
- # This is the {ArgoCD.name}-argocd-application-controller
- name: {{ .Values.clusterGroup.name }}-gitops-argocd-application-controller
- namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
- # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP
- - kind: ServiceAccount
- # This is the {ArgoCD.name}-argocd-server
- name: {{ .Values.clusterGroup.name }}-gitops-argocd-server
- namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
- # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76)
- - kind: ServiceAccount
- name: {{ .Values.clusterGroup.name }}-gitops-argocd-dex-server
- namespace: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
-{{- end }}
diff --git a/common/clustergroup/templates/plumbing/argocd.yaml b/common/clustergroup/templates/plumbing/argocd.yaml
deleted file mode 100644
index 84643644..00000000
--- a/common/clustergroup/templates/plumbing/argocd.yaml
+++ /dev/null
@@ -1,151 +0,0 @@
-{{- if (eq .Values.enabled "all") }}
-{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }}
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCD
-metadata:
- finalizers:
- - argoproj.io/finalizer
- # Changing the name affects the ClusterRoleBinding, the generated secret,
- # route URL, and argocd.argoproj.io/managed-by annotations
- name: {{ .Values.clusterGroup.name }}-gitops
- namespace: {{ $namespace }}
- annotations:
- argocd.argoproj.io/compare-options: IgnoreExtraneous
-spec:
-# Adding health checks to argocd to prevent pvc resources
-# that aren't bound state from blocking deployments
- resourceCustomizations: |
- PersistentVolumeClaim:
- health.lua: |
- hs = {}
- if obj.status ~= nil then
- if obj.status.phase ~= nil then
- if obj.status.phase == "Pending" then
- hs.status = "Healthy"
- hs.message = obj.status.phase
- return hs
- elseif obj.status.phase == "Bound" then
- hs.status = "Healthy"
- hs.message = obj.status.phase
- return hs
- end
- end
- end
- hs.status = "Progressing"
- hs.message = "Waiting for PVC"
- return hs
- applicationInstanceLabelKey: argocd.argoproj.io/instance
- # Not the greatest way to pass git/quay info to sub-applications, but it will do until
- # we can support helmChart with kustomize
- # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION
- configManagementPlugins: |
- - name: kustomize-version
- generate:
- command: ["sh", "-c"]
- args: ["kustomize version 1>&2 && exit 1"]
- - name: kustomize-with-helm
- generate:
- command: ["kustomize"]
- args: ["build", "--enable-helm"]
- - name: helm-with-kustomize
- init:
- command: ["/bin/sh", "-c"]
- args: ["helm dependency build"]
- generate:
- command: ["/bin/bash", "-c"]
- args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52}
- -f $(git rev-parse --show-toplevel)/values-global.yaml
- -f $(git rev-parse --show-toplevel)/values-{{ .Values.clusterGroup.name }}.yaml
- --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL
- --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION
- --set global.namespace=$ARGOCD_APP_NAMESPACE
- --set global.pattern={{ .Values.global.pattern }}
- --set global.clusterDomain={{ .Values.global.clusterDomain }}
- --set global.hubClusterDomain={{ .Values.global.hubClusterDomain }}
- --set global.localClusterDomain={{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }}
- --set clusterGroup.name={{ .Values.clusterGroup.name }}
- --post-renderer ./kustomize"]
- applicationSet:
- resources:
- limits:
- cpu: "2"
- memory: 1Gi
- requests:
- cpu: 250m
- memory: 512Mi
- controller:
- processors: {}
- resources:
- limits:
- cpu: "4"
- memory: 4Gi
- requests:
- cpu: 500m
- memory: 2Gi
- sso:
- provider: dex
- dex:
- openShiftOAuth: true
- resources:
- limits:
- cpu: 500m
- memory: 256Mi
- requests:
- cpu: 250m
- memory: 128Mi
- initialSSHKnownHosts: {}
- rbac:
- defaultPolicy: role:admin
- repo:
- resources:
- limits:
- cpu: "1"
- memory: 512Mi
- requests:
- cpu: 250m
- memory: 256Mi
- resourceExclusions: |
- - apiGroups:
- - tekton.dev
- kinds:
- - TaskRun
- - PipelineRun
- server:
- autoscale:
- enabled: false
- grpc:
- ingress:
- enabled: false
- ingress:
- enabled: false
- resources:
- limits:
- cpu: 500m
- memory: 256Mi
- requests:
- cpu: 125m
- memory: 128Mi
- route:
- enabled: true
- tls:
- insecureEdgeTerminationPolicy: Redirect
- termination: reencrypt
- service:
- type: ""
- tls:
- ca: {}
-status:
----
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
- name: {{ .Values.clusterGroup.name }}-gitops-link
- namespace: {{ $namespace }}
-spec:
- applicationMenu:
- section: OpenShift GitOps
- imageURL: data:image/png;base64,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
- href: 'https://{{ .Values.clusterGroup.name }}-gitops-server-{{ $namespace }}.{{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }}'
- location: ApplicationMenu
- text: '{{ title .Values.clusterGroup.name }} ArgoCD'
-{{- end }}
diff --git a/common/clustergroup/templates/plumbing/cluster-external-secrets.yaml b/common/clustergroup/templates/plumbing/cluster-external-secrets.yaml
deleted file mode 100644
index 20d6f261..00000000
--- a/common/clustergroup/templates/plumbing/cluster-external-secrets.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-{{- if (eq .Values.enabled "plumbing") }}
-{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }}
-apiVersion: "external-secrets.io/v1beta1"
-kind: ExternalSecret
-metadata:
- name: {{ .Values.clusterGroup.targetCluster | kebabcase }}-secret
- namespace: openshift-gitops
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- argocd.argoproj.io/sync-wave: "100"
-spec:
- refreshInterval: 15s
- secretStoreRef:
- name: {{ $.Values.secretStore.name }}
- kind: {{ $.Values.secretStore.kind }}
- target:
- name: {{ .Values.clusterGroup.targetCluster | kebabcase }}-secret
- template:
- type: Opaque
- metadata:
- labels:
- argocd.argoproj.io/secret-type: cluster
- data:
- name: {{ .Values.clusterGroup.targetCluster }}
- server: https://api.{{ .Values.global.clusterDomain }}:6443
- config: |
- {
- "bearerToken": {{ "{{ .kubeBearer | toString | quote }}" }},
- "tlsClientConfig": {
- "insecure": false,
- "caData": {{ "{{ .kubeCA | toString | quote }}" }}
- }
- }
- data:
- - secretKey: kubeBearer
- remoteRef:
- key: {{ $.Values.clusterGroup.hostedSite.secretsPath }}
- property: bearerToken
- - secretKey: kubeCA
- remoteRef:
- key: {{ $.Values.clusterGroup.hostedSite.secretsPath }}
- property: caCert
-{{- end }}
diff --git a/common/clustergroup/templates/plumbing/gitops-namespace.yaml b/common/clustergroup/templates/plumbing/gitops-namespace.yaml
deleted file mode 100644
index 3cd7608d..00000000
--- a/common/clustergroup/templates/plumbing/gitops-namespace.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if not (eq .Values.enabled "plumbing") }}
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
- # The name here needs to be consistent with
- # - acm/templates/policies/application-policies.yaml
- # - clustergroup/templates/applications.yaml
- # - any references to secrets and route URLs in documentation
- name: {{ $.Values.global.pattern }}-{{ .Values.clusterGroup.name }}
-spec: {}
-{{- end }}
diff --git a/common/clustergroup/templates/plumbing/hosted-sites.yaml b/common/clustergroup/templates/plumbing/hosted-sites.yaml
deleted file mode 100644
index f1f57374..00000000
--- a/common/clustergroup/templates/plumbing/hosted-sites.yaml
+++ /dev/null
@@ -1,172 +0,0 @@
-{{- if (eq .Values.enabled "all") }}
-{{- range .Values.clusterGroup.managedClusterGroups }}
-{{- $group := . }}
-{{- if .hostedArgoSites }}
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
- name: {{ .name }}
- namespace: openshift-gitops
-spec:
- description: "Cluster Group {{ $group.name }}"
- destinations:
- - namespace: '*'
- server: '*'
- clusterResourceWhitelist:
- - group: '*'
- kind: '*'
- namespaceResourceWhitelist:
- - group: '*'
- kind: '*'
- sourceRepos:
- - '*'
-status: {}
----
-{{- end }}
-{{- range .hostedArgoSites }}
-{{ $secretsPathDefault := print "secret/data/hub/cluster_" .name }}
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: {{ $.Values.global.pattern }}-{{ $group.name }}-{{ .name }}
- namespace: openshift-gitops
- finalizers:
- - resources-finalizer.argocd.argoproj.io/foreground
-spec:
- project: {{ $group.name }}
- source:
- repoURL: {{ coalesce $group.repoURL $.Values.global.repoURL }}
- targetRevision: {{ coalesce $group.targetRevision $.Values.global.targetRevision }}
- path: {{ default "common/clustergroup" $group.path }}
- helm:
- ignoreMissingValueFiles: true
- valueFiles:
- - "/values-global.yaml"
- - "/values-{{ $group.name }}.yaml"
- {{- range $valueFile := $group.extraValueFiles }}
- - {{ $valueFile | quote }}
- {{- end }}
- parameters:
- - name: global.repoURL
- value: $ARGOCD_APP_SOURCE_REPO_URL
- - name: global.targetRevision
- value: $ARGOCD_APP_SOURCE_TARGET_REVISION
- - name: global.namespace
- value: $ARGOCD_APP_NAMESPACE
- - name: global.pattern
- value: {{ $.Values.global.pattern }}
- - name: global.hubClusterDomain
- value: {{ $.Values.global.hubClusterDomain }}
- - name: global.localClusterDomain
- value: apps.{{ .domain }}
- - name: global.clusterDomain
- value: {{ .domain }}
- - name: enabled
- value: core
- - name: clusterGroup.name
- value: {{ $group.name }}
- - name: clusterGroup.targetCluster
- value: {{ .name }}
- - name: clusterGroup.hostedSite.secretsPath
- value: {{ default $secretsPathDefault .secretsPath }}
- {{- range $group.helmOverrides }}
- - name: {{ .name }}
- value: {{ .value | quote }}
- {{- end }}
- {{- if $group.fileParameters }}
- fileParameters:
- {{- range $group.fileParameters }}
- - name: {{ .name }}
- path: {{ .path }}
- {{- end }}
- {{- end }}
- destination:
- name: {{ .name }}
- namespace: {{ $.Values.global.pattern }}-{{ $group.name }}
- syncPolicy:
- automated:
- selfHeal: true
- ignoreDifferences:
- - group: apps
- kind: Deployment
- jsonPointers:
- - /spec/replicas
- - group: route.openshift.io
- kind: Route
- jsonPointers:
- - /status
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: {{ $.Values.global.pattern }}-{{ $group.name }}-{{ .name }}-plumbing
- namespace: openshift-gitops
- finalizers:
- - resources-finalizer.argocd.argoproj.io/foreground
-spec:
- project: {{ $group.name }}
- source:
- repoURL: {{ coalesce $group.repoURL $.Values.global.repoURL }}
- targetRevision: {{ coalesce $group.targetRevision $.Values.global.targetRevision }}
- path: {{ default "common/clustergroup" $group.path }}
- helm:
- ignoreMissingValueFiles: true
- valueFiles:
- - "/values-global.yaml"
- - "/values-{{ $group.name }}.yaml"
- {{- range $valueFile := $group.extraValueFiles }}
- - {{ $valueFile | quote }}
- {{- end }}
- parameters:
- - name: global.repoURL
- value: $ARGOCD_APP_SOURCE_REPO_URL
- - name: global.targetRevision
- value: $ARGOCD_APP_SOURCE_TARGET_REVISION
- - name: global.namespace
- value: $ARGOCD_APP_NAMESPACE
- - name: global.pattern
- value: {{ $.Values.global.pattern }}
- - name: global.hubClusterDomain
- value: {{ $.Values.global.hubClusterDomain }}
- - name: global.localClusterDomain
- value: apps.{{ .domain }}
- - name: global.clusterDomain
- value: {{ .domain }}
- - name: enabled
- value: plumbing
- - name: clusterGroup.name
- value: {{ $group.name }}
- - name: clusterGroup.targetCluster
- value: {{ .name }}
- - name: clusterGroup.hostedSite.secretsPath
- value: {{ default $secretsPathDefault .secretsPath }}
- {{- range $group.helmOverrides }}
- - name: {{ .name }}
- value: {{ .value | quote }}
- {{- end }}
- {{- if $group.fileParameters }}
- fileParameters:
- {{- range $group.fileParameters }}
- - name: {{ .name }}
- path: {{ .path }}
- {{- end }}
- {{- end }}
- destination:
- name: in-cluster
- namespace: openshift-gitops
- syncPolicy:
- automated:
- selfHeal: true
- ignoreDifferences:
- - group: apps
- kind: Deployment
- jsonPointers:
- - /spec/replicas
- - group: route.openshift.io
- kind: Route
- jsonPointers:
- - /status
----
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/common/clustergroup/templates/plumbing/projects.yaml b/common/clustergroup/templates/plumbing/projects.yaml
deleted file mode 100644
index 7f3b8c22..00000000
--- a/common/clustergroup/templates/plumbing/projects.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-{{- if not (eq .Values.enabled "core") }}
-{{- $namespace := print $.Values.global.pattern "-" $.Values.clusterGroup.name }}
-{{- range .Values.clusterGroup.projects }}
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
- name: {{ . }}
-{{- if (eq $.Values.enabled "plumbing") }}
- namespace: openshift-gitops
-{{- else }}
- namespace: {{ $namespace }}
-{{- end }}
-spec:
- description: "Pattern {{ . }}"
- destinations:
- - namespace: '*'
- server: '*'
- clusterResourceWhitelist:
- - group: '*'
- kind: '*'
- namespaceResourceWhitelist:
- - group: '*'
- kind: '*'
- sourceRepos:
- - '*'
-status: {}
----
-{{- end }}
-{{- end }}
diff --git a/common/clustergroup/test.yaml b/common/clustergroup/test.yaml
deleted file mode 100644
index 3c0afc6f..00000000
--- a/common/clustergroup/test.yaml
+++ /dev/null
@@ -1,100 +0,0 @@ -clusterGroup: - name: hub - isHubCluster: true - - namespaces: - - open-cluster-management - - vault - - golang-external-secrets - - config-demo - - indexImages: - - name: snr - image: quay.io/mshitrit/self-node-remediation-manager-index:0.0.104 - - subscriptions: - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.5 - csv: advanced-cluster-management.v2.5.0 - - projects: - - hub - - config-demo - - applications: - acm: - name: acm - namespace: open-cluster-management - project: hub - path: common/acm - ignoreDifferences: - - group: internal.open-cluster-management.io - kind: ManagedClusterInfo - jsonPointers: - - /spec/loggingCA - - vault: - name: vault - namespace: vault - project: hub - chart: vault - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.21.0 - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.11.2-ubi" - - golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - project: hub - path: common/golang-external-secrets - - config-demo: - name: config-demo - namespace: config-demo - project: config-demo - path: charts/all/config-demo - - imperative: - # NOTE: We *must* use lists and not hashes. 
As hashes lose ordering once parsed by helm - # The default schedule is every 10 minutes: imperative.schedule - # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds - # imagePullPolicy is set to always: imperative.imagePullPolicy - # For additional overrides that apply to the jobs, please refer to - # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations - jobs: - - name: regional-ca - # ansible playbook to be run - playbook: ansible/playbooks/on-hub-get-regional-ca.yml - # per playbook timeout in seconds - timeout: 234 - # verbosity: "-v" - - managedClusterGroups: - region-one: - name: region-one - hostedArgoSites: - - perth - - sydney - helmOverrides: - - name: clusterGroup.isHubCluster - value: false diff --git a/common/clustergroup/values.schema.json b/common/clustergroup/values.schema.json deleted file mode 100644 index e64a8125..00000000 --- a/common/clustergroup/values.schema.json +++ /dev/null 
@@ -1,828 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "$ref": "#/definitions/ValidatedPatterns", - "definitions": { - "ValidatedPatterns": { - "type": "object", - "additionalProperties": true, - "properties": { - "enabled": { - "type": "string", - "enum": [ - "all", - "core", - "plumbing" - ] - }, - "secretStore": { - "$ref": "#/definitions/SecretStore" - }, - "main": { - "$ref": "#/definitions/Main" - }, - "global": { - "$ref": "#/definitions/Global" - }, - "clusterGroup": { - "$ref": "#/definitions/ClusterGroup" - } - }, - "required": [ - "clusterGroup" - ], - "title": "ValidatedPatterns" - }, - "SecretStore": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Name of the external secret backend", - "default": "vault-backend" - }, - "kind": { - "type": "string", - "description": "Type of the external secret backend", - "default": "ClusterSecretStore" - } - }, - "required": [ - "name", - "kind" - ], - "title": "SecretsStore" - }, - "Main": { - "type": "object", - "additionalProperties": false, - "required": [ - "clusterGroupName" - ], - "title": "Main", - "description": "This section contains the 'main' variables which are used by the install chart only and are passed to helm via the Makefile", - "properties": { - "clusterGroupName": { - "type": "string" - }, - "git": { - "type": "object", - "additionalProperties": false, - "required": [ - "repoURL", - "revision" - ], - "properties": { - "repoURL": { - "type": "string", - "description": "URL of the pattern's git repository" - }, - "revision": { - "type": "string", - "description": "revision (branch/commit/ref) to use on the pattern's git repository" - } - } - }, - "gitops": { - "type": "object", - "additionalProperties": false, - "properties": { - "channel": { - "type": "string", - "description": "The channel from which to install the gitops operator" - } - } - } - } - }, - "Global": { - "type": "object", - 
"additionalProperties": true, - "properties": { - "pattern": { - "type": "string", - "readOnly": true, - "description": "The name of the pattern being installed. The default is the name of the repository's folder and is automatically set by the Makefile" - }, - "clusterDomain": { - "type": "string", - "readOnly": true, - "description": "The FQDN domain of the cluster without the 'apps.' component. For example: mcg-hub.blueprints.rhecoeng.com. Gets set automatically by the framework" - }, - "localClusterDomain": { - "type": "string", - "readOnly": true, - "description": "The FQDN domain of the cluster including the 'apps.' component. For example: apps.mcg-hub.blueprints.rhecoeng.com. Gets set automatically by the framework" - }, - "targetRevision": { - "type": "string", - "readOnly": true, - "description": "revision (branch/commit/ref) to use on the pattern's git repository, it is set automatically by the pattern's operator" - }, - "repoURL": { - "type": "string", - "readOnly": true, - "description": "URL of the pattern's git repository, it is set automatically by the pattern's operator" - }, - "hubClusterDomain": { - "type": "string", - "readOnly": true, - "description": "The FQDN domain of the hub cluster including the 'apps.' component. For example: apps.mcg-hub.blueprints.rhecoeng.com. Gets set automatically by the framework. Only makes sense when using ACM" - }, - "namespace": { - "type": "string", - "readOnly": true, - "description": "The namespace in which the ArgoCD instance is running. 
Automatically set to either 'openshift-operators' or '$ARGOCD_APP_NAMESPACE'" - }, - "git": { - "$ref": "#/definitions/GlobalGit" - }, - "options": { - "$ref": "#/definitions/Options" - } - }, - "required": [ - "options" - ], - "title": "Global" - }, - "GlobalGit": { - "type": "object", - "additionalProperties": true, - "description": "The git configuration used to support Tekton pipeline tasks.", - "properties": { - "hostname": { - "type": "string", - "description": "The hostname for the Git provider being used. e.g. github.com or gitlab.com" - }, - "account": { - "type": "string", - "description": "The account for the Git provider. Accounts allow you to organize and control access to that code. There are three types of accounts on GitHub. Personal accounts Organization accounts Enterprise accounts e.g. hybrid-cloud-patterns or claudiol" - }, - "email": { - "type": "string", - "description": "The contact email for the Git account. e.g. account@gmail.com" - }, - "dev_revision": { - "type": "string", - "deprecated": true, - "description": "This is used by the pipelines as the branch for the development repository. e.g. v2.0. This is marked as deprecated" - } - }, - "required": [ - "hostname", - "account", - "email" - ], - "title": "GlobalGit" - }, - "Options": { - "type": "object", - "additionalProperties": false, - "properties": { - "useCSV": { - "type": "boolean", - "deprecated": true - }, - "syncPolicy": { - "type": "string", - "description": "This is the sync policy for the ArgoCD applications. When set to Automatic ArgoCD will automatically sync an application when it detects differences between the desired manifests in Git." - }, - "installPlanApproval": { - "type": "string", - "deprecated": true, - "description": "This is used to approval strategy for the subscriptions of OpenShift Operators being installed. You can choose Automatic or Manual updates. NOTE: This setting is now available in the subcriptions description in the values file." 
- }, - "applicationRetryLimit": { - "type": "integer", - "description": "Number of failed sync attempt retries; unlimited number of attempts if less than 0" - } - }, - "required": [ - "installPlanApproval", - "syncPolicy", - "useCSV" - ], - "title": "Options" - }, - "ClusterGroup": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "The name of the cluster group." - }, - "targetCluster": { - "type": "string" - }, - "isHubCluster": { - "type": "boolean", - "description": "If set to true the values is used to identify whether this is the hub cluster or an edge/spoke cluster configuration." - }, - "namespaces": { - "type": "array", - "description": "This is the array of namespaces that the VP framework will create. In addition, operator groups will also be created for each namespace.", - "items": { - "$ref": "#/definitions/Namespaces" - } - }, - "indexImages": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "List of index images for overriding default catalog sources.", - "items": { - "$ref": "#/definitions/IndexImages" - } - }, - "operatorgroupExcludes": { - "type": "array", - "description": "List of namespaces to exclude the creation of operator groups.", - "items": { - "type": "string" - } - }, - "hostedSite": { - "type": "object", - "items": { - "$ref": "#/definitions/HostedSite" - } - }, - "subscriptions": { - "anyOf": [ - { - "type": "null" - }, - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "Description of the subscriptions that the VP Framework will install in the cluster. 
Two ways of defining subscriptions: Using a list or using a dictionary.", - "items": { - "$ref": "#/definitions/Subscription" - } - }, - "projects": { - "type": "array", - "description": "The list of projects that will be created in the ArgoCD instances.", - "items": { - "type": "string" - } - }, - "applications": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "Description of the applications that will be created in the ArgoCD instances. Two ways of defining applications: Using a list or using a dictionary.", - "items": { - "$ref": "#/definitions/Applications" - } - }, - "imperative": { - "$ref": "#/definitions/Imperative" - }, - "managedClusterGroups": { - "anyOf": [ - { - "type": "array" - }, - { - "type": "object" - } - ], - "description": "Description of the managed clusters that ACM will be able to manage. Two ways of defining managed clusters: Using a list or using a dictionary.", - "items": { - "$ref": "#/definitions/ManagedClusterGroup" - } - }, - "externalClusters": { - "type": "array" - } - }, - "required": [ - "applications", - "isHubCluster", - "name", - "namespaces", - "projects" - ], - "title": "ClusterGroup" - }, - "Namespaces": { - "anyOf": [ - { - "type": "object" - }, - { - "type": "string" - } - ], - "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name of the namespace." 
- }, - "labels": { - "type": "array", - "items": { - "$ref": "#/definitions/NameValue" - } - }, - "annotations": { - "type": "array", - "items": { - "$ref": "#/definitions/NameValue" - } - } - } - }, - "NameValue": { - "type": "object", - "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name of the namespace." - }, - "value": { - "type": "string", - "description": "Name of the namespace." - } - } - }, - "Applications": { - "type": "object", - "description": "Description of the applications that will be created in the ArgoCD instances. The Application CRD is the Kubernetes resource object representing a deployed application instance in an environment. Two ways of defining applications: Using a list or using a dictionary.", - "additionalProperties": true, - "properties": { - "name": { - "type": "string", - "description": "Name of the application in ArgoCD." - }, - "repoURL": { - "type": "string", - "description": "RepoURL is the URL to the repository (Git or Helm) that contains the application manifests." - }, - "targetRevision": { - "type": "string", - "description": "TargetRevision defines the revision of the source to sync the application to. In case of Git, this can be commit, tag, or branch. If omitted, will equal to HEAD. In case of Helm, this is a semver tag for the Chart's version." - }, - "chart": { - "type": "string", - "description": "Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo." - }, - "kustomize": { - "type": "boolean", - "description": "If set to true it will tell ArgoCD to use kustomize to deploy the application." 
- }, - "plugin": { - "type": "object", - "description": "Plugin holds config management plugin specific options" - }, - "extraValueFiles": { - "type": "array", - "description": "List of extra values files that will be passed to ArgoCD." - }, - "extraHubClusterDomainFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraLocalClusterDomainFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraRepoURLFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraTargetRevisionFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraNamespaceFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "extraPatternNameFields": { - "type": "array", - "description": "List of extra fields that will be passed to ArgoCD." - }, - "overrides": { - "type": "object" - }, - "fileParameters": { - "type": "array", - "description": "FileParameters are file parameters to the helm template" - }, - "ignoreDifferences": { - "type": "array", - "description": "IgnoreDifferences is a list of resources and their fields which should be ignored during comparison" - }, - "syncPolicy": { - "type": "object", - "description": "SyncPolicy controls when and how a sync will be performed" - }, - "namespace": { - "type": "string", - "description": "Namespace specifies the target namespace for the application's resources. The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace" - }, - "project": { - "type": "string", - "description": "Project is a reference to the project this application belongs to. The empty string means that application belongs to the 'default' project." 
- }, - "path": { - "type": "string", - "description": "Path is a directory path within the Git repository, and is only valid for applications sourced from Git." - } - }, - "required": [ - "name", - "path", - "project" - ], - "title": "Applications" - }, - "IndexImages": { - "type": "object", - "description": "Details for overriding default catalog sources", - "additionalProperties": false, - "properties": { - "name": { - "type": "string", - "description": "Name for the custom catalog source." - }, - "image": { - "type": "string", - "description": "Location of the index image." - } - } - }, - "HostedSite": { - "type": "object", - "additionalProperties": false, - "properties": { - "secretsPath": { - "type": "string", - "description": "It represents the path in the vault that is supposed to contain two fields: 'bearerToken' representing the token to use to authenticate to the remote cluster and 'caCert' which is the base64-encoded Certificate Authority cert of the remote cluster." - } - }, - "required": [ - "secretsPath" - ], - "title": "HostedSite" - }, - "Imperative": { - "type": "object", - "additionalProperties": false, - "properties": { - "jobs": { - "type": "array", - "items": { - "$ref": "#/definitions/Job" - } - }, - "image": { - "type": "string", - "default": "registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest" - }, - "namespace": { - "type": "string", - "default": "imperative", - "enum": [ - "imperative" - ] - }, - "serviceAccountCreate": { - "type": "boolean" - }, - "valuesConfigMap": { - "type": "string" - }, - "cronJobName": { - "type": "string" - }, - "jobName": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "default": "Always", - "enum": [ - "Always", - "IfNotPresent", - "Never" - ] - }, - "activeDeadlineSeconds": { - "type": "integer", - "default": 3600 - }, - "schedule": { - "type": "string", - "default": "*/10 * * * *" - }, - "insecureUnsealVaultInsideClusterSchedule": { - "type": "string", - 
"default": "*/5 * * * *" - }, - "verbosity": { - "type": "string", - "default": "", - "enum": [ - "", - "-v", - "-vv", - "-vvv", - "-vvvv" - ] - }, - "serviceAccountName": { - "type": "string" - }, - "clusterRoleName": { - "type": "string" - }, - "clusterRoleYaml": { - "type": ["string", "array"] - }, - "roleName": { - "type": "string" - }, - "roleYaml": { - "type": "string" - } - }, - "required": [ - "jobs" - ], - "title": "Imperative" - }, - "Job": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "playbook": { - "type": "string" - }, - "timeout": { - "type": ["integer", "string"] - }, - "image": { - "type": "string", - "default": "registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest" - }, - "tags": { - "type": "string" - }, - "extravars": { - "type": "array" - }, - "verbosity": { - "type": "string" - } - }, - "required": [ - "name", - "playbook" - ], - "title": "Job" - }, - "ManagedClusterGroup": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "targetRevision": { - "type": "string" - }, - "acmlabels": { - "type": "array", - "items": { - "$ref": "#/definitions/ACMLabels" - } - }, - "hostedArgoSites": { - "type": "array", - "items": { - "$ref": "#/definitions/HostedArgoSites" - } - }, - "clusterPools": { - "type": "object", - "items": { - "$ref": "#/definitions/ClusterPools" - } - }, - "clusterSelector": { - "type": "object", - "additionalProperties": true - }, - "helmOverrides": { - "type": "array", - "items": { - "$ref": "#/definitions/HelmOverride" - } - } - }, - "required": [], - "title": "ManagedClusterGroup" - }, - "ClusterPools": { - "type": "object", - "additionalProperties": false, - "properties": { - "size": { - "type": "integer" - }, - "name": { - "type": "string" - }, - "openshiftVersion": { - "type": "string" - }, - "baseDomain": { - "type": "string" - }, - "platform": { - "type": "object", - "$ref": 
"#/definitions/ClusterPoolsPlatform" - }, - "clusters": { - "type": "array" - } - }, - "required": [ - "name", - "openshiftVersion", - "baseDomain", - "platform", - "clusters" - ], - "title": "ClusterPools" - }, - "ClusterPoolsPlatform": { - "type": "object", - "additionalProperties": false, - "properties": { - "baseDomainResourceGroupName": { - "type": "string" - }, - "region": { - "type": "string" - } - }, - "required": [ - "region" - ], - "title": "ClusterPoolsPlatform" - }, - "HelmOverride": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "value": { - "anyOf": [ - { - "type": "string" - }, - { - "type": "boolean" - } - ] - } - }, - "required": [ - "name", - "value" - ], - "title": "HelmOverride" - }, - "ACMLabels": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "name", - "value" - ], - "title": "ACMLabels" - }, - "Subscription": { - "type": "object", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "namespaces": { - "type": "array" - }, - "namespace": { - "type": "string" - }, - "sourceNamespace": { - "type": "string" - }, - "source": { - "type": "string" - }, - "channel": { - "type": "string" - }, - "csv": { - "type": "string" - }, - "installPlanApproval": { - "type": "string", - "enum": [ - "Manual", - "Automatic" - ] - }, - "config": { - "type": "object", - "$ref": "#/definitions/SubscriptionsConfigEnv" - }, - "disabled": { - "type": "boolean" - } - }, - "required": [ - "name" - ], - "title": "Subscription" - }, - "SubscriptionsConfigEnv": { - "type": "array", - "additionalProperties": false, - "properties": { - "name": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "required": [ - "name", - "value" - ], - "title": "SubscriptionsConfigEnv" - }, - "HostedArgoSites": { - "type": "object", - "additionalProperties": 
false, - "properties": { - "name": { - "type": "string" - }, - "domain": { - "type": "string" - }, - "bearerKeyPath": { - "type": "string" - }, - "caKeyPath": { - "type": "string" - } - }, - "required": [ - "name", - "domain" - ], - "title": "HostedArgoSites" - } - } -} diff --git a/common/clustergroup/values.yaml b/common/clustergroup/values.yaml deleted file mode 100644 index 117e009e..00000000 --- a/common/clustergroup/values.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -global: - pattern: common - targetRevision: main - options: - useCSV: True - syncPolicy: Automatic - installPlanApproval: Automatic - applicationRetryLimit: 20 - -enabled: "all" - -# Note that sometimes changing helm values might require a hard refresh (https://github.com/helm/helm/issues/3486) -clusterGroup: - name: example - isHubCluster: true - targetCluster: in-cluster - - imperative: - jobs: [] - # This image contains ansible + kubernetes.core by default and is used to run the jobs - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - namespace: "imperative" - # configmap name in the namespace that will contain all helm values - valuesConfigMap: "helm-values-configmap" - cronJobName: "imperative-cronjob" - jobName: "imperative-job" - imagePullPolicy: Always - # This is the maximum timeout of all the jobs (1h) - activeDeadlineSeconds: 3600 - # By default we run this every 10minutes - schedule: "*/10 * * * *" - # Schedule used to trigger the vault unsealing (if explicitely enabled) - # Set to run every 5 minutes in order for load-secrets to succeed within - # a reasonable amount of time (it waits up to 15 mins) - insecureUnsealVaultInsideClusterSchedule: "*/5 * * * *" - # Increase ansible verbosity with '-v' or '-vv..' 
- verbosity: "" - serviceAccountCreate: true - # service account to be used to run the cron pods - serviceAccountName: imperative-sa - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - roleName: imperative-role - roleYaml: "" - managedClusterGroups: {} - namespaces: [] -# - name: factory -# # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git -# # Location of values-global.yaml, values-{name}.yaml, values-{app}.yaml -# targetRevision: main -# path: applications/factory -# helmOverrides: -# - name: clusterGroup.isHubCluster -# value: false -# clusterSelector: -# matchExpressions: -# - key: vendor -# operator: In -# values: -# - OpenShift -# -# - open-cluster-management -# - subscriptions: {} -# - name: advanced-cluster-management -# namespace: open-cluster-management -# source: redhat-operators -# channel: release-2.3 -# csv: v2.3.2 -# - projects: [] -# - datacenter -# - applications: {} -# - name: acm -# namespace: default -# project: datacenter -# path: applications/acm - -secretStore: - name: vault-backend - kind: ClusterSecretStore - -# Depends on the value of 'vault_hub' ansible variable used -# during the installation -#secretsBase: -# key: secret/data/hub - diff --git a/common/common b/common/common deleted file mode 120000 index 945c9b46..00000000 --- a/common/common +++ /dev/null @@ -1 +0,0 @@ -. \ No newline at end of file diff --git a/common/examples/blank/Chart.yaml b/common/examples/blank/Chart.yaml deleted file mode 100644 index c552610d..00000000 --- a/common/examples/blank/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: An empty Helm chart -keywords: -- pattern -name: blank -version: 0.0.1 diff --git a/common/examples/blank/templates/manifest.yaml b/common/examples/blank/templates/manifest.yaml deleted file mode 100644 index 3f160b02..00000000 --- a/common/examples/blank/templates/manifest.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: example 
diff --git a/common/examples/blank/values.yaml b/common/examples/blank/values.yaml deleted file mode 100644 index 35e4a6f4..00000000 --- a/common/examples/blank/values.yaml +++ /dev/null @@ -1,2 +0,0 @@ -tree: - of: "values" diff --git a/common/examples/industrial-edge-factory.yaml b/common/examples/industrial-edge-factory.yaml deleted file mode 100644 index 9ed1e8d3..00000000 --- a/common/examples/industrial-edge-factory.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -clusterGroup: - name: factory - isHubCluster: false - - namespaces: - - manuela-stormshift-line-dashboard - - manuela-stormshift-machine-sensor - - manuela-stormshift-messaging - - manuela-factory-ml-workspace - - operatorgroupExcludes: - - manuela-factory-ml-workspace - - subscriptions: - - name: opendatahub-operator - channel: stable - source: community-operators - - - name: seldon-operator - namespace: manuela-stormshift-messaging - channel: stable - source: community-operators - - - name: amq-streams - namespace: manuela-stormshift-messaging - channel: stable - - - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging - channel: 7.x - - - name: red-hat-camel-k - namespace: manuela-stormshift-messaging - channel: stable - - projects: - - factory - - applications: - - name: stormshift - project: factory - path: charts/factory/manuela-stormshift - plugin: - name: helm-with-kustomize - - - name: odh - namespace: manuela-factory-ml-workspace - project: factory - path: charts/datacenter/opendatahub - -# -# To have apps in multiple flavors, use namespaces and use helm overrides as appropriate -# -# - name: pipelines -# namespace: production -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: stable -# overrides: -# - name: myparam -# value: myparam -# -# - name: pipelines -# namespace: staging -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: main -# -# Additional applications -# Be sure to include additional resources your apps will require -# +X machines -# +Y RAM -# +Z CPU -# - name: vendor-app -# namespace: default -# project: vendor -# path: path/to/myapp -# repoURL: https://github.com/vendor/applications.git -# targetRevision: main diff --git a/common/examples/industrial-edge-hub.yaml b/common/examples/industrial-edge-hub.yaml deleted file mode 100644 index 3dfd2fc8..00000000 
--- a/common/examples/industrial-edge-hub.yaml +++ /dev/null 
@@ -1,210 +0,0 @@ -clusterGroup: - name: datacenter - isHubCluster: true - - namespaces: - - golang-external-secrets - - external-secrets - - open-cluster-management - - manuela-ml-workspace - - manuela-tst-all - - manuela-ci - - manuela-data-lake - - staging - - vault - - operatorgroupExcludes: - - manuela-ml-workspace - - subscriptions: - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.6 - - amqbroker-prod: - name: amq-broker-rhel8 - namespace: manuela-tst-all - channel: 7.x - - amqstreams-prod-dev: - name: amq-streams - namespaces: - - manuela-data-lake - - manuela-tst-all - channel: stable - - camelk-prod-dev: - name: red-hat-camel-k - namespaces: - - manuela-data-lake - - manuela-tst-all - channel: stable - - seldon-prod-dev: - name: seldon-operator - namespaces: - - manuela-ml-workspace - - manuela-tst-all - channel: stable - source: community-operators - - pipelines: - name: openshift-pipelines-operator-rh - channel: latest - source: redhat-operators - - odh: - name: opendatahub-operator - channel: stable - source: community-operators - - projects: - - datacenter - - production-datalake - - golang-external-secrets - - vault - - applications: - acm: - name: acm - namespace: open-cluster-management - project: datacenter - path: common/acm - ignoreDifferences: - - group: internal.open-cluster-management.io - kind: ManagedClusterInfo - jsonPointers: - - /spec/loggingCA - - odh: - name: odh - namespace: manuela-ml-workspace - project: datacenter - path: charts/datacenter/opendatahub - - pipelines: - name: pipelines - namespace: manuela-ci - project: datacenter - path: charts/datacenter/pipelines - - production-data-lake: - name: production-data-lake - namespace: manuela-data-lake - project: production-datalake - path: charts/datacenter/manuela-data-lake - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status 
- - group: image.openshift.io - kind: ImageStream - jsonPointers: - - /spec/tags - - group: apps.openshift.io - kind: DeploymentConfig - jsonPointers: - - /spec/template/spec/containers/0/image - - test: - name: manuela-test - namespace: manuela-tst-all - project: datacenter - path: charts/datacenter/manuela-tst - plugin: - name: helm-with-kustomize - - vault: - name: vault - namespace: vault - project: datacenter - chart: vault - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - - secrets-operator: - name: golang-external-secrets - namespace: golang-external-secrets - project: golang-external-secrets - path: common/golang-external-secrets - - secrets: - name: external-secrets - namespace: external-secrets - project: golang-external-secrets - path: charts/datacenter/external-secrets - -# To have apps in multiple flavors, use namespaces and use helm overrides as appropriate -# -# - name: pipelines -# namespace: production -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: stable -# overrides: -# - name: myparam -# value: myparam -# -# - name: pipelines -# namespace: staging -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: main -# -# Additional applications -# Be sure to include additional resources your apps will require -# +X machines -# +Y RAM -# +Z CPU -# - name: vendor-app -# namespace: default -# project: vendor -# path: path/to/myapp 
-# repoURL: https://github.com/vendor/applications.git -# targetRevision: main - - managedClusterGroups: - factory: - name: factory - # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git - # targetRevision: main - helmOverrides: - # Values must be strings! - - name: clusterGroup.isHubCluster - value: "false" - clusterSelector: - matchLabels: - clusterGroup: factory - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - diff --git a/common/examples/kustomize-renderer/Chart.yaml b/common/examples/kustomize-renderer/Chart.yaml deleted file mode 100644 index 88a786c9..00000000 --- a/common/examples/kustomize-renderer/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: A Helm chart to demonstrate how to use with kustomize -keywords: -- pattern -name: example -version: 0.0.1 diff --git a/common/examples/kustomize-renderer/environment.yaml b/common/examples/kustomize-renderer/environment.yaml deleted file mode 100644 index de4c48a9..00000000 --- a/common/examples/kustomize-renderer/environment.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - IMAGE_PROVIDER: {{ .Values.global.imageregistry.hostname }} - IMAGE_ACCOUNT: {{ .Values.global.imageregistry.account }} - GIT_EMAIL: {{ .Values.global.git.email }} - GIT_DEV_REPO_URL: https://{{ .Values.global.git.hostname }}/{{ .Values.global.git.account }}/manuela-dev.git - GIT_DEV_REPO_REVISION: {{ .Values.global.git.dev_revision }} - GIT_OPS_REPO_TEST_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_TEST_REVISION: {{ .Values.global.targetRevision }} - GIT_OPS_REPO_PROD_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_PROD_REVISION: {{ .Values.global.targetRevision }} - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: images.(name==messaging).newTag - IOT_CONSUMER_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_CONSUMER_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/messaging/kustomization.yaml - IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/messaging/messaging-is.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: images.(name==line-dashboard).newTag - IOT_FRONTEND_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_FRONTEND_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/line-dashboard/kustomization.yaml - IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/line-dashboard/line-dashboard-is.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: images.(name==machine-sensor).newTag - IOT_SWSENSOR_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_SWSENSOR_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/machine-sensor/kustomization.yaml - IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/machine-sensor/machine-sensor-is.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: images.(name==anomaly-detection).newTag - 
IOT_ANOMALY_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_ANOMALY_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/anomaly-detection/kustomization.yaml - IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/anomaly-detection/anomaly-detection-is.yaml diff --git a/common/examples/kustomize-renderer/kustomization.yaml b/common/examples/kustomize-renderer/kustomization.yaml deleted file mode 100644 index 8d8bcd10..00000000 --- a/common/examples/kustomize-renderer/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -resources: - - environment.yaml - -patches: -- helm.patch.yaml diff --git a/common/examples/kustomize-renderer/kustomize b/common/examples/kustomize-renderer/kustomize deleted file mode 100755 index 3266d453..00000000 --- a/common/examples/kustomize-renderer/kustomize +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash -x - -BASE=`dirname $0` -if [ $BASE = $PWD ]; then - BASE=./ -fi - -cat <&0 > "$BASE/helm.yaml" - -# Including at least one log to stderr allows us to see the full -x output -echo $HOME $PWD 1>&2 -ls -al 1>&2 - -kustomize build "$BASE" && rm "$BASE/helm.yaml" diff --git a/common/examples/kustomize-renderer/templates/environment.yaml b/common/examples/kustomize-renderer/templates/environment.yaml deleted file mode 100644 index de4c48a9..00000000 --- a/common/examples/kustomize-renderer/templates/environment.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: environment -data: - IMAGE_PROVIDER: {{ .Values.global.imageregistry.hostname }} - IMAGE_ACCOUNT: {{ .Values.global.imageregistry.account }} - GIT_EMAIL: {{ .Values.global.git.email }} - GIT_DEV_REPO_URL: https://{{ .Values.global.git.hostname }}/{{ .Values.global.git.account }}/manuela-dev.git - GIT_DEV_REPO_REVISION: {{ .Values.global.git.dev_revision }} - GIT_OPS_REPO_TEST_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_TEST_REVISION: {{ .Values.global.targetRevision }} - GIT_OPS_REPO_PROD_URL: {{ .Values.global.repoURL }} - GIT_OPS_REPO_PROD_REVISION: {{ .Values.global.targetRevision }} - IOT_CONSUMER_IMAGE: iot-consumer - IOT_CONSUMER_YAML_PATH: images.(name==messaging).newTag - IOT_CONSUMER_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_CONSUMER_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/messaging/kustomization.yaml - IOT_CONSUMER_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/messaging/messaging-is.yaml - IOT_FRONTEND_IMAGE: iot-frontend - IOT_FRONTEND_YAML_PATH: images.(name==line-dashboard).newTag - IOT_FRONTEND_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_FRONTEND_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/line-dashboard/kustomization.yaml - IOT_FRONTEND_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/line-dashboard/line-dashboard-is.yaml - IOT_SWSENSOR_IMAGE: iot-software-sensor - IOT_SWSENSOR_YAML_PATH: images.(name==machine-sensor).newTag - IOT_SWSENSOR_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_SWSENSOR_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/machine-sensor/kustomization.yaml - IOT_SWSENSOR_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/machine-sensor/machine-sensor-is.yaml - IOT_ANOMALY_IMAGE: iot-anomaly-detection - IOT_ANOMALY_YAML_PATH: images.(name==anomaly-detection).newTag - 
IOT_ANOMALY_TEST_KUSTOMIZATION_PATH: charts/datacenter/manuela-tst/kustomization.yaml - IOT_ANOMALY_PROD_KUSTOMIZATION_PATH: charts/factory/manuela-stormshift/anomaly-detection/kustomization.yaml - IOT_ANOMALY_PROD_IMAGESTREAM_PATH: charts/factory/manuela-stormshift/anomaly-detection/anomaly-detection-is.yaml diff --git a/common/examples/kustomize-renderer/values.yaml b/common/examples/kustomize-renderer/values.yaml deleted file mode 100644 index cb80a03a..00000000 --- a/common/examples/kustomize-renderer/values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -global: - git: - provider: github.com - account: PLAINTEXT - username: PLAINTEXT - email: SOMEWHERE@EXAMPLE.COM - dev_revision: main - - imageregistry: - provider: quay.io - account: PLAINTEXT - diff --git a/common/examples/medical-diagnosis-hub.yaml b/common/examples/medical-diagnosis-hub.yaml deleted file mode 100644 index 8bde30d0..00000000 --- a/common/examples/medical-diagnosis-hub.yaml +++ /dev/null 
@@ -1,228 +0,0 @@ -clusterGroup: - name: hub - isHubCluster: true - - namespaces: - - open-cluster-management - - openshift-serverless - - opendatahub - - openshift-storage - - xraylab-1 - - knative-serving - - staging - - vault - - golang-external-secrets - - subscriptions: - amq-streams: - name: amq-streams - namespace: xraylab-1 - channel: stable - - grafana: - name: grafana-operator - namespace: xraylab-1 - channel: v4 - source: community-operators - - odf: - name: odf-operator - namespace: openshift-storage - channel: stable-4.11 - - severless: - name: serverless-operator - channel: stable - - opendatahub: - name: opendatahub-operator - source: community-operators - - projects: - - hub - - medical-diagnosis - - applications: - vault: - name: vault - namespace: vault - project: hub - chart: vault - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - - golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - project: hub - path: common/golang-external-secrets - - opendatahub: - name: odh - namespace: opendatahub - project: medical-diagnosis - path: charts/all/opendatahub - - openshift-data-foundations: - name: odf - namespace: openshift-storage - project: medical-diagnosis - path: charts/all/openshift-data-foundations - - openshift-serverless: - name: serverless - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/openshift-serverless - - kafka: - name: kafka - namespace: xraylab-1 - project: medical-diagnosis - path: 
charts/all/kafka - - kafdrop: - name: kafdrop - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/kafdrop - - service-account: - name: xraylab-service-account - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/service-account - - xraylab-init: - name: xraylab-init - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/xray-init - - xraylab-database: - name: xraylab-database - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/database - - xraylab-grafana-dashboards: - name: xraylab-grafana-dashboards - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/grafana - - xraylab-image-server: - name: xraylab-image-server - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/image-server - ignoreDifferences: - - group: apps.openshift.io - kind: DeploymentConfig - jqPathExpressions: - - '.spec.template.spec.containers[].image' - - xraylab-image-generator: - name: xraylab-image-generator - namespace: xraylab-1 - project: medical-diagnosis - path: charts/all/medical-diagnosis/image-generator - ignoreDifferences: - - group: apps.openshift.io - kind: DeploymentConfig - jqPathExpressions: - - '.spec.template.spec.containers[].image' - - imperative: - # NOTE: We *must* use lists and not hashes. 
As hashes lose ordering once parsed by helm - # The default schedule is every 10 minutes: imperative.schedule - # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds - # imagePullPolicy is set to always: imperative.imagePullPolicy - # For additional overrides that apply to the jobs, please refer to - # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations - jobs: - - name: regional-ca - # ansible playbook to be run - playbook: ansible/playbooks/on-hub-get-regional-ca.yml - # per playbook timeout in seconds - timeout: 234 - # verbosity: "-v" - - managedClusterGroups: - region-one: - name: region-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false - clusterSelector: - matchLabels: - clusterGroup: region-one - -# To have apps in multiple flavors, use namespaces and use helm overrides as appropriate -# -# pipelines: -# name: pipelines -# namespace: production -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: stable -# overrides: -# - name: myparam -# value: myparam -# -# pipelines_staging: -# - name: pipelines -# namespace: staging -# project: datacenter -# path: applications/pipeline -# repoURL: https://github.com/you/applications.git -# targetRevision: main -# -# Additional applications -# Be sure to include additional resources your apps will require -# +X machines -# +Y RAM -# +Z CPU -# vendor-app: -# name: vendor-app -# namespace: default -# project: vendor -# path: path/to/myapp -# repoURL: https://github.com/vendor/applications.git -# targetRevision: main - -# managedSites: -# factory: -# name: factory -# # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git -# targetRevision: main -# path: applications/factory -# helmOverrides: -# - name: site.isHubCluster -# value: false -# clusterSelector: -# matchExpressions: -# - key: vendor -# operator: In -# values: -# - OpenShift 
diff --git a/common/examples/secrets/values-secret.v1.yaml b/common/examples/secrets/values-secret.v1.yaml deleted file mode 100644 index c04e8262..00000000 --- a/common/examples/secrets/values-secret.v1.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -# By default when a top-level 'version: "1.0"' is missing it is assumed to be '1.0' -# NEVER COMMIT THESE VALUES TO GIT - -secrets: - # These secrets will be pushed in the vault at secret/hub/test The vault will - # have secret/hub/test with secret1 and secret2 as keys with their associated - # values (secrets) - test: - secret1: foo - secret2: bar - - # This ends up as the s3Secret attribute to the path secret/hub/aws - aws: - s3Secret: test-secret - -# This will create the vault key secret/hub/testfoo which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files: - testfoo: ~/ca.crt -# These secrets will be pushed in the vault at secret/region1/test The vault will -# have secret/region1/test with secret1 and secret2 as keys with their associated -# values (secrets) -secrets.region1: - test: - secret1: foo1 - secret2: bar1 -# This will create the vault key secret/region2/testbar which will have two -# properties 'b64content' and 'content' which will be the base64-encoded -# content and the normal content respectively -files.region2: - testbar: ~/ca.crt diff --git a/common/examples/secrets/values-secret.v2.yaml b/common/examples/secrets/values-secret.v2.yaml deleted file mode 100644 index eab81a38..00000000 --- a/common/examples/secrets/values-secret.v2.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -# NEVER COMMIT THESE VALUES TO GIT (unless your file only uses generated -# passwords or only points to files) - -# NOTE: If you edit this file, make sure to also reflect the changes in the corresponding -# schema file - -# Needed to specify the new format (missing version means old version: 1.0 by default) -version: "2.0" - -backingStore: vault # 'vault' is the default when omitted - -# These are the vault policies to be created in the vault -# these are used when we let the vault generate the passwords -# by setting the 'onMissingValue' attribute to 'generate' -# See https://developer.hashicorp.com/vault/docs/concepts/password-policies -vaultPolicies: - basicPolicy: | - length=10 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - - advancedPolicy: | - length=20 - rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz" min-chars = 1 } - rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" min-chars = 1 } - rule "charset" { charset = "0123456789" min-chars = 1 } - rule "charset" { charset = "!@#$%^&*" min-chars = 1 } - -# This is the mandatory top-level secrets entry -secrets: - - name: aws - fields: - - name: aws_access_key_id - ini_file: ~/.aws/credentials - ini_key: aws_access_key_id - # You can actually omit this as it is the default - # it is here, because I believe the json schema validator has a bug - # (it ignores the default value of onMissingValue in the aallOf if checks) - onMissingValue: error - # ini_section: default - - name: aws_secret_access_key - onMissingValue: error - ini_file: ~/.aws/credentials - ini_key: aws_secret_access_key - # ini_section: default - - - name: config-demo - vaultMount: secret - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: secret - onMissingValue: generate - override: true - vaultPolicy: basicPolicy - - 
name: secretprompt - value: null - onMissingValue: prompt - prompt: "Please specify the password for application ABC" - - name: secretprompt2 - value: defaultvalue - onMissingValue: prompt - prompt: "Please specify the API key for XYZ" - - name: secretfile - path: /tmp/ca.crt - onMissingValue: prompt - prompt: "Insert path to Certificate Authority" - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - - name: ca_crt_b64 - path: /tmp/ca.crt - base64: true # defaults to false - onMissingValue: prompt - - - name: config-demo2 - vaultPrefixes: - - region-one - - snowflake.blueprints.rhecoeng.com - fields: - - name: ca_crt2 - path: null - onMissingValue: prompt - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - - # This will be uploaded to the 'hub' vaultPrefix as it is the default when - # omitted - - name: config-demo3 - fields: - - name: ca_crt2 - path: null - onMissingValue: prompt - - name: ca_crt - path: /tmp/ca.crt - onMissingValue: error - # - # The cluster_xxxx pattern is used for creating externalSecrets that - # will be used by ArgoCD to push manifests to other clusters. - # - # oc extract -n openshift-config cm/kube-root-ca.crt --to=/home/user/ --keys=ca.crt --confirm - - name: cluster_foocluster - fields: - - name: bearerToken - value: - onMissingValue: error - - name: caCert - # See command above - path: /home/user/ca.crt - onMissingValue: error - base64: true diff --git a/common/examples/values-example.yaml b/common/examples/values-example.yaml deleted file mode 100644 index 4035c431..00000000 --- a/common/examples/values-example.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -global: - options: - useCSV: False - syncPolicy: Automatic - installPlanApproval: Automatic - multiClusterTarget: all - -#enabled: all - -clusterGroup: - name: example - #insecureUnsealVaultInsideCluster: false - isHubCluster: true - - namespaces: - - open-cluster-management: - labels: - openshift.io/node-selector: "" - kubernetes.io/os: linux - annotations: - openshift.io/cluster-monitoring: "true" - owner: "namespace owner" - - application-ci - - excludes-ci - - operatorgroupExcludes: - - excludes-ci - - - subscriptions: - acm: - name: advanced-cluster-management - namespace: open-cluster-management - channel: release-2.4 - csv: advanced-cluster-management.v2.4.1 - - odh: - name: opendatahub-operator - source: community-operators - csv: opendatahub-operator.v1.1.0 - disabled: true - - pipelines: - name: openshift-pipelines-operator-rh - csv: redhat-openshift-pipelines.v1.5.2 - - projects: - - datacenter - - applications: - acm: - name: acm - namespace: open-cluster-management - project: datacenter - path: common/acm - ignoreDifferences: - - group: internal.open-cluster-management.io - kind: ManagedClusterInfo - jsonPointers: - - /spec/loggingCA - pipe: - name: pipelines - namespace: application-ci - project: datacenter - path: charts/datacenter/pipelines - - imperative: - namespace: imperative - # NOTE: We *must* use lists and not hashes. 
As hashes lose ordering once parsed by helm - # The default schedule is every 10 minutes: imperative.schedule - # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds - # imagePullPolicy is set to always: imperative.imagePullPolicy - # For additional overrides that apply to the jobs, please refer to - # https://hybrid-cloud-patterns.io/imperative-actions/#additional-job-customizations - jobs: - - name: regional-ca - # ansible playbook to be run - playbook: ansible/playbooks/on-hub-get-regional-ca.yml - # per playbook timeout in seconds - timeout: 234 - # verbosity: "-v" - - managedClusterGroups: - - name: acm-edge - # Optional - Point to a different repo - # repoURL: https://github.com/hybrid-cloud-patterns/mySite.git - # Must contain values-{clustergroupname}.yaml at the top level - targetRevision: main - helmOverrides: - # Values must be strings! - - name: clusterGroup.isHubCluster - value: "false" - acmlabels: - - name: clusterGroup - value: acm-region - - name: acm-provision-edge - targetRevision: main - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - clusterPools: - exampleAWSPool: - size: 3 - name: aws-ap - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - controlPlane: - count: 1 - platform: - aws: - type: m5.xlarge - workers: - count: 0 - platform: - aws: - region: ap-southeast-2 - exampleAzurePool: - name: azure-us - openshiftVersion: 4.10.18 - baseDomain: blueprints.rhecoeng.com - platform: - azure: - baseDomainResourceGroupName: dojo-dns-zones - region: eastus - clusters: - - Two - - three - acmlabels: - - name: clusterGroup - value: region - - name: argo-edge - hostedArgoSites: - - name: perth - domain: perth1.beekhof.net - # The default is secret/data/hub/cluster_ - #secretsPath: secret/data/hub/cluster_perth - - name: sydney - domain: syd.beekhof.net - # The default is secret/data/hub/cluster_ - #secretsPath: secret/data/hub/cluster_sydney - helmOverrides: - - name: clusterGroup.isHubCluster - value: 
"false" diff --git a/common/golang-external-secrets/Chart.yaml b/common/golang-external-secrets/Chart.yaml deleted file mode 100644 index 74b1c051..00000000 --- a/common/golang-external-secrets/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -description: A Helm chart to configure the golang-based external-secrets -keywords: -- pattern -name: golang-external-secrets -version: 0.0.1 -dependencies: - - name: external-secrets - version: "0.8.3" - repository: "https://charts.external-secrets.io" - #"https://external-secrets.github.io/kubernetes-external-secrets" diff --git a/common/golang-external-secrets/README.md b/common/golang-external-secrets/README.md deleted file mode 100644 index e12d58f1..00000000 --- a/common/golang-external-secrets/README.md +++ /dev/null @@ -1,14 +0,0 @@ -# Subchart Update - -When updating this sub-chart, please remember to tweak the image tag in values.yaml. -That is because we want to use -ubi images if possible and there is no suffix option, so -we just override the tag with the version + "-ubi" - -## Steps - -1. Edit the version in Chart.yaml -2. Run `helm dependency update .` -3. Run `./update-helm-dependency.sh` -4. Tweak `values.yaml` with the new image versions -5. Run `make test` -6. Commit to git 
diff --git a/common/golang-external-secrets/charts/external-secrets-0.8.3.tgz b/common/golang-external-secrets/charts/external-secrets-0.8.3.tgz deleted file mode 100644 index d738b9cc42fbb4891d382245ed4ac1fe98a092b8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 78591 zcmV)3K+C@$iwFP!000001ML0lcH2mjD2(=RKLs{x_OiW?NJ_re@waPcRFccBDZ8vC zsa(5PpFTE7LKIpczyUzXs_Hs#^}WFNWG60}iNrmV1nC>FX1XjQGZ7h?85#HRKBitA zy1_8eMQ{u4q*NFJA&=hp1WLTf9{XIA3eS|^O9-oFH`#M zrPwYGZx?6bhVI;3cwy>XMzQnrY67pl)JyJNMGNnRbCssc@G6C`nT<4FxPCZxlZ0L-(J+YS@IP)m_eRTbe(&15yN%*m z^5WjmxmKVLO8^ZW`7dmx5On|Fe{c>)2mkNU{&4^PJ^WS*{||3*JP-a3UO3lY5cuI@ z>fS_m|2fCs5cGSF6S{~WesO(||0;bry<5W1uqc5)b#Vpm-N=vg;%vPBC6wK`!OBZI zB>>Im|MC9g=T8ds|Jmaw&-?SgizoJIZyiOeFn!@1+`IRkGaNeSOK<95`d;FsSDxc8 z@U0VFI#+&@MzKG2&bZq->=@_z`@~7EqE#@1-R>=&2Z`sY)0-Wukspm`(KH#u5uSQW z*lKY0u7k*((NAd{1p#dC@eGEJ?vSL6zncc08xB{?;WC2H-95Y)dpADr|GyF-cdz}0 zk6`cLyXP-}5WRqd1v82gAK$)k=2z1gzuQi89A~)-f>Zj;3+LqWmnc1ry#%0uSA>%b zzyy87N!_`VMh=jp5&b&zF5Oj-IzFRoiZ`f}QPL5O01ab6CH())zr2Kh14enc%K&J= zDoz~t2FQau3A{Zg@UO99f>`kqcooi^)x_taP5~>4=OCJ2`RQL*6PPpq6h?q(qQnYP z{uAIz#FyfPNBQwi0gg~>ALG6-8<^n?8^bU!oWVeBj+0CHbh_vGAsn3`VAz)P*qwRK z(b+K~A&yq_D+kWYg0V5WCmQ4X7fu?lynFYiM0o{vVNm>a&w=G|Q!x-ieiXn7_2TU2 zIj0pvu(+vcAm8(A@eR|#xs!7ayT&Vx%rEJk;jpKx#(XqhgdLFvbPd60_-z`6BdDVJUh z@Gl(LO*23X?5Zh3=S;lx*7HJMayY#S?td>#Rx$25X91{z@zX0ebfVBx&5&f2J`}-6 zT->HE917l3j8-b?)43+K`e5-+#c)F4g{+Dkvc#ap=P^vZ|p{JY#bVx#nm3D|NO zN6Xm9MaoExBd)r8*-u9SFbidL)qEe02b?^(&Vg9XyqU&AKyPhr9XD|RfQ1LJtP%(Q zizF0Ix);FLacu1VhJJocznUQdiAfX&cLYQ@^T$-<4?cL~BUHE(lBGNK?j=*e z{p=U{w>Hl=u+d?W>A*AE3T;QF&CU&+vmXzS9HJY}D#Sg5_!jT7FMmfw!e8K};imvG zP#fIX&Qu)0gjWn($)AeT72x9s^XTy`U2q0@KgZD&DO$~#Bj+Uy1C%V~=Keec zFmRm3=$`1?L|&}FPt&ycs!nu@H}mZk?xz@VR-9G_M0S_r>hj6~MdyFK6|HK<$JvCd z1#D?N#<;;&G2L2uQ~)a=HeXUa>+rWXUGY)JEg%kiHWV=&z|`OPQ}1v(B_2c)*NTZc zqN(F@Tgi3kQ6oCuyc33Yjr#IaCwILrVDQ58CJe58?o zp^fbFK=Ak63yE684W9ssrGe%3;-nrNXm~kN;tUd$c;ZeQRuO3heH8yO@xvJo3uhlV 
zAiP)FmlXaMQxm-tzA9^XjW~StVL-y%zwwGA008a`F@=Y<5`-cU-)Rfyg*Sd2g>=kr zT)1W?fv2yd+EGO8WA|lvLl?Ig9PKk^=(0UN^qavXsD^=pz>+}T^W#m}NB{RzqF9qiVH zA~NwRJWPIxLVT@J9{TxL*v2UR0EBob;Gi#-r*Q;)k;h+Q{lOWm8BpG1=Jw%)%G0K1 z8+-o^oKPy*ae#ce!f_Yk&xN-jaq97-H~zhQ87rfXIjj=!AaqvvPMaWSw1{pbJF!1{ zKHA?Sj!7K7H&KW}8u5yN0U~UY*_8+sO||pg&4)nPi($FwQ{OPK#_`Ql6*$pkkNsgTN5nMJwmlICJBwStkiWmeA+S6?0*Kjdu95bG3VsmiWyxDtr=Uw_A1!=ql zrjn4YW_lF?M^)gY#mLNMqri->sk=XC(y?3uV~VqP;aY=bpLmzZm%+$zG*FIr{w{i- zac_9@j|WoGk%6le9obJ~ye5-$%%5AuL?{Y>eaAR_FF<=QKzn%45!lVX$`q7l1eX>Q z9aQ8XtIa1i29osgh4WzazaFYz=>3A&u75iazw)jXs1m;oGel<`Jikg&b(&K17aDsn zk$bitR=0!BJRTnsrL96>4h7EN-@k{CxbHJr?mgTR@55;35jOrI5$7#k!9D+9d7S@$ z5$XR{i7*%h$7o!U;(Fc_N9#o;J$y-|1WzDR3#583TzN>W7EB_DX^WzOg>#J@Wyc(^ z>FlUik*D0*Nfc*^nF^`G$$>3ICJEOAr7r%FPaEh5PZ>(A9tC3BdKQI69&Ei1?SQ2*iGX5+S;WfBeG#R!e{DO|GKox=|<-ZR%vr zYJp4)G!=3tT@6Uhue|9s3DgL$7n4pEZVMj;F#P)n8=R=yXz+9~s2MTq6BWAiTVb85%PioJ9f_2*n z!on7W^wL2uD|R+j?UX*zp?arE!LyEvr%K7QmYSzZ(PORZ*^aVDQ};Md`KE>~Uc9UE zr^eeF(3ZQe)m&@uY{#j&wY82rySMRtRo>hccX!q8U44H$PF~jTObD(6EXQDW`?Vr( zSeClCE_XMuwpH?Sy~J!JGgnB>-N?;#lCvf#RIlVVgoSFHnhOkNk-=POs1O^3J`L!5 zk^uY@T~>k-W7O|n(!LRm@Pth~x!U+%kToUJ>Z9=tZ~!C}ftTimo`ZX0mDf`a3yQDQ z!`V<)Dq=BArX((cRHrBw9doMUhQ4*`;@mL0!nox^WhRJ71OB6=ylv^ODUBVcL2cYJ z%qejLRmx-fHBSg?70CRNf)bf#R#YRKD3YsG$$4dRrcQ2EDA%ZztCh;tYUMh`vf~t0 z%VJzjz0AMlRLt_HyqcNBJtg-vilDkwr%Ab{5-EYV@=9XmS0?>!TQ=%cvgrksUO@TG z1(dvUEk~^?6>OC%i(b$Xl(m<1dP%33bj&3k>i&7j8DEN^(Mt+nm!wc2rXOZu@|N$b z54cV<&6_Apj>sHLAN|y^7oWpZ;`${U)nO#4ef;OMgQt)C_|IKD4eS5Q+l!ayqx56C z={H*9KM(ew92DX|pFi6_=;Ob3@sz?du3Yrd0cMQJCa`D8iu__x(7O8{_wJp9P883W zS)F)uVBT05%e#dqd+fi4Y;@>(bYY@^w^|Zwt0HRdWl=cVuNk-d0NGvdBRLQ4Ig>l) zkMVo1bN>b}ll%H`4@dXzy`-(9{Ix=am@5zfr)hfgxel|0?yMJz2o>2&6P=Tkj@aANofNi zymjLc=Jev;zmw>E8Mt%jL%H7v6oNA;g&-~pDjWa;IRBW+urTD5M9kR2pQ8ZH0ytt( zaGZ;xlO)W+gVF!|^HXoo{@Lo&K>yzZy<2*5GD?@5g#x$G|L4yh7vldP?LR$u+|&PE zJb(N#{$KZAeq16cNefy#5xV)m#z3w9_yhGLmmqjKgW{eUVW$BRHPMWmU<6r2eU+kx zx~A9p7fKZ2)Oq%p{^>8ySC{D4I~WceF&5JxB&h)AkyMSyFVL0b{P)TYkn^9Rr;X5= 
z{pRu5)IP;8;AHS-o4TaFL0X+H<`pdqVpOME3#QJcyFxU(T^DQBDvz z;JP`v%%X2`5Fwu?!uf|)m#HGt6k!KftV_TPXxlL?wVWB2;f9e&EvnEZ@@n6kARgpN z`R{+DNxb;Md}T8j6*_p3(V4iCsIP=G_oF3n%h(UoOK0#uli~kN28FTsqvrdp`k%So zr!6a<84<0EOG-;C_6fHl1)It8QuAzWi*wS^&Hok-WiTJ%C+rOVUjt|Geqev7q6J+3 zQWw|`DmP?UF~ED2T#X5QVuk#08mwjwQyei64Gj~as(&p$G}3mHnEj#hsKa+~>PLBX zwn~zbF=twre*wjaQm=rG@+h3!WHy}K@j!BC3B_y~oAp>53b(wiV^4kPYsTVGsAY55 zTpueHFbn;%GY}mI<}jimXqZ`Sx4+`W4}O&^Uznu*4lu$}(@rQ1P}~tfNu`a^oR$`W z7*@i-rp(68!mL5f9Aq|z{3_@duy*COQm`$+EXUp&>}`wR#T*LX*laEtyHVuHt1an9 zdrfzC_@$1Q%r_eeYh;15e^8H+j8PputQ$1cr>wDZa`=Jx$G~WSW_GPB{Av5&2#?jx zYw%h7wL#l>_NX)&Xh$e5A4?zQyQ1m_&BeACuS^b<*H}?Uuw869rfC^7gMnfK|K)@*DYOwh;X!dA^8Km7P^J3- zchy}s6i{jOH#j?WUlPY2RZA~22h@b8Uk!lnq{;(T`+zo$P;Sp7Nj{0er#xG)H6+`j zxy*BCNO;Cyl+;IjQQJ@Qb4`np_r>55i_SC34Wec>zR$X8E5bhnxyg4qeeJ78(-c0M zS|^hUm8K*&n#os-F1^{XC1>AFa9m~rnyH8p7ctWIf^?!i&$YWi7u=>(QnoZrY7gZm zaUcEF6)xjhGOEiMN&-xIZRnFfNT?;yrCIn!LqT6iaNednBs@u><`ln*-Uzw!#?Fc)iB zc;Tj3FPt$BdG~wn9R@AiYn&zMXPRrX^kSc`Cw}|Xg1Adx;yg;c@TNOT z-UdPz_>=3FxtMkeNxisKa!1a0zR?|(YZy1vfi2)RhFJqwcwg(hp)rJsA)nH=s(Rc` z)+-myvk9Bj_IVlZqp^-M0BD<^)gqI!PI|b~c0XPd1Eqsf7bdkSVD)>n6#tZUtO$*2 zBIdQ@RO{b9wRUFvkA?mZYQh5kQ&^yo=}{y&EHJ^kOs zvnll? 
zf322)Jx~3)lrJk`oh|$X0gb&m7XHy!rw-;UA*9fzUOP9-FP+M;e)W*M8u}t5jv+)6wmz7Wc`V4YK5zSf@)ZX!{G*$;z!Q+@Vt|VoPY)zVe*cu2Fo=KU^$weH{X@C%*7>jyK|MQ z^qbJrk`Q|j`U*}_g z|H}-3=4?Ql{{P@nA^*ptrw6_MXE)EL`k!j=`=TbOcvnlN-|ot`kxD+f(q9hM>=&0q zo|aBiAEEvpthfm+KG)$b++PG=>eEF3<5@RJ!0hvXJwHJCuh0Lr{ikjHU63Cr{S)OV zUd#N`a{oWte|AvJ|MKYh^FIIAPM(51BqJc#r&EPevl$bQD)R z*h*=0&RX4;)`BJBd1GFhc@%3YI){a?Yl_mtqq9SLaiLzI^8e?Gm#^V>77T+`jOlm_ zQ=)gt6^N6+xQmvLV|uVv;Ks#4P^iR8>@OU}Oko~WfmLM`V3gh*xWV$umCmXOoS}sZ z=W(!5d3bnw^6v3@;RWVpO{THGExEHun9E0$kA5)oU{;inUL>CLaj*L6-9s!A<|h&!u4nJeqT5g=x79)s0`JBPM3S}< zZnY7$A2}x>43LQKoDdG}H1d(&th`oF8u5{YlFBg!eK zG5<38rtgt7v~cgBBaZ8=LT!W_CRC2fGMK}oq>F&d#R`2zxp;#=Ss`H<&u~%4i9a8@ z@$|}1VRXXx(jOAAArU=5@psDncE5l=)@{KSM+=z#f`~;Uu90HkhH*uAo=b*OnNt7k z<@rUHfsxS87|xm|8L|;kfCo$ni7hYVXhEY$gDmGm3Vfv3$!fCj(?q5Dg>@J?M?~-G zgp#pvMtl4S=tppbGTXLMP1zuah(2><7b6q%9T;1=S9+vf%}L0SI80}(PK3xxDa#*l z*%3b1Oy<1Nd?Z_;VG(D?xz8{|cCxVPtH!7g>O}-CKIT4qIc;%>fMWhi)r?#V-PqjgekEHr1rBhi8^vR{O zfP2SZ1{F}^!A)R4hn_0Rv5aP%W)*J~*4EPRKsY%&E8TewU$5QY#U>RyT0TOna0+8g z{UtCRCd+eP=%lZY%ny{k1SX2G;EJ*&-7gk1YQj=q_vB`9q&vSbZ&44LOty-*)-*RA z3gDuwt*(Rg`3H_2tDB4IeDGnK+r0fs)57$#46^KAO!KkiWeGHfN}IK+a=JPE_*{Fn z$Gve17%?W`2EgJwnHHC^t1h?um@OX2_y^AYs2v)(-y$kT!8v;p#ei@_y!0lj-m3@4 z5YqxP_Culk@J9+LndR&Ho+nD-lM|bay=D)7?wZF<8_RhRw64OK9sz2Yo6;P zZHWGC_h-99u=}%J+qCs;8#I$!t{%g~jFDNFos-4Cthnvp3Y~OzPQKeVzn!;k*|2iw z#hxUsaZ2gR1ZSvJ%Ig0Ssl0{hgcp;OI(q%4rLrU zH#)72#Kr$<4ws?r4Hbx<$!;}$4|lnY^`T)8WDoze3d*H4#4@ zUHPFa{{6~}7j8&@6g6kOuB%1$&KtI@Bep1gyQWq4c z#%N8FFG*n1tT-c?D+q4(8-G?|q(S;c)+Ehdg(aBCq9iOnY?nekpRA;`1gybGO{Swg z{5AHN%;Gm^Q#YPvCxdK30;|ajy(0ADZm9i*bKIjjHa5Z05@A^)G>D?J*@?q9Blw?d z^eKa5Cs%olLVL`SzLQSa_$?Qz!phRRjp9sP3pBNo z@)Ch35UVbs2GHv-n<0%^@w3F5ncbn{XXM_nhN&v%=#UPQQl;s?ttJ)eb5Mb~;);z$ zM`}ufMFuxC+~wV;v)@I@Rtz}w=64`CXnDCrRH6J@*6GYcOT)XIftj&!BMr-}7ZJ4` zGjQ{zVezpK3@E1#vyFG+M{vciS*Q7bpY1<=^t71&_sQd@ zz5mZH9?k#vL4_00!|c~`n!9|(zfyqC*Y7Y?c{q%mh1T*ADtw22&&7-87lhttoHR;GC_E)PDqLc+ 
zM2lzM<)|Q(@gi}V$>N<@xR1+23%=|`uSTv9E4_d!8W?QUEJ8$88NpWB~Q+VI}IqB>*fwQ}*uUF+hMK+eSBkT<%dGhMr z>cD4oPOSG)>V1@YAEiQvb$pa6k7mwOiKKcjAyEm*3CZ=9-HM`8lkVHg_57tq#oDM= zl|wj^MzA@M`I%}pqwHFLxf(7+c?#zhn68`xE{URcg$m30DO8NsW=^Qu9F>q9L&Mw> zOXXgKj;!ge=dlG=E2t^R_O*A%g_ZI3DJwx@`f$y6TQv7Mu=4oW2uSAvUHS;v=zqiC z|NgKV>Uu4+ne7IvG^bvRajG!QGufx08|AUYh9+?3?AhZ_ym%n)sj-0YZaf-2#4#?t zbb8gSHa9otXVUt)6z*HiFG@vy%>OXxprPeg;c_L)3%MEyj)b903(ySiSM=&$V}8E? zm$2dFhiy6yvYdKfB zg@j+ID~&l*HK4rU6oq46>jCNmVDXj@_fR#Etd^L6pwW-idQLaheD~T@k_W$XM%$W( znXM2-F*qZQZ47-xctif&c3KP04Wdu(Zp1?i=anxCaajrt2)m>T5eLyHqE`G|Pr6An ze^rCowIY;xdAqyuT=sEXv;-z(C4n6h$x75@$6+CX4tF+V-t1(IK?4Tr_Mt)ZeYkKx zo@Q5~Q_R7if6OmW6*|^B`4R$NXVIM-k%Ecs#UCv4pKn&jxZ35a{KIb?2J z2p(%2RNodv7q}F62A!l18EPa>jJ{yy4p%MfT7pi(aKXJom>y5vB)N^^*Rq;KqFcG z3K_CRrjd^wIaqV!>ziE%U(u}x`meBY%Efjb=J>D=+M5rb(UJJ2tinRJ$Uw!-C+D;uUiEm{~edO+!HrY&I#dF`)c@I}{b zzA&3HGi*!Oj|HYM%uOgc*hS{0=r)Tyb}kf5f5uvl6u*QNq~d4%qslYOcJlc2I+2F? z^*WL6VC{7xhI8$8B43?OKT&b->1VNGKt92DpgOm`HvK;*R+V z`}G%0f5B`zH8bfU2O#dfq+-(w*}7{%4h{kA|1~6>GMwGZG!_Cjd0yIK`p}6ZblY~( zu{T0fcFax!L^cqK>~7YMa+??!_OoiU8Zm$&b?Inl`Jyf5YbLun{T8nawZ1Kc7e?3B)$A8IOUEbQI^ZVmkAyM z_s)x@=;b`P1WAVc%>y?{A2!a&D4@;ebeo^;Mr4vNX2oU6;W_XZA`MWB46%&oqYNdh zbh)DNb60>eI`fu+JM|8sk;1HrCex0lNi&04+vW>`)w0F8%SnxnqQ%n3ysL(vveZ5y zy#UF+H4T92On5XTd8i@eS**JzYfQ&RM@4ELb6wd`%*~ic8r>?El&vjvbTjLhZuv>1 zf;7{yvrEheHi5TA6ZV1Xg&QlQ8mF-#=Svl2iw z<>tuw4I_M$N`Nysi{tw_E?W@Rob5p70TiiqKte+x7^L2mX9YSwy(zEi=}mdPDX%x> zna`&;<$Wdx;S-qhIxwykLT~DAY~t=YCt%z~mK|bkL-O z5bL#(MRMFZ2CFOiP+xDQ9)E{5GI=EQ_vhY&Fd6JQgH8WF{6GJ9GI$6-Ea+$Y zp9TKU)xdef$)ysHkiAuQ5j}%+%nBFp;T@3 z>GPmUMhCo&0(C`q41h7oGu1#@S}8!Y+$xWC?Z@d102+j~%Xxbn)*7;LxWLm}pJ85t zI<~nXyx@YxW8I0e97&K5D!HHp3_>>)g~1&sW)*U_7dy=nG4e4v2nC!p?ju1po6%N` z{K<{4ut4>YQ5h(54-4{?=5#*-H~PuBPakhGgVbk2kR(E0fC?#7`b{-{E1;7o3cQBhX@4i^1Z(0$1dFI-P}Q#)rAvL7$e|9bWlieoe6MonA0@PB8CNRE&$s_R=%ciI{B<;yxB%3 zSudOek_?qSiX7cMGWxy&sN|Mr=CGm>LsCa~2SRm#Z29~3T!GkgZ^Te)@5!DDU;bV!;0Kkarm1Qaa?Ysc8=y0OjM{UYIg$DeUUhIQA$Ln2ImKMk3Ky 
zEp%pATI&Uto8)yC=EAeZ9|%JBniLac$H$~KQN7{ek+`q`RG}}+2*wD$pD;3U?_Bvy z;Wfq8aAfKX z&z}Yp62%)7QlRxoh*mB!qnyPPhghrW zhl-tJ$S!mT5Kvz?4vU>ivNPk2cDm9NIYoDvH@e126YZ1k≪0Q1jt^qXiICVFi0H8ob zaAEY~O|j?PUPTGhPo?i3z+Z#C(#{^7go8bm1uVCh72PJI-hkc>*123Zx$hn4;!Z*yGM@|g2Ibt|_CFYzAr+$DQ3HN0NMkb5!>dKp5XKV@U zK$+j@Fi(0pv0g=^5^q#!Q=bx%6P_2E8ze=femQeYG~v|i9p**M^0`*6XahZL=L-N| z3Fd^~gaA|{&uWNf_Pcd}HUd3#N;z-yukj0&FO5!aH9fv`;lRu?#=7-1{zM)0ljI5) zCG98Tz<6k)gTQ_vkLa|ft!&sP?fYEK0%2UmUY^&wEC3DzE`#Wfs58O}udL@n- zGQ_y1`P*7n%*chsZCElR?+LE);jlKyo2wl7K{U;(v*MB=o2xSWh+t86TNdRtQ8x$d z&=S)ifaLl?20Dr2+Bt!~FSpT`+vv+}6gsR^ZbLiI?L{{9U~4-SlDPa@1*`joR8y=H zjAQ)w%k#Iodhh|PdwBfr|rIBcPUyDG*u zh(}-eVOx_ng^7FZ-371`Mt0Ui(Kuf&6Ofz8z^>#joT|()E942XPVcCqubh0%_e>0w z66ROG9WMP}&t4llgey>9{e~r>oL}Rhm;^ju4Tj>>3=)AG8IiDnCm%|iTJ(olN>sx) zMQrGn39XPa)kw!W%3_{fII(9I1%$-PGg=FWY5)=)43QdbVC5%3Jwp{wsW zW}%3@0`le5hOb~9Z;c$KtY(my9FI!)-!55rkg+#x%oBDwwjk%C^KyIazka*m?3|bR z^OO}Pmj?BTn_fM+H-Pwjq_ zp+pGfHgX_YxGa|Jf@nLHMYTe#(k)JD;e6gtoDawj2?;?^SelS?9?|~7yB-y>l9A_z z;+7OhL~OwaBKQJa^L{E{OSSaYk}KJG`!!Y`D~4W8Jltm_SH;9ZY;_7PwvmQ;WQx#2 z+LDSHI4ARvDfXq57*o0Jg??a2Dgjvh{NHk&lak3I`z(*QB{W%iJ0>|ovLWH3q40Vj zqEw<_dI+DZ-OB}Pro3{B1L_28ud+oVgO>5iMWU#a9W&xsJ*;p6)3P@O8W4i!=f8&3 zz;m}k?A+DNM-7It%XEPuuRA2hIZmJ_%AY4uwoL|T=-X~V>&+n;D)GUfsm8Onv^Iv-n29cC!(qKH zd%w#36*;eD=4IjE>>#cSb>@O6K0A@cE)=hID27n=Hi}nS)SM8)9%y`ep1SqvdFpS2 zd|UCy9h$;klgMo%9QDxRjHnuoZBoCJ)ZV78LYsxNjW+!PCb@2avX@&jk z#l`74(wH=wMgghnNEPRaD9t-q&jr^w(LTd&(j~~S$HnV&6bwT^P)iK}5VjU>`ofvq zHRgOXTJx!U+F*{aMEZqhgjbrm4DFoe-W>5=m{i*-cO}JEVP{Bpv6i(sU21lSLNTE| z4n?D-Bhh@oG;B~G!IC}3$IpboHWF6hGerJp=uwuIC)7qWtbjElrIirNkPxkI8ll^- zi*#QLMw9FU<-k0I0}z^_jrVl2!X&|oTKYXy91o6Uo~J<@)a|Jp@fkV>72mm``gAww zGE>PJC<7b9x^#dVuLF}Dxkbm7rlz{HNKLy|sDPkN+(~UZyF4SzZS7opM4zJ|TFpA~ z>}hc^se)KK$gqmi)$B<~?BU;J9C52-Ol^R}Cyo=l?0|>5j+7FHC#k|4WAW_l{IE-f zY2?qQl13fIMs+)^_$?ft>QVgU2i~bsDK*=i_EF$%1M-BUzD*ruEXKC64iwhMutyH# z27Lq$4O(hg`Lreo?LaHi=UhdBDjk@~>Kr?+XqMR_$H(6C@UwS!a%|+cS2-!XpbxWw 
zdJ{yiBiP0idL4mLb1SVP99ZE*-_7Y4JEW%oJq6gp6nY9^)O<_M9(gXordxr;>`;Fh zdvjR-X3vUB8S#udY6o5E)mmi04782w%^>A$crE9)w&;9o7!vc_xt+)i?FF59L&X;2 zoy*PlNn+Mx$1rXVb+qK_@8Q05{4#)}I zAvb;;g_P_i@w_ZhZx&6H5ezeO7w+#-IGRR_F^o6_poVh{66ZiYM8j~t0#uD9#sQ;4 zXgRt{7r}RIxx)-CLk)nYS|z5J=|68<)0r9w{eU*!1C?%}ok}j7yCs+GqBV|^y?<`+ zpIhe8QH&~1HsLHFAr#+DImIWn}_=`Yf>o&xj~U<*^|DS%P)ojb&_(#2ez z1Z>i_RY`12HU{Y|3Osh;rGFis{i5Xt;Z0vu+pqxVCdsOir8R=JBC};9xI#Ko${dDO zO0FWs)g<%a%j#~|=P{L!Ng-EJ>qDTVr7<~Zdzh9?Wu>crI?@pGZfs~E@U*sy@b^{h zUEi3g39;?Z@9b2C*vG+Zw7bkXyGucXz>nZ~OE-9ECUz_4_nZ1lH=us4K7OWb0H+T- zX%#`sA`9VJc9#@d9-<{f8`K2BH@m*tz>kk13-cAQFIE?tDciDrmc<%uV^-yhXHzUt zW6YlLp*%OLB3N^-kF+8Bv)!NV4#Dovc5Tyc}_Gv&-DW zCfYJNjditQm+p1#X(|*iyY}?ebcGU(t`5vz?oW}+8gry8m4Mtp<5iV_U4IP7rn!)3 zB;r|6U_wFnBffE$1|9)c)j!t)#>!4{Q(Y-y0{~2YR@$r2Tgg047ploYoz+)LZ-rw% zT_&}>eD0J2&vO38N?rXbim*m2$AX>)Zi+sopW4@TLswV8LI=F7vB!~}i)U}Q{}PpB z`1E#r+j)FxtoNE|+J?X5Z9y9Ek_ZX(y%y!8I_D3>_*)3rR$~KqgD5o1FKQWW-aFxc z1Bw^<^iKHw?eVQU;oHPb7VZx79tMdjH1D2_{O-_jwKTa@ibblqhwLk=Q70;9T;#~w zOcT^DA^K_HPRv9^KYi^^>|{jl^3IKYtRtO#8hNnb%ETZJ7eYj>aAtBP;8INJ!lGd; zvDwFQP_7tzZX@g4AOQBMOnV7%{VDW!xKZ;iB|ua2j!6cBtzUkbxZqY^gq)C6T!kB( zZdMjn8_cF!ut60r1#B{MjRicGUmEziWV99C7jL^D%{=`f@eDb56av0lxqAY=H z-T1h?2(z4pXxhcSzfEoM((hHlJtI($qn;7y8G%+tAnA$`5E8hJZ-me^iPYtY=9jWW zJpM**XjvV@sazZphosDmQf(;D^5=c&W~CgB?q02qt<4pjD}XCD`xkN>=Rh}+!3}Ds ztETNW)NQbV52lN^axA-YMUDt|^*w_Alp=!v#9P>vsV3-t=W?2z+HvG}H@8vr1yp)w zqh~h0T4uw^s8UZWT4&tT3Nsw_wBl=|6&5+UbX%Pj??l2uBFKqB)QYtpWBt5~y}w8A z@1dUF-=n9*9i!>f`+FESO-(G)xizE$RvZn&6r!r&c!#8W;<>RGuW32&`P!bZt;A8! 
z*M2e7^poXGTSTe%i^&S9R0rZ8rb^c{`h;G^up$!}#TjmDP)GL7qBLj0o~|i*c_8O- zHiMU)RBkgV)>;Da=#V=xIp)%>L#=eHRv5HpSi>Ty_!#e7vtp>FN!`yS-}gSk84TTE zDE7g~kH$CqqbH+-G2UY1?7Zch zT7a*Y>*gXy#}U#sil=mXzWqqZ;h&G(OGY?Nsa8+(lYXB@l zFGu%s^!iii)wdu^RfeFZ_t*5-4(rl`zmKef$dvtOvVqJ(+%tAgpOM8do zT7mkj0K^SNWFbRYbiWnW+8yVkGx1X!LPdtpZ~4|K3_bU$0+GRE)RNG*Tso?)v+$-@Zs;eAy=+1;y$xq_-_l}{ zES~c>FEAEeioQ#?dF3)32u&8?457AVmG7Uzhr}T*;U;5&orycW#ypy^a~DX^85@Mz zJ@mAB;S2->gEnDmbY>p# zo~rN=3o63fp^7P&!GtaY1)GUaAp_NmV7&;o{uFu<%&2+iA{bs`2F;kh8#FXy>urk2 z*oI?q{8gF7xOja|?}WuaaVB@9E5|*;K@qw`z@Dyi=5Q`oe_#3xUO5Xdy^7kfw4=zb zqbwMW+#ht)`$)?UM+M`#`$n4@j!<^eZ)r>GA#i!p*#oOFyQw1f)C)XB)0*Hk_0CbPpnfg5!RE z%X_eoc|%s{QD``4>HqDA>9Z$R3j#g7w&L3ISu5o@K9yC)6%nB`rtxyAc9pvt-7C;4 zQ{31R5qzu(NokhfV8|*ymUIN4HE2oJ&77X#W5ZqIv)eG%Y*v=Yu;w^RbNf=c&NWeH z7ut%Cad>M6k)fDuA82cvdfXZ$Yr`RM-kTZ?k+-(D7s7|PV=G+CQpk!-oC%2x^;%3N zG;F5H+>td|TZ3vUFy=$DC)nuLO9S8mscRHKPUfkPrbEeiapZzksN`mz_EJS9{# z%@J?-$^ZyiyFH6QSUyU)uvj+SV3!f99~wY_lze}8=VIiCGAnnnQzy~3-d8v}+@&V1pEWkdFG835BreN-1@B}14v zCJ;iU2dREMPRg0w!7465_=$3HVO+wtG!yKB0cP5O4Y)E)Cu_9YW@%(gr&cA&l$>+6 zOd@Tj(LyzR(v&6}(Bn^=D%SYWnUK(Jr-!uy)`)O+pAyy>Mw3*qJ4*v=mIBr|{i}KE z*NzkKwDN`s<-Shp1wkSR5oSQ=CNOJvHgqrX z!o7|C)RT_o>b~V30W`xafmQanJraMh1d;$t72ioK0jV2;C|ZiUWa@^{1(wr={R6~| z=r$_W#ibMxytwJT(47R{Opr(KrFAr%P^&cUzAi8=o?K`E~^*b_;D02JW&z~tuRrX;)#NhoHx+MABucXBca3! 
zlY_y?d4q|1+zA@D!wei;K46(I$y`m^veqT>6nx`spe7xe(cx^<3RYmv-MS@;l6Y|FK~m+60d%V%Qf5AI_<&1qrt0x(N0_SLP`z8nbK&9sN7zJIj8KiGT=iKEaw9igeed1N~2cjADFNvjiEc?`9y23FYfQQ&t5 zHwOb^Pi`K;L6+m`q9na(0H~c?89Fyj<&vpE)08_(0oRb~Tsq^|UV5#J$gMZIilS?y z9B{vJTg$54b1(E_%%$kT-X!`VzFG506RBtt%^F3b9N0fXM~(Yk0`v2EM7ZQHh;RBYR}?WAJcwrx8V+|*jT-FxnC=gXXb z;2raAWAy&?VLorFot|*!OR8XwcoQf00Fa#&1X*f`5-Q!;v34&CMb^q_beIiA3yUH_ z-daE*M{f^-m_|%hMFyhf%rd5pBw}@_K&zG?XO7t3_}VRaLbPirNGLmNa2@Ek@|zZ> z6Mc#%+Z41bK|)%C#Dv!zhNZetW3`m}BZx8uw%YXl+#=XrGqllZjp6s|8zl7bGA;IT z4QGe_q6Ux~6j?Uiwp*tx4lhzEyiyMeQLfqobb;#em1(Wbq#9E7q}?`@ZO@tajv`QP z!h#=fD@utiytN+F0JMYZP7}3+@PT7dnwLx*wUQW#Ay2$ib z@wcM+R&;7yJ~|G_oTaEpOwsnXJHG+ai^1$1@=gpoN8zlL9=H4b>(_vcYle3?KpvM5 zdB3Q$j?1Y52Eyc$vU7&hNm>;*4Soku4ss9T(AUlOrP+4 zhcTZyW#9a)Z(fJqH!>TEZ60-=jA|QAP>d~G_cPJ8V=HG_k;lroSBAU5*=$3Wi8BB& z0SH5Nzf)`Q+*CYfSOFV;RE|4(7xh_0TizNb!4|UBB8c2PBH+01cDd%u0MMvqx}!ST z@iH8kEfG}`XJzy5X@z-?(q#@-o{U)&R-=(bZisx|A*8t`@wC?D#ph(G#k>;h9!@|u z2|B~naYZqL@%bk*fos6d)==`2m5JLcF?aujiOxMMQNzYe=C(+5Xoap>RUzigNlh^G zLVh6tqpJ(eg?I#q3dP|?=c?Cqwl^rU=wyEY6JKrhJTZX+A8naKm?8o#{GGRh8BcDM zE$-kXV%~^=CBdENfl12!C{*2ZLM}$ZT=_O%gV|u)ox+YC4zH&MW~9xLB_JmK!pqIi zPd?m_6L8PZ+ksy^%h#ZA-wgX#YVV8g4sDbz{6{aF#awqlcyQJhtA*#O$AN5eB~4?m zm5<$TPMf#K`hb-LI%x@K$u0JcCP0kHxH&nUo?g0c3Y3XLAHkwzbCI#xsB4+YUUFTr z6r%GW)-9=TwDue1I6-2q$^S)|V6)7)& z1~AN~4bN@iYfRlZ;8~Gtt4hY5`m<>A+3kq-;u6`%RGRjQ>Dbh#h@MO4xQS&TV@uK) z8W4(|iI8eW5&wu?=a1Tr;JWkvSiZoP3Ff--bV+6hn{r|+J7lM`?9r%^DyOBcKMv=S zoT}e|G53RQr+(J!Lq3*V?XGG@!N?tY91F3&(7IRQ&?T1$WCU(t^WgnDoD?u)>_x6O zY^|$^tHG-hd9px}8QlzBQ<6*A?>(Rdn2g{tj zV7TvM&>Vv1QgNEDh{FDv&&w^*ZZxE953;io=B77kR&ru$fmieC^0Wpe__PRXsRu3v z-)BE?lAYPEY$rdgDpyMSAK=&3v!#hxx81~c8YLjTdMYFw>6oC*RKH0?b%=p~|sCfz$X0<23(N_37QoZdYJ3pTEBzQWg&cI*AHI~?(m+A4kCP%M> zQ+MGi8c9XO2rYQixm~EiYPlH=QfGq+Hf7etB~=1y@r} zwLAHoDlmP2&xtpke8Lq!W+q~Jx5ZjzN8(d^YagXf63y(ZN~gEXwL++4<%QFJN0U*i zWC*+QFiY{K!kEe!$8Dz)(kFsN?<|M`td%9r zT16nw6D?qYgU)Vyv<@xb{)Z{7o4J=&A#J}!)`&i{XD2RxXf^r+xD{wLIXhE-BJg6& 
zC{L7bXQMoGzZB{i5!I=IAHWC8Dpht|p9K4EWS%qWVzq$R>_1xFa~!3*Q#LnZkaF$_ z{)!RtnIH<~yFOgYT;)YnCpGj<9<|fWnG8?|R9uFkr9dm#HQB1;D!$Lv?V>>Iw zC$3=W>3%J(4NQkPMgy|rpoWsa9QI%m2+}0NQ#*nX_KG>VTs2wPf1Iq$SwpuOi%H^G zK{$Zwv$|Xqz2&$!2=;?Earr_E>XRE|&xslRTz4;tM7^Fi_U6BzE}PrPqJfW=><(`q ztg!32>4ZxwC&$vJGLY>eMK#SAgXdDcGTu@JY?HD!;ap2|0XX1oi3rG$St z4c2?C@}~OcPVD4K{X9H)cfb|C8XVuG?)rpXGwv>RC`6;vPX!+xr>8XNDcmRE9~y3N z@XKWnZ3*4>8<8|F1@AON4Z&rN8f3G=X=Yy^xm_+69u{{%-~Q~EzxC>&8x!=MFhwo* zmXe{`$jMP#pUfde-X|hNDoG12D@841ydV!i|Cfb{w#?N(OJI(eC;L1P5~~@RRvQ~h zN&Oif2vBL_urtbaujj>YL->cLRwldBmQsOkS<>#u!XApSk1H9sT{4DdJwWx0#zh{l z%x1{Cue_p8TSZ8!W)0NdRbJ9Dd)}m@MHxmw0=5^GU1`cKRv=O0dcwIVg1tt`W>}rH zxWw@1LXmi!_rQ#kMM8UMw=C52&n%b8Ix(AyTy)^y*<~%~G+>NX0P(`vhWFRj-V9RD zmqv4CNG!Obu#jpeMy9cFhf5`$_}=`@62|A>q10hqvEs-sDXh+AjTrt!)8yCjhVVF| zvz-#zo6jl^jF+;gn}cyu8M>i>FeQ^KNjz&W@Xt{<3dO{BW$&BaTpzBoFG*V{x(VQ! z0zH97>K4{TQ#@jV6dtQ`iYG(Y7B0~J7MBC?fUFCqctq|kdrQ$4y4MbnX#osh%m2gl zd|dZ6<%6EgxR2qo2-`m2-#qGvVZKpgLHs}5i2wiNMh8D(q)4v#OqH?&jJnTbj(50+ z&(&F$E=P$AlER(4WGA<0sREFtTjU5P{h2{vB@=iy+)WPKgep{VaoTb({4Wtkx~R2Z zMgE=zDi(pJY{FF41D`O7FZ-akOe#E=Ol0XgOvmgL;iOac)C)N9MqTzq&W{a)gzDk8 zzynd6!GArG4bT4kmoz20yUl@lEA*tx>$!iu%Ed4xE0KGMXKiWc%!AI%0Ek^{AXz>Rj_1YvLvRr z+em}qFOCT}!^V-1yI?>*-A)1^3gJ>+9R+JqeN0m^y0HZ`+gO4AWx@y)KL4#aC^giP zzn$&SMo}f`U~0Cp0HWfTY5|9xZxO92edNNXRGVFr!lx_`PfsK1pMO9ooDFIYGaLG}Q~!6+bP zR1$zPl5Ns5OhC_FA9NZB;8bYRnwoL_WDK5O7*3JSIUZ_F>0?wk2Ap@WFMTUVV&Q{7 zhTLby`Z*2sH?HaLHxp(jT;iOQ)@y5UUuf^SdxOM^QE7O3QC?QM$-LrbXHj}{+a?7T zJKTdUm-Y!+AIJnrQ7WRP;6J+2y8rZZxzYM9D;U^$hME&wg{JxLFoWT0Vws%Rj zN{BNmh^Ra6{>~Qu_5^2ch=MVM`S>F$gYZn;9yVa_J z1Vr<#K{Ny#XCVSc9QbRct)<`2OtP$Y-GChw&Z{nKq~m=QS(R@&S2hzArmmO&)=j@WMatBH4w#mvz+JKAFmY%2f1J^8HjgoB0);;fgy|hIeMW zXkC&OThN)=z~>c;zQgtAIq#l#&kY$sO0^^@#Fl@&R{|X^o^J|yD7T0Wj&{y3ylxv8 zCci3hTGvq0I;xYDPU{Vyk4FzKlb2COQg`Ylm8g*vqRYu_eiqC|Lvy_;l6ekG`{!aR zoAI_+chEL%S5e(KcR|^*cV>vU2HZMl2=Q9sgKTbA88)jXhr?|W3FPY1^# zmMBBZe7lr7Dv`u4nR%Jha!njSSnx39)faMGAp-_{tNa4Ju!$iMZhEVo{Su;Osvp=jY2;$28VkA+ 
zae~NQTF5p>fJM!@*J~zFin)&drf840+L=a0JN#|G)H?>=CTW`+`ud0D@R$*c}rliHF%jZM&{jYjj}tD#QEs*~01j%(S~=to3r$6GBB*$==3M zp0L>qClMaaj&MIE;zJs!fx|h{76>e3sOp|_6Lz*X+00K|4>*yAOH$77 z=8Tg!bQFqnRGX$-OHoYO&n<>l#Hpy22ijw^P;Qb)6rCn$J5kCDtCreSZRJ>}$9EbE z8-f$>H8&O}Iob-5OK~_!Udm-V_@kraCwkvj)1rz=zhc^gdzljmm(`8aD1?6zN-Yxj zXSmsR+Ky-EcwV%%SYkhIZm>;uVX#DYi6nXSq*cX@Us8P;RA_P+%9(>#Q&tMnhGw2c zrE4{dM=RcPEGVaQ!!KusrbhdC4p)f%lh~|W)5ieZoJX_MunWIu8_9(59}wfFBs;~IPRn4a?a!SE$#>6oq(wjgZ(>?${7ic=tv!s&`XHAiQKZw zz?DuGq_ytLSEl1i051}&0m=B}RQWZwfSJyT76W-U^?;iDKuMX*XSRs(Fi`bZ)&1`@ zCQy^81QAiIh)iCYx3|Au3SY=>-@ zo7-L8I_7!!2!>ufB`%#R@$KJ(7ZF=X%dWV?X0|V}FH%)=s437VmMlqk%7`)v0J-2D8*No|Wxb;#+-iwL*xk@JegXl705 z6%KM6K9FA|b~K*b5k!QjQ^6<-4TbmVnV+U{iJ`&h-^u5`b!20hMiSzv?prw zJ?LcQ25}gp)u$CWS-)}E)07=WwKf}JR?mus*0JDmC7xrJSE4$Zc{*>QvWgQlcBUUY z8+S^Ra<+vV?mqbyek-m5XA^rfrlr^9mr_4XVnO1qpGaV=L*BA{@X2TjXOy@{|7*~p zDZ_~4nBG6pJ<-U%!}xZW7;qiI>eMJ-RC%}Aq0~{P-h`>U!Qz&3un!5%yM|YiI#1>yeo6?sGRyh@~F^TZnx=| zZasrmGg&Sqv!jM&Oxd~1MI5==>7rw#4md=4SjSgn}XZ+1bapopqpiu$Xy<^XtsD06GIRue^t35{vaO6 zV0YX`A_|OAop+mtnHpm0seoO?Orc{P048@LsU8i(rOhBH17`{++kKT=69$ux7rE0Q zgbN+7pB2r3Wu)9uVlSlMhqou5NYP+gM^|cLKLWXkJk6p8D#)VQG#){6XR%{K&kWC> z*@S{GY)L_->X3(|_Qb(PCdFl|TpsQ$>vVmBgA|P;pUf zUJ{3NS@YAjLzv1j^M(-jbTr+h_c$*TA~o8tEDkWh0#E^`;Vn0`?!U?-%a2rk8N#w@ zR`m^L>w1=XOeACgv4S^xrnwvjGr_|{uNP3>)$aq?Fa9oR{n0aq#~l6?CU4i-#30X* zEe20pj!9NwI)h_7PrvMDt%T!oOgLRgj=0pEwF=t=5XVCECwB@+a!?hqQQQYk4npOq zZpNo0$Ap?51MC!CQ=66qXUPuqe?RNdxfigg9f^Fr!CR*Ptt)kri!(j5g) z)c609HY8jx780*>oPVT^wsCEI{q#!ZR+Ow_QGAyS^%)h^GYL5f56Sr}WDiNh#mG{LbTOnKZG%3l!{6z3g98Tu&Ukh(S1Ex0GN8xkNtUNh^Xrcds`T-I z6>Ysz_%GnQ;?o#TLFZ}!c!Tvy5NVivvHI4rMPj_lqwkYyo({L^<|-=3P^T;9$;hi< zbvF;JB(B`&&0ATjsr*BGg~a&v$H}#6K)lMqlcmPjKZtn~BZLU;URAZQU6~q&&Tp%m znXi|$3LZZH42o{4e+I?P!jC~w!w?^904R(@C5IEL?x5vbC)x;gw!Iq zR^py%-Iue5$uG|VV@i#Q!@UAB+PkU?cmhaKcKbm#E6*`q5M&HXx=q5t(b~r{rl?>P zcd))|hc65nB5*S1Ofm0C`nXeOn)=K}B|JGG6^! 
zL%wpx_wmi<4m0GF`tTQEn z5IN!O5|Lc{I09GX19!gpgcPBn1r~7t$1v{2g;3k*uad^0F16ihQiXYj^PGXTP=|G}F;mBDEe35<&k}^rxyAO(fZ$ z_lKbKYR^dEF~b$BG!a~qN>SLAQ@D#NC$iOpn+iVcnL1 z4A;TvfVL)YYksZWkSr~96){SMjD4-$p$+QhZA=-kJ7^&r5z}I`G!c=zZ$EuHC+OCR zSkPin?~70%k1N<9iz6}oR$R57hdhP+v5PPa@BKx24@mLoqbFFkC97#T+zU$M5;P=% zGZn^@<8x~bk1*|%35v((3#;^nh4_-9tnltNZ2Yi$L5tF04cy=PN6vs4ncUzg_4F@W zqIlw6f+O%yMsRT|&Iolt9c{-cG%@{_yUC|u__jxi@fIL}YsewZGOvTIxqnjAgy1=# zU)ro9e_98xCH?Bm_he9ko!cbU90*wE`*=6U_8=$7(`j3);!pmgAxW+3!sC0kGtlIs zg`?n@ObJjfy_%~P)`DcLX6AS*hwx>)YYBe>hW3=RV7t5h z)z^Ey{SD~70{L)s`YS8ENpK|ylzh*)@zxI~y_6+gn1hQbRwR^#!PRSekeSH$#1x_? z*6SiWXC+tg=FxibLrJ(B!+Wa967Q9J5&G9+geQtXymopFm%ZEs!4F1*wxUB3J#1S6<+=fX7QX zjC5DwY~nwgs8IFQR518_XisR?fDc$VO9}GnLuiJtiZ3|Fm)_DA+ovr=w?5|oXA?~x z$Y=v94rbA|XEUnCV*Da3RR2GHA_L~v4`|MvJln^I#!+YSaIWRRXJmIQ^M)lx%yX_5 zVsgs4;k;^regPx$!1RtLL^3@gFd_j&9Ul17gW{^}F6U461=lWKUhb{-mVjnUG=zro zEOizpAP5A$tuE`<1#LLX>LYK_GW^=y6lX&nYiKVIjFPJ}6Z9YRnTV|<8JcLUgGJ>{ z#o72kK@{(_MUqe<51Olyz=mKbeNaWB zwS$==8$i`}agG0i2fq~xnF)5G{2wxr#<%G727N1%W{Naqh-d+Lfq0&;gM&wm8DDgX z0{wm+vC0_OMtBA6ATBMCK4y9Bc|eshI1*Tz1dDJ5o}}sp#~4o4K44HTd8&2%#9Ojy z01v%YA*()6O%d1LA*~JJlxQW7i<}4uz`;_V64eAO`80So#L5{47GQ8dmqD2SypvqK1e$J3p2whb{ zX%J|Ft`$OJVlXkY2>QJJiIu@1iW%Pdbio%NVdaHoG=Z$!(S#T z2bKY|-xI~0C!o-Z|H3dDOoJEgb_&FA_oh1rpY7_o+j_yyS#GDbd5VfU718B-iWFUE z56r>~h-)Dr{?;H14Fi~a7V0b>HhxWv36rzdsUe1H722Be40J~VHaWv?pB z?8IwV)C{7%FA^PnC^oXp7pE58vX6-Nl0O^J|@1F1!swATA81`8UR z%z6}+665C#F{DfZ(fycMUSfj$o^sWGoW*Z8t!?u?U^UaIPN%-1d_o8iwM7ajP+9@N zMB_1&BK^o1igcnv^JwnzBT8gM89`Un9ktU6U~OsfK?u%CZ}{8w>0FK_a)vgmNdO9sGuQaab%l>LJm|Yre zk8U@mMv{Oi9dYR{?I>v*v%B>oO;FJao8_Eiha->t#V_#v})jtf8|Mqw?WqNHCPf%cm*xo%kTEEa*|F}&3 z|8berycp5`;FO6tF}riMEBterR46%0sM}xsX*XxIF(JwH;gJ52wi)%1o!2FT@Zl}( zc%DBS*Wg~}OfIor1x(tQ3$Ppx1e$yBg!5|B@6@)9aALPyt~;$o+y5Rgfiix{a@knW z;|Os(tIewY7(e5<$Z5PD)0R8#c4TbPnQp&h*#%WSItS))_QzEfkcW0FK`KqN=`)RV zASdF1EjoI{W>cBsvL{gj`~Tc)TtapwC9I z?vq-nrM=x21w*?YVZtr3WoWkkj=k{G+-Ur}5R|D(gH`gIiOo9d9fzX|DaBGu=;lEM 
z0tY3;8FH2LN13u9%9zdOHsX8cCaHqHx6~{u?{Fsb*oiXpJ1o~%Iu}PbIF%vE);&xJc;GI`Meu}55GFaX{R75w17?px%9w@#s^ya`gp+2 z4$%$*-bH0S{E)>cI$H@y^!{mOb=-AnA#~*l6pG+V1L36sKPN2q9sygtb0QF(eB6Nz zAAnS*pFnrUQk3+AhX_tEw`+p{uwtqC8&@y!<@oN3@LQid zJQC{DnocWCM*O0`JfGov^8Gqua*q(lpxUWssCh*9NybDc%*={BnAQP4-dPPjSxY2) z-3dIAdwKf)X@c{3KR?oe{rr%9K0eM4PGaG{8oo~F_M8)yQGvzGMj);gUC$yHUIAT7TQvkZGYcTJq%}@Io?)C0n<0 zr~?*3=sdTF?LbkAlU4QkbqU``ZRXs_$H|Uvz(7Wdn(WDgp)eQ&Rm6mmEFOlpB_x4o zCWHc^$4*lXqOf;XxNV4g=5<PN$75OxG*5sgDO6XyfkB3H;-8wlWN`q zhug7cmzx-6>dor%^KwdkjmdxFXblO4Y$ysMlqb@>Cw-)r-j7wPj6Skt1wRF34jV_S zaHt<uD88vHp-&(SUF!K z>LgNeaz_Gv``{I>_&p5FUYBs;LXH6%5b2|@3Yk4^Xd=I0hBHxjMARy&Qlg|SHj^SU zMfpD92cJMT%_SvJJ`4LX5`idThX&kWhKDr)$Ie7J5fXv@^8V+~A%Vu0G~q{4r;ISr zXK44mn7b>?p?D&{H$pZe*rv&w8uV%CthVJ!wnug7gCM`!N;l2sR>cuI9IZO+&xG1? zcLAOmM-aRi@h`{u!Gxd2pf=th%c(=BSDR#nbF=JYh9`o*om5Zd+&~sHo~*A;JU~_V z0~P213zU~ggjfqB@A_{Zdm}hbuS*z|5M6=PM~`08elX8D@yd@QD(mNaIELRZM4d0- z0&qaa#BFV`Rv;9P!Oxk+SbwV0xRxc{4AB(x$q<@npVe<4x}j{Tl5KE*T>bd|GC~p? zh|nZPq+W`vaa4_3E2@F?3VB+^igv7si-#`P{YeH{ydPRJShi`jo0?0TIk;X2VYAco z{&pO+k5WuDm#ii8y@#{wMJ%M0zU{tTVwUM9yPXjM=@A=>P2oz`_z+70MOhL-MP3oM z#6Jl%vXQ}}TlsS}GXSVUvoFB~9qN9YbVm@5?uL{_42}omUUUo_DKp7j7!&w97n-%- z%zsmj%(iscKZgG-<(yUr!bX;9x>POygbp(1b0@!yRsGg;C$$@w6Vr($VNAWLZywqv zL&~_~v+PO-L4M2%*faq!8aRb0-U`m0csE_r-)iMKvambi#Yh!l;zG>NW;e|O+Xu5Z z0LS@?R&lfy6gcW~0*4DqaXA6j$6d^|66tEAasgA28DQ6uVfrI5wWNvi2htao$;VqC zg(wzlZRh0Y+>Hy-<*z5{kGGrCVedOpDYR0J zCnvgzlA$ND9CpOT_6vw z_6^7tGxyVgP-lx(roA`qx!zqUXS^6jwV9spk-%?kgC0B|bp79_9eo47QL6{_hJqk) zeGxZPvsDsjI8H52Ew~76TSQ7QPGlyF6t-s0p{LbXUCmuBf9z~+?AW6Z(~9uGDYVG- z-n~4r)ZQsurFOA}3bB7_Za;;mZhPQTk^3x1x+CGVJzpbo3Y6zOqws0oO@U@w0sUqL zoOb7b0Rm)x-?@G1;j0SyqnTu@1~{}0XzV9yqB*fReF$zD!_murSG$wMvo5WYETMU# zNN=T#SH}H3@)4Udj1teqjfc;_R*Lg>H9QCXgj!wEg00-25(oL2>72XZ+Mg3x<8<1& z_EX>2vGz+UJFtB8z%Iv@KKENBHE8(ymF9-ltH--3MhR^ zStGz!zX<2Rw%E-kAI(tt=(M1Fi9ahmm%fe)88eP*1(tOSbC0z7Ald@Xs!Yl?*%Cow zP-ht{TAXGz%PNwyo2|_WRkhg&tp>Fk=ksc+7zXmTTO9F)FU=|E0697f-+xRkFLrwpBd@7KZefeVEHi 
z3`^sDUve`FNo`ks`1lgV(N!|s?%At6Jy8LqW(4PSXLN|F#7MGyLY#Jt%JkvhPc%=R zt4X=@-T<~9uZa!M65pIhKqh1{Sh#AbUtq?u#F(TQ(7 zy3!P<7LfTibiPj)+seR4RFoo1O8b=Sj@P?&dMMuo?mcpdQsg3MPLw;o8fCRW9O(n# zQK>ae($$9LH<7(e^3kPiShs)12aFq)gXtN@--bFN5Y;*bCT`la6EQ^|=AW9Ee8ZG% zQK2Lyy3D&EvnrBnHpHf!)Z!wQPAxYB$S=0L(dq@3F*B=XohYxo)+pWR98NYEmA=~Y zZJiw3Gb1!F^uu|S2@6I2TzOr&20+6F^ZG|1yG!rK5-Nw;CHQo8pi2;o=F+{Q>x(7@DQVXX& z80~}TL3fHyJyx#)7YXoB_kWhjtXkBFw%rOn3?HX2lr-?GarIxF52J$;Yp^y42jCrG zvVN#9EA)*tfr>vfQ=M1*Vq~{_gT1QP`bbl&ukVk7kqzmDh|fd8FyE4YsPFXz=4j(lqR09=&FOl1;f3Z76#~%z zbW!=a?&i0B|GeZb={e>LVNep?@Vij0WNk>ZLuDh`Gnal;Nqf(0nY z6eG>JF?*D0!+W4@+>4bWK+dH+yn)ab!jKa6yvw*lNfEAHs>%aY+@kU02K{Exk-p}} zXk-Y#K|gXKW>4hdA?Y3sg?ky6WADYS*4s8Ha}n{(J#8+%lX(|bV~^ZRU$~**cC$ZD z^DBMBBvzg!9`m{py{y?g@tCg$%^HV0ajD?(7M;>WGQ63*DR)}K_0BEa7;KAFO&b1% z$`!I?5>50F<;>rxaeqvrmrgSJm}U-wxws=Utg6r`B~4OiTkW5mc}rED`J1g{&22i# zFo;Qa&5m}%%(k^0Ew{oC)m7Q4;M#%UavmP)#JS{VRZCfbMDBM;1gdM^Wj%c!GY1c* zUuB1&>CqTD!%6u+49>mb1RFceZUI*c5U^3urJFc}JP9q;tTg*s`zPE=NoXlC?%CSav-WJS1Jvy}vpw^3eZ34W;=L-MV10&O zyRe?i#vXc%YL!@sy4~af=yYTfm_~;WHBErcmSFH3Fj7_$_WUQfIbA`Lb{M6CMUew6 z=RGv@D&`H_s(XB6^7Zr3PwATcrWyT6jn2|yIUC`1bX9!I!~kvI75yFNPzo(#FOY{5 zJP!x4{*Cl}0pTn6dXe*6mJ1B|y0plU2r|8aY7dl^`O-uRA`e>2mAfZjUqS+As^0x{ z5CL22Qe=?Mu*R2kZ4VLH*lfBv!{G`wy)xAE|(81@L7>&|&^Z~S_i zM@I5h8HLQDxY|I^35qn&HaHw19Jy$|-z;%BA}-DCEwy$GKke0U<#m&HZB<#>Ho-hf zJt9VW{pVn=%XUFMbaj{K#=ZV9BtBy?a?WZ+|6f9gd!j~>*rW+&iVT+?Bu*!6RU*mC zfLVPS*gG>0l>z9-kBjQi2{jJF&=IjFM${crcs-~-X-nYe=1UdJ;3IdeTIs{7( zJRmDwIv(h3HuGm&x1GEOTb|h9uBAVK&04WqXE}gv{#L1e-F6MYA4e`Let8!C23Rpz zWZR{97YngZXCsy+`SYPn&m6n&Q8qNQ&lnp&Z|~thyhd8N^;bwH))$dWFGJ^l%{=8C zDx-^cK`)`Qa_@>gucCj%#JWDV=RNo5Lx``J-M0nr&z@KAE#HsR|GiN*|9<=G)64pt zHeI`|qUY{&_yXkqiD_i~_hQ~sex^_OS%m*=m24JKe=fNNYdMU@@!c9W-5}O$#HJrLWx- zBg|L0Lf21`J=OkP(`-TD&ArDzuINL%ousyFc+@(|Q6;S9K?bnk*!AGZEr^^bMv`vFdPT zXH5=(f5U9%I$Ot6P?lh?uorpaqB4EAXtTNe4LX{E6ic_AHQ2RTS_kH_3mDDLj>Bx@ 
zMav(nM?7`Ixg*$`^^}T!k(zjJ!nk0Lfkz=5!Ga@4M&qxh-&_k>#5uz`wB?D5|CbgSsHo1oQmu&6pePp(Lm25W+>O;G$MD2+QZwo_U0zH_RwPCn@;4qR>rGW^P?x{=TxmI@0-sJ zwASa`K4J{p!w(wG_-nqodq7ZKcDdT;th3}u2#)+N za)faLR@?D)Rk|}6z%GG2HgM-lK~lLkMj!`Vy z-O`3h+#ZW;hHI$|5Kuu`2D~r_#uYLRU<&n8CpcY&Gd~?=P0G#b$LEg7k}55N`K0%% ztU3lg5{X?SC6KYp0iX>#?{OfpLcapI2!O(6j`tnoRUh83j7u%!km!Rud~zSyIX82M zQtTFsjhTz~X?(l)gI80#N{UyStlun>ztzT2dNlQbW~smVJnoIZ9p=7ocGnJczjlU* zWZ5A>;V6@S!8Pi=-6}12E3G11L;1eKSVAm@(<{POl_HFG=Tm_ouSZ$}JQY--lSdUv ze4R(ugH(#-sD3kr_bV0nYiLTQH=qXI7#Pu{kVtyJo|~NU3i+3N=y&Ie zYV?Qy&$&bG&$&aE!DsBha|iYt!84_kA#M5kThm(<%3rSPRU@6+VHpZWQVW=D4LKb{vXvabpu5hB zsx8&xJS~>A%DMiFe)-SDGQ#4NJGOBlt<#3!$7|eaQ!FgZ5sq<}(7Nb5ZcqJsCM#k!<;M)wOd}MA2T8_+C?uu=+H`B|Gd=~I zBVm0xY@N2)?j>kikyn5STixD53VV&00aN7pBl=cBQBCDVH6xmcfBMSekNH=j2=J@o z;;g3JAqt4P1BV@L7J5!`;8JGnz90VjrZ+|mCbZ?5=x+V{M#*TZhU1vd!TZ|Xa(>@F z{oo^AzmModn&qaS36CUbBS=Dbyl{m7_WLhh^uMp2Y$me$!mpd35HMYT*``E~z z8@MLVu*9XoMy@ye;F3Yk2mWh(IXWsc@M6@`ZVpBr~>0gnd@loY_p5Zvjod#hmTvdtcFJJA%KfpBSBx zb9xn_8c{qPGIm!{q+@RXXjwtl)H@c(RIkslmlA8Rn-2T|3kscY`4Kk)NAXU&WYd{L zDa-k7_|b}jL~51zp*!0}*9uxeGE&LC@i8RraNM2Lhw0LFLa4_3q#!0(s8#oLUB~|q zW$(ZpiMqDk##YDd7#-WTophXzZL?$Bw%M_5+qP}?sa|WZ_3rPy<2z%VA5o*Ko_o$~ zdMr^W*n8ZI^#xh1$XFS{S+H=x@3CTi!ZNBEg-a%FF_L;@b|zqRrO0`erD!y-?RZeu zCqwpkEzV_BW!|)XIV9#V2Y!ZIHP*J_T7SQn7--5+ZZ}R`c-7&*>cuX{Gin_d^?4i_ z<6GK4Sh-cT7It`C2%2GOQP8BOU2AAbIYWWFpv~0KIj_e%TuioF)vXBM#$5Z+Xb@Oa zkC`gfVBCla>$@=hbwC z`TdN~yQ^M2)4BRcZ`(96E$L4j(_PLK}Z21O<%hHZy5eNuLs0K)xn~ zC>K+%EW$a}OR*qx$h`lm zlt@RP=y<#YQG+JV-_146aEW~i&wMT$P7VDq>}u8cNc3De&1sdeB1S>xTMt*}jmfF&i@1bDHwEkjAwQFkjJob-vP=-f6_ z=nGvPY?~Lg*59e5DU|~X#U~wXX?_a5E2DsU#ZZ$a;rJQ_82s}3h1*hMt(WsjQkW$3 zx8a4$0}vLRg~ISf=tUi)aN*amoy2fq1#&K9fDx^>gG_$18OA+~_TNj!5p}NLX_wg& zCNz1`brzo0=16g_%)L2D2JwtOCZ`I>M>q0D*581#7pZsLC?ZTdB7gg%;=`qxb9+cx zNSQ!;xMT``0q=yd-;o&~>+SL{XkASV-430SHLMxmc$SB&(Sgoz@);~XD%H%+D*j|0 zZbFlrfc(sxIb-ukv*@AFzVV6xCm{mI*`T>h=BXzmX#oWl+X{m;}ensEd}<3VPpCzELTeI2>&dC?b2gD8YdX!tyHsI4EY zAPFUm7Nj_u8Q%%yoe|OgRem?B(-s74{14^Dg%1#Agcf$6; 
zfUV&`6tU*z6%+R7W-zQrz#3bWpB@xc*^OCJG~8Y4df`Q4+v+JoYcc%cvt)s;siezJFLMx+?CkEL9i$!4>lzl-PJsyp1ph++VD$43!iM<9V@&u%GAH;*6@k(8rVsWoY z$otfEJ~fTpF-r1U+wcri82Wf_dWJHme+|cC4FtE}zw5%THNrF>Un!#?&m{nm6~b!H zV{am`5KBe02_5TS7!+P2oMlAEJn$;}b8< zH>H47X`Jc$Sl^tYEI^HCs3vk^{zyXdcx}TN)hs~1NpF`ipI3)1t}S*t`DIXfC$h%X z+1Y!!u$TGPL`fnaVQ;Xt=e9;_7Hm&9hxCk`?|N9f^^C6n?`dI_<`m9h%Ws^u|H};* zFoo2JktxjN>+r5B=bK)SO}<%@jd7;D|Jvkrm=8(q%`gm=wHIIs+Sov#oP=g>S@J z3St*IR2>@Oa4Eixc2SL^w>K*m98C=(N1A;xDO-~l!p5d_$Ne~Ljz>D}4lOUd665aY zn1d6!QAt`KJnPA{#V{^Zh2K;BvP+|Zm1G&)jQNBRZs(ruqN-a!?Ll0IBk{!ujTWT2 z>0sy60XtRy2;WgfGx~7E2*4#fxc*%n@`y9^8Pz~42BCJ{$4DAcRkI@3nI!|^U1mVa z10E|m=-EFv7s<3M`fVGg5l#1afYY0IIs~(;wx*QF`^c;|Qiev33=(7t z82o>X3zz@*xUl+z{7H}4i}XD=IXu4k(`RfJUnswXl!5*9UGuVsmHC=GOVsHxgEN=-t9zZ`78?R0HjtL-6^%rYxovNwIF+|*i{H52uU9#&(O zPFL0e5SGDnX#CN;!CJ9IsPV~%SXSYmjc;`ugv%c*RaUE!+`hpzGzeqov=?1*4Fhztq^CHAT0LfuF_;vLf> zw1#pw#2y?(&q$Ca&K_iylAs)U&pb?Qda506C1`=6#*_a2ceqQL@H^4DbQ-*twQ*_C zAcMn0hk;o2^-0dm{)eJCDwD0L-^Z=u;-yS{ja09zC~~n51{jN;rcY(m;~VZvQub)_ z$MHhLjg2=cdl=424{FQnBNS63+qvDs2gl0-sLMjAukr~T(JCd(7NO|rTyAL+!M(Kz*?HC3h9p} ze9&4m+I_50S9H`A`RR`koAp9pv2JXU4jSK@TBY^*?}r*FKuXz(kCYdxjB;~<=JxV- zV$~kvM{`DsV`E3M->#{TY%1m#s`H@6Djleg&9;k)(v+q>96!+N(ApNM~1Hu;J-`7OOa+{%Ra_v!{ zBgK#l8y-~CZ;U@A(4v3d5?Nv6542p&2rzO19^2Lqz++1Ql9}Kl!-8t`elgnh({%e{ zFQ{mTW^LK3uC8W9pKjg*q0)@{m%YjwqZ*1%s}g3h`fU1_yb%(7oKsSUT*h(_1 z(i)fKn|dI4Q)o9wYtBc}IEa=Po}gZp!k|7;Z1lbtrRBV3j+r@|55)ppPth3+`IFSh ztd(c;RCw}yNuEm6OglNMaohR1u;W;)VQ7q12u_MsY{$3zPnVYSLUPfVaXHKAQpV(OR^B;0rj= z!Ra_FwoDYLSwMH^3tjf_r${v+G|X0N=uIc-!H4JU8noL?gyklYIq@ZXZoNU7&^!9) zE<+OYVQ-yBXGI_kx`sz~m0Q|wLyS>9{cv=o5HKAj@SUnsJlGapm55dLbk060^7kvX z0PfVON)N}y6BA#e$TEkwS&d^XLRa=PgAG)^VW27k%!Uf6SX*i+qv69cuQuD`K%-ZR zs4@Y;)9#=z(Rj`~rLKGzyI>=KI)9EEEm{oo0EM$$`-(SkS^t?gPIyGa(oicDPMdjH zzwXPHg20+6_k=!nZyg;TtZSqwoit$<9hmr+tN1d@u0D!~WQkOp*_w>@PHU(QTEV(a z)*SW6Rb*6e7FGI9hQYaEq|+|7jH(l%R`)&SGvOielW5iUc9NT$r$?nlpc42OR0rd&}28%}U@w#~|p+{NotOm2| zA+MTyM*qfjU^r8midzJ~OpS2vb>`u>%J9{Y2AGJI;hvvP@l?NIk$tvG>xVY_1zN@q 
z)TPXl81L7MVT2)~6{G~W>`zJ>CwtR%T5_|gA8Vlp?pZTNyrjZKYF#I{+Pl>pzrE6K z943z05-_X#Fa@k8sdWB?!AB0R4@i#ycP6{M$G$V|ozx}}FtJ23ewv;;{M%le|9Dob zfnqoJxQUvbx5ajMo=)A5Upo|E2}hwTtRE;R-7;V~Mq)qKQn0Eh|0c(EWn(*`A7xKZ zFvQj^5oUINdyJH>tqMljqAU)Nal3RLMz9aAkj1E^u``qE*6mT&D@0uaWfM$Uqy>S} z3WsV*#v2HyOy~DNv<%pU7NO5S%nbkG8j8hi@M=9h9Z?DRgJXabHE{FY2z_t&fujQj z{da%rdTbT$6BMM#F#@nh>tt$Qi`IwN36tvqb^AS~dEaalQCn2)4`%zH(|UB9xL8{v z7pYj9Cf1F2eZ|E$m2z@>9@x6>iza*yhrNt%rM6UR@{#2_&{nEFQebpJ>GF==3A%lCXAcV_^%N!Ie} zDaEWnGE%XXnB6O$p8N(AAsj^!4dR$)Crnq!dJY=tIVi)M^X1_#oKcB=1f&J*i-=cn z#7SHkyjAO_KGs0WaTl-(mTVcwjIz%V9NT8FqWuiw%eZcp|66pu91;B`=t&$OLFwRJ z^*lw<(9<0(+Z`|MN6I8}%q>NRRddmbt?cO>PY4`L)Y}WqRS)kWyn3!!?oLMG?^1ngR$lI(!BI5lHPWqH8^CNs-s-g+?ZU4=v;C+^_L$v8t(x z`qF{j)K}IW1EIQORqlq43Z`}|ca!h=v)8AS-Otk2*L{M55qaXH<*sBlk0k0e?O*Qm zbjf(lkzum5TeOK4BgwvkBZNNJQ(PB!rlxeAjp?}FCj3VS0wplKc%<%}I9Tgm+ME9+ zQ7@UAx$M9@E$~KwCo%w0w5fKigQU3N6-}J7GXdtK07C7D@J4vOn-Nufgzx^T2N0&; z{S_Pxq;84|;aJKRV(n{We;1)tbc~|=*)k^kpfVI|SQkeu7}zTsi`=V@8RZBN9MrBC z$Dq1is#0iYPfjVay}qn`e|7ZULKpeGKY6zV6Cqv2tY-;Prw?LGX_2C`yJc~tM++vOJKnRERJJ4rsPckeP=&)}Zs(t>H*B z(mwH9YZ(=9G`tnpgc-=!$~bXUioQupaZRYT7`3z0SF)S#W0Ml|wsMoF6S=jAWwymVXa8hH!Q#d?65%0c*d zEJckC+k8lh$c!e+y5ek!o@w!fBou~c42k-%RWw%bS6A$VUeP?V#6YrGG&}q?m!SZjaJuR?L{E z7sk?LY9x{<*-x%8hSsNw!Y*7(D5Y8QNAp>gsqF#$B*CW4uZu8h#JwwCl4=H+GKxKy z)bJJRFlu}E)rY0JT(a$Rqlk?~?kufLK2__jH|Jp1!0cK4Qt2qdhbTfxZ=9tVV4(!U zDZrWO-4z=v(;fY=Pppqha-2!!Z%H0t({R;bsw;bs;_m~<;vm#2p5&Ea1=dh`rr$2( zN^t}+)MPOp5s{ek)=Jbck`;xocZ;3`U65Uw1c+jBBbB2r*Vfj)1R{pS9jEwt0OZUX zX%7LS0rtlvUnIK!m#_1kIe5`2Rrt$zBX4QcOwZI=y7!DJYB8Lme*_~hrQR1QwQV{c zwnAJMkeYS`y1oQtZv{n_92;hZmI@u$y&;9>YhekB`d(qXFmf1C`%QkFpA@$Okpak5 z(g+a5NAP5)cI2k(2u!xNFFr<{Bn~WQV;af*O4pHfzG;qzqQP}CRBE{!D57q&8wx)| ze~K$eVhx_GPC_l0$OzgK!cg^phqt4h73KHF! 
zHef~M)go_XaL2PG3d!A`Tu6yTCWz@uKk?L;?j2Ctj?}WDay-2TmJwCz-R$*3Iz^glt7$lURr@VLP<}z7CJG)?{1dvs~st!hh*H z9W%@t?a!YxpPxVOXh@<2?;Hb)J`ZD03bsN)$;c{YEe{yxtFYDdro?==u-0+mLU>x- zz#!G5io@gXi-2>St&NV?nG>aoAY_y-DZsUa${bE2bUjWQ7>SxT_bJ1wBJI0B2CZny z?Wa1X!x@tEAU)!bgP)Bj$Yl!hB$zEwL+yY3CG8M45pTgN-y?qpmDhnncj=Y7W9b4u z!(GWY9$32E)Um8tUO(oH2?LBs@0Zo-Vz49!E#6;Y_bXJ3$T=w{7k{6!* z!`(cIbUP!-qTi{)xf1O{yc3X)ipZ21VJf(c6PLzgI5ZjCqY<$#w9V|wB)QvRMch5z zq~br~Dt=|5TFxwxILM$@#)`FQ1q$X#98d1P!DL4JghPk23k0_yg6OQZFkkC4H#w$Z z-Aj@&7$qjWyhn0T!t5t8A=qjZ&kb1dt2p%XANq&_rrCt zZ(dJ8s`;gP5^5vsM?9IQUlbDm=Na!pEi5*@Mpr@~=eK-kW=9P5#A$`x7fvyWqYRCs z<$F`XDXRmHXMwDSIGwI8QY>m(f^+LTgwffQ0p*RtY`OW_34El1U2DjEEz5Eaw0+C!6O=~Eo8(*`%5LUl;&!7 zO*Z%GGMH5%AQC?8^nAa9hrZge#InT%S^9eZv0!eL9q&*T%o$#ODuvh@kgsZ8+TTLm^GN zf9|0NW$Pe`TMo&W{fM62zY6uD%XHHaH@Q=1$@Z#e-wvnj`qKTOD}o&LB#XXp_D&?h z56io{y5C;jxb2AWD2P1qJgOS9soHZs@D^bTV*KjSA#3fXDdrHp45hy44V97-yNGLp z;pq1!z(X_6H%4bkPArSEZk772-4Ly@Ie}1|<`!BiCGecGQ^{{CFI}5PIRzcx5U`sQ z89*+(OY(gttgdbS2UhfQy69buG6i?qZtpOA!mNsPGZD)2*Ox$|d_0f++g|`NqC_IE zMW|DrHqwC)Py1(f4*4Fl2DNH#_GaX_i3C1%V1)P^fDz>PA49_L%rvZO@NYxHY$@`O zApuX(3bUv*?ulu+Qw6K=$0FnMxR1j0^KP)V~cZ4voEHcMvjr3Bat3pY%9 z)j8b0^?e_+yr3@h+twI3@ouiZH=Wv3!?1$a|(O{5TD&gY`=;6MHK=PKZF|u5v zwK2~0RERgbK@U?qByOLgORLaUwXf6d&$&L2*`=5DQA8^W7^xtJz(IYnxpk6xfmn`T zfx4;f=7N$xEgP&EqQyEzGn_kk9- z%l~yC;7gRp#i%X}JW24~@Y^fislozMd$nvY&rveP!0-0=<2|o{Ge=xE=y%C3M_xCG zA@|eu$VQ`KKd3-IvnAI&`~Gjt0v65UJNWuhqu*G*2o3MH>Y*b13H6lY3gtk2PBYBW zXJCeTX1%~OS^I`(99W_;)%1FhJ{;QGQMbEBWr^{#NF!OtGFerQe~wY1miMqn`| zRoILaoN}ZUF4H9@G-Wc;coWk2(dFquFD@O7af$5mhA(by*7q@@W1eF8eV%J}3p%i! 
z7cR=DC+e5+bVwc}F}DQ&MaX*J@cAR_A$4>*uqC>W#a<6|I9VH)H^rRLnCR0uM9g~mQzb({tC&>mF z5XW4+9pfas{JVs@qjP9~z|YaJL!~yPnIF)mEAr~?l=BMrsp~%k#q0Gb1rYl~vq&s* zN~gAMQhWHsaLa=);-8-+-r-yCCEhEK?jn&6=%_-wQ1PW5i?OCQ6ZPi-Ma}@4qxW?1 z__!uG20GZ^2yv%ymt_B)UtZ+eZ)Y z>8?NXc;Daa{FSGMf)A^Pec;@HXW-A<8Ux^MO(~)}R^Jf^-6A{FE<*LhL{2)6+4xUS zv%bKLn_5jI9fkGr8^#%NEY6p$KnbUbf^c;`4j^6sZ`pzDa-({klndI$C$Ntp1W(4Lm^R`%Dpgn&V{;8*?BkVa)6(`mRbbIGBQp}acRz#^1v_Y&GCxE!JfC4 zOic|AV8~wVeL@)C{HiAo&u6olL1<}J#$LVU0%NL6;JMLz1?ZUz{HjKmv91QxS(%ym z&VaJW`-*a0V_!4FUaRMM`;ML`CBsuZzAG6Ab!C^2k!=&OTW?lv(Iqpw!P+u1%$dP5 zaj=~~FGw&14NHZmhJT=QPTgrBU{Fj6i!sq~Y5)%P?+en}x4$n)4&w=A|G6OjI%a|S zb3s!0b3yV~R=?)t{9pGY7LtGNN9J6A-;aX-y&utN{dGUO&=>}W=5Q4i$I0$#Jp%J@yc6%DUFN0nT!!}yA)%MonSMWP`OFPF;>`Y0_; zuL5DW*OR$NHe&7@upf5{v8zjR*P8;*kKIhJvA}HVEL1kzlX zVh|M{XF3Zv#JB;>ut>!!C`Knm?MHenN&;vXCTe2h_c+L1zvaGckETpx@QDRG`*Q#U$uD^jUbL_cLzFb=eZ#VR>vXi{< z%JtAa4l8~N{A^^Ole>cLu$tJkIYQUqF)Xd;vPI6tuPqYnE3w^x$MjZ7>CPf>HdhYa39oO7MUz4-l%DxXBy;wSUk_TlU4F1he{pD+seXcTJHl`1f$maYvt0tseHE1v;{=4mD8$|FwU5-{x7 z%<6n^Zm7R%C-Qe8R$FT{{>2y1AYNciF4C^tj&r(!m7Ly7iRv=A4TBax8^Tnf_(6V~ zCdZiUAlY3=erWzI-v(Od$SVUTse!E|92?x(#&VKzFc%ve=3*cO>Ra4UsoYhqfAu;z zt{7X37ICA{eNB6k8SLww`&cv0pJt|NPRgqkfk*;&`2^QSGd9*i1fSW$ zUg869fXRxs&evNc8m!eEG7Bk(iXiy+=X;ew%Iwb3WsGhC^_;;Jhh3o&s;0vh-r1nz zDd(S!TwrZ{YYj4OU!1P#8%e8>?mQKCY0o_+DI%n5XZp8MwZy^x4P{oK=G40ORRm$) zC;k)493Ldg_xituGMOh3{|aRqN1OdP(lbuh{a>NX(y;OW3T2vr{dLN^J7n0@E-shY zmix9i>T1w2{o$9SQJ^2BoPXJ(90iOxa<~!ap+?&6AZi5g%!Dy zPe#!5?)qBIE1YRuS5yFLW7h`@uB64$MvKpu95|^J26PE!Vu{fdrA-rlK_K3UrNgx$o2|bIZfPrA{kcvsAcx-EoZlv~5r%Ez| z(02w4ox%+k%RQivNv)nn+@jxwH$`ocDs1INMC|N$0oZ?TaX1O@z+DGr1hzLvl!VSX zT1YD!#pH_f+#o zkzE?DhvhXBx*-;570-`-nN&xp81sY<;1$xadDZ<1({Zu|DALVDyvAONP8g5APyqHY z-uhfZZaU(-$TJ}+r}7C*YZWV*9Z}4`T8~bLpqdx)e+p0d+U6n%7hFJuLIvUlAW&I^ zg|CaGp3Fjic?I^L1}h8I04bknVont?J1!LRPttLno86t%t}ngZ)^FQf{|1V9E^;0O zO&cik$RSe*@ve2g7uJ2KPQCMW;3qP?%t1G_)WaMVTZYtOycsxT(8RlxfU~QZWwTm2 zY0!&I4YHe*R6MJIV>lR{W3}d;i8cZ-hVfc~8zN>U-Zi{9NX1n1aZ|cbryeSxQrs3` 
z#1IGO?H9ypash+oqh?w$4d|wFVaEge!X{dG-+xC-1)MhV!ZA{4>wdmSUJY}3zwObEmw-5{(>LQ6GEcrzYc#%!t{`!tf>){eu`KA);q+&M*n{9#Y-KM@M6P-4A$)g}{j z8qDwcaZjECHZg^pNIsC2<_dF;j_hP|g4}>)I`N)u!h1e|gIEd!fh%3ze$voP0PelU z^9aa@tuhdAxRRAqoW!=y)K7)0Ki+o9fKUUd`N zqr4UKF)&qRyqlV+_B>{nY_lLChqzJ~@bh_YE)UsSTx0J|RvBvBhzvmT7wg`(YY=IFX2@mY{jw^jZvQgY!dC%8!xjO*ah-K+Ah;wD{H38Y0)zl~0wxS0)F__SzQjj8 zy`YLr2iM)~V`nm6X<g7x} zsu{(YU`&cX2VUM`Gl=HzZ!a4YUjEMBY*kEpp6;pT4<|-dbmvjpC^D)o8)z!0W+G=1 z9vXT<`B|!-k@dZTEER9V>Nm3LL@Z6`y_&I{qZ*kO2akq(74I}$l$z|{svCGFGUB-; z?N)P@?6XhnVds}ITi`OHBS+NCcdt@3p`?kw=|_qLr3!)()C%JvmjDjZXGQBLElpV- z<%0@S9bSFw=?Znr|HN*`I{~rVvH?KsHfXx6mU7>|Idw9nMJ0Tm0z8{ZCUFE*ufxrC z<+#bD!rc)t@>S=YoQmrs7Q7xh!tjd7#h`_zXJ+ZHhiEQfi1BVG-&SwA>Zr|}65aYS%hS8fGz;3;m*NVNd%{EFfg zOS}bjQi|{`i;NGKL+lrk0_L!07A1<}r#`Y+s2=Aom)}xo7`+qkL_KM?`vsgCkL-A=Qr=Ls4 zSn4>UR5jewAuQ3U$n;IRIKCW*QUyYXQs#D~zV3+HH=R=ncfI)Nud;QXHqW z$1ZW;(LZhBg!D@1RtNA6w{JDy{&o+pB3ytIwX3vWGSKqQA~{aX8ePlV!d3o>o);o{ zBZX~M2A8w{5IH~1>reP|8BwXa#TCGi{mirN?n&iDx1N8L<7Nv==D%!4YiAk8ZIk(w zS{rGOgRgW&x2UrN=j$UQ50{|wcda+p89OF@j?D1%>zPX?& zgv53Ce(TxuzMK;3|JDJYIhSk`uscv(EH1W2%C!aA>7*-Ufhvuc~gm+Gv} zGiF4*iI z6GWF7@SvJSGMH*AXmTaCYisQ~s7;3%R}^(sGF5sE(+6cZ;pKe!lp_YNxH#YS!Y#75 zbIIO$YAD(o4#Q0}`gpe5`*c#(37KXj(PYLWG97STbfrd*-vP3iHJbxXu=AL845AGd zFl=Dx?_Z*rQ;7hP5&JX@(MNN>_=?~AyD9Y2~A+Zf}~n~G)PWD zqpPS>64PsMl4^MAz{ZmSnz`}RQA31m{Lv*+bF<(rMpl)hzir3h6xl zJ6IIH{UR20&`7<+np)S{{d*&31*yZ6&(uk}nRQD0Bcu2fH#Qv~HsQGJV2mi=G}&rj zf}xXVt|0y6pt_wag<~sjDzq5OSbCBBW1IU=(Q4OMoDS&6Ptl{J@~)Xk%Th&lbJP6G zC7A$ek%J|4=8o%8nf4dTDjFZPoQ|@N#2b~j$>N6;|8%%0=`h1z$3&1|ilBA=XORXs z=^PZE;~f`f{5zrTiyJR)0ih2VmJ4&bzhr(rVNmlHahglGN2H-ajTRwS%MJ6%`Q=mJ z4^R}H&%(!%{e1J(IS8w!phP_L_WtC=@Tl`K8bleHZumZICe_y&VqAVGUxnLjQ{vVG zEZv3X)~+uIwjAidp1aGqp-fRPGc3!pDr4P$QQX){voLT7wW^P{C8cmJi#5xRz?AS${kenmD!VmBLkFDT&^CVnTYCMZA-JrGx|HLG zKYd%Ux|j|-C~!{>O&Kyi)mI=fE0ZuOr9QI^ToW#h6LV%CC+Hqe#5XM6zHK&umnyO2Y6|E+%bZT? 
z8*2IEpzem@!f~+@Izt4i#m zFc56V>^tZQ-Per69^92V_vM-&Lgt-=6snK*nM?I*9<=BA4xat zvV>T82^;83QHMtNJd!(Vc)GOAZH>m~&&}1k@FT6URw5VnCE0=YWu1_~;wFKXJF_YH ztNK}7NdycQtWue&j0@`P8c9zbK$@5exYd&yId^R6^>n%|l~go2dZHtA>Jqu|$iyfV z?yRkzxry$9R~yCX5F6zMlZ=0!kP#KgvhO-_B2R`@ws|(-1mj9wi^q;C!78n31pPd< z5*RFT?#E!>Opk-M4_w3rsV!}cAI#KG5ctGBYDw|KAG_Ld@%}hk@ziK65FAzTpAdot zKQJA$q?3sv*=jCm%5lBrqAKmdlZ<@~U+8fx>o}Lr#=-DmQyc6-bc@!*rdBajgP&~0 z7|%uLPOfxe6V!EL;<`%>IynZ|rx2HwBD2izmG{o_u_Zu4YURWuzMroww&rnKqa1B4WhThIyJqFE z!^mKAg=cyG_{~Hz(2XR#K^T)k7|m=L3p*!U+TJ~xc%*LzpBEd?r6-$U?p^8#X zvz+-Dhm7})w4c%W*BO)$gpJzUZY`&;rYv{wFFLg5yfAKcB3itZ>)zt> zZz~RmcJ&%$${mJS;Gd{yQz@Lgi=-2bdtbPe4jEI4CBbxEcW^JutrZORG7Dms6Klr0 zgW@#90r_%APWSK3&ZXBO03$>2_>9Sd4F< zyilrE0e{C*ETiTbg%M@G7aD1PB+Oob7zVcF4?96hDn@k7;3Z)4f6BQ9AM_quMp6G> z@~mKYK9ie9J8ML6RFsid2yA*0KD&Os=cV<^kjcLtmS@{|B0D_jp!k!}Z`*8p%1FsD zTQ_YEiQgEun|BJYhkirA1vqeRG0xnrTddlQ z!Xj>gVq~;4%d19CXvawl8_!db2}h;Q_?y1Wl=C#)nBntWYLm!3o$YhFMqg}j6XIha zq7C`9OC`N-6he2ZIF+M}sSmO&D=gx2teZx>L_!_Yt(v16io?*6v^3MLi*?fW>u}TN zi5mdRk)0Bq;1k(Tze#55>6UCOknkdtEP|1ZHd9NA5c-EIA|vY=3NoIlbT#)-H*sCN zpR5us+*!!NQkRE z@t6nNkSUkw;PQguJqm3Pa1_c<@!h}o0ob?~$o#{>on(t+w6hXbvC#p}k965zkCd9j z+?)M>V&x}!Yky+pzyyq8Xfv8L$-WT231jxz$fEvJQ#p6=r=om(;nKkg%?3QCa1J+YEQo93A!kuz(;pEYf?vH;RAjt&=@VB!p8~7R%$A&;jmqsh?_a} zMP@zN?6<@FbLAS16#OtH2_pytd;K4th!{aiG12o^X2~i4`3@scQS568?XYAJy`4|0 zvQWWmu3a)-?+%GT};@n$63f(uP%7NSz29e3uehFfOrc!G6+wL~W{2GBQXDDCYoR z*IgRD&99=gFtsF&W%!JJA@FYhp_SmM|Du(y{-Kqmx5wG)wr>ZVCsWKK+Q93{!!#GL z6k8GxNX-0*ukv9@*7}y0F}CZZft`4CNT&qC7VLJG~{$$Ycr++DD%M*9Qk*k72PU4Xfr{-jk z&=l1T`BBo~nq?Q}ERjua&y_=1s(^MxY>hqt0hvCiJ4Qn8A<1UOXp3Ka1v#Ef^mL>Mw1<&L`XGusXK^7 zm$fw-9OlB%!ljIpw-w2({jrTqLNAe|B?{AcoD#>u7`8Z^uT>>TI78xSa^n?PCD}a? 
zAe@oYw+;zheW8W@%$>F-GBN&>6f~_?55`PHOy$0s-bj}jMNK@7WM=u9KdHenz?L`O5qTN}ITOyvX^;6$#WJVY?hntD z%%)=)WcnA+bcm*u<^|xH^#0+Q?j!$;X9_O~U<$fJsw1prNI}bJW#zi3XQ3twr{vrj zF${eOx$^NJpcAe6-Nsfo(xly*QLA^1u1h!MeATP^a8GL~^Xq4*=K#5b-kPrlvsipn zKF+|-V!m==oWW?G2mW#I$9Q3`EyyFip2c4v69Sj|^_{{;N3r#PgG@o_%0j%{Aw^5^ z$NAuQA88&HeRgA2JjokSCTv=b{LWMAO*|io1|i9xqc5Y?8GvnJz`*eMgW)9=xx?B) z1&%JL^$(RQ*=Zq+V?8vm0Ur}iyRa2>%SOy##@Ri74cXtZclI^XSJNLx*)q%e1C(*? zH@{S17c#E11j#3P?0HKHY1}S^bMA5#rARPl{z!u^XdYiDLwIGpGpVw%y`y3=#3GkM}sM)-cf?; zB9XLKDVJSH?+xU|9;bqbF@dItxc+P~Oy51bXX!jzgHwsm`8vto^=5uo*J0gK{0O7hl6Ggt6(R2bU_04Wi>%I}j{37l)sAoqpJjJ|nYDKxCX`dJQhJxsw6rw1P z@Xq=2a3r3*DE(E_GDY;Ke+ zl%w3>b0XUUyFICeBe{nX;ogW z^b+*XzVPj;__im_`nk7{UN4~J=@LB!OLvOJWYxxMH}Yh+O#LZqmjfbg7;_RYdGW=A zXg`tVA%&R@mF-2mpPe+M7tLg4fD8OpI^RuP((bFw$buF@Dk(Qy1L@H&Pgt|ag2cH3 z{Rri}X!FioEO?r6qUez~CE{Ngn(g@|;H3RN0^>roM1)8F>3KXjN44!zjM>ivVF(Ys z93#7G%J3#@hc!SjuE84NY)o8bXAwqVe@g3FiY94f^p(f!cS3iN}rnn+Ig)n*ifYOoBt8 ztT)kobm`QWlssFX`4w{+iOS&Oqgh17b=<3{sm##uYZ0RGnv{EO6@7q*N0nu&)3Iyed*H~N(+O%BNa8nwh*tfwA~?wTHxPfK6c}8pz}My3hZDx zU>Oo$eE#Kh^tLM7XQkRmg3Ulv} z9Nu1~ebm2-nx2+4{^}|EZhcH1-eHMcrdp%6Q{gV1nI9#-z za?TbE+ZNEZdsfNuGm_<;eO02I{AX#@8lYySq!Lus=%(Gs^ zuAT)Z>p;eDz;ZBQO4N{1_7)20zMh2c(2~aT8)^^}Qe4czaBb1H9*_iCo{&gG*@`}S zM65~@B}~Ck6&#W!2Jd%o8;^6VX!svbjYF$N5Wot9xsiCW7g5_*9Kw z9*jzB^@-ytMSi9eRMzNrW{2z$Vk>GI-9W!66@cTERtZ7{=Z^JnS^O7jVXMlI;6Cl*LN*NFw_*C>}#FUG3aZZ z=AXXS=@)$0t%0UbU+dJkshN4M$=(K6jxalt{aq{HP_nPxCLP+=ym?Em@e=5K!Oz|t%`t+4dzm5CQ;^LA7N*&wHPXBp+ zu$}_+6kr=u=qZ3vb7KmSpf~u1RWV(B@{B5<|7@tblg~_!7z8SMO`WOo^zgqb-Z|u+BYlFPU zq2B|{L**Pkx=I&;Nk#geQnfujrLvtzPpQ^!N&?*BZF1r+IE=zlt$Y9f3`vk4g2*@o z(lO*whAh&!p;i|{RFPm>H@Oq0Evc&3oa7hKVXo)6n)#Pvp(sLv>kljgI9_g=y3=bJ z1T*te*9RJh8UT&RVf+OWozaz>T=~-|UJ{|BsdEiA1Yitwurn0^jos!`T|y>f1iMk- z$qj2LTo%Q-<-{Yb`chFTLm;>oBTRDP)3uW9arjw6l~I;a;7?J(dKaynTbDGbj63X% zrRL=pmYLkRc3C&*F!f+jNZZsH)1v#&SGBmUbWV9!G{z`5_5b?qLg=3}t1SFBetU9! 
zv^Aqk7JQM{vl91Uwa4DdVvZF96*Tdh_kB^vj;sp%4Z=o}mMK@@gmMC3rLtf8T55AtY*hn(GDK8aD3ry9=-`Kv5$MCnIo9qP zm%=N_zg}2OKG0G5fJ_DzI+K2#*l!toRB`GB7fLFQJvvm=6-9DQxHb#J#afq|nZd&Q zxb!&-$T?@f*63Zz8ioHd2lLcQ~t}vP~zhMsc;SLQ~09Rw> zO!;U@bDljhUb3bHI{LG@iSxWjeCU{J&NQjU$GRG=EYP^#1lpTGE1up2`fZ6(pWXy& z4#BWYK6h(g7158tQEy_2MV{F{=n+2JZNQ^-xFdUQBlOZ5TH~^<1c3G3wzq61)%bqp ztcrXN9k#^WaWxZvjQmxbC8IuSsCQbe2fKG#t!=uis3D`TWem5m)tP{1c2She)Sz_7 zkn_<9deJWv%#Kq`4UyX!d6lTh=^+%Lo#hqS@Di5UOp4QQnit-@m3Bhtr$_&upb$*d z8|!qakY8*Ptx~?`_nZ%OfIdi%FR@9fcNBV(2&(RT)C%8B02n3sX&HBPg-L&}_xE}| z*!{g;+tesT%~GFMM}az0s@3VBbmFsD*+LLOzR8ig<#ev?RIYkV%sdvwih!+_%Rqxb z%09VI2}StlVVL;Fbb_CUWuYT#+M)ihr>b3`#zxa-py%sY_);Q7OS_iDV@6N~Gk0k$ zp1p>~MuHi-4j|sf_`_`!&)|(8YxnZOVnm&1ow4@)}bn)@&<%6oHmk*j?|H^MNWBEXmWGf2stLVfAkL;||Z~t1*#Ec{GzF% zAvz4sXKRzG`y&;tG)mHZ`tl8I{Aq*&ZdUG6QbtwmQa3W>s$4p6!$4HQ^)qP^8vT0q znnS;EHU4^Wae9vDIE|)JFyinJmG7JKpNl0zwrm+-l5Fgwx*!V|!h`{4Qjw4f#N$lt z$sMfN0)&Yumsl;KV3E>Hum@&n(*~@;lXM@O+@*CSwRKh7E0Jzkg|v2IYCdN|OIzq@ zB@NBw2>@452ZwdcfWlppc0EsAVSZdV>5aQ=IzL8dr;Xw@Qae$6A&AH^(Q$cWsg*zg zIsvei&Q(Im1P38H)gj`t0aV?=iSQI^p;VNbTIc}bialbg)=>Shmz>gD5bnjK$Rw5xjc73nqLC?5B~6 zi@CkM9g!b7>@=!c<3}6~BQv}c6F5JClpOiE~OXV z_;D02u)+*gG+8Z|QJmr_!IGwLpp8F-4FG7r8wpiUm>dj5B$7KpQ)`%klOykR2edAO zr{EiB1J!AgS`S^5uB<}uCCtL4)#9=o0_TjLpWi9nm#nTM6<(~O8gLfsn@8AG7}l$h)8HV`biYfMOva3iMPNiH&afEOE&=` zV&((C4fumDf&q85Fv~r1QWO6pWQ~JvdcdRz# z+LVEbmf5Bi+_c!X8PkgKhgeuhafv!3D7UPf7)@&AeRP2Ydl)15;`>MY`-Anj%1w3Q zv1|%LH+@rAt2iGXC=QO8q&kU}$4k2^U==+dMQLYnb1)#b;pPz>P_5jV65i-d4KU4I zgjVdc@?~>5=2|2+vkDERyN6)F^Xi` zl5SZeM z83(C~pf`vMSpOB(MYF8r+*nJyN)>2ZV!N-<+gIrQ)}Ds?zcXMrqB~@Z?MwdVp62?$ z2L}g_pA_o<9z1%q-`D@$#Zw|ocv-w%^1W0p0lZAIlE24lf8>h%TGNbswlpGeCtjdc z5U&3aw;bea2J;}L(!<$yKP=WCuB=;JRgO3tT2Lrifm5*V3C~Y_QT%vBf*19Sfp#OR z|LWr{bNAX`_-Ua_xdC^T-f#>cF#pr5*BYMMFeSUcuE5wc{(__o;tPdhq$PYVqge@& z_>_>@fY9%=ZiN!h`CYKt{Jz((o~n6pr~C!g4si))y&P-lGyVdYic>fk=RyKj;}qX) zgtfd&=`ZbPwcJ6ST3XFj8j#qFm+ulAB#pH?_v;HB9l~QTdCxd8*9> zayO>(rgYr=*M`W_h?=O2P8aKL^FH;FdkbV2ryQR(ZUodRYb< 
z?jyK+9>@-?IDLud_hI%cTO-vCp}hg7e@gX*S;3F0{o1!OO+6nitr;vctN@xZwI5+6 zV)rnfClB*LyYSPC@+2xIkncBihC^okhumgJR0{CP<6&pYm|1$)NtQ zVgGCneGM)R0LX9AR!A&x(y+d5do2qFqB7oPsImqC8MM&1Tw`aGuj3q1^ZUk2V}Dw8 zJ8OuMjfV?rJ!HN?ho^lwLzD=LQHc%lu7HQi9<^VK-Ei(X|3*Pw|8|3eI4^#1O4O-l zi-{g3-~b{V5?&y1RjuldPrmmCJFD~~8ej_g_F;DQp2FMQodPEY9nid$;xk5M!YKgd zDCdb6&c)Gb;T_-Myi1Y-fVrES5dAW|$q(;^H{D&+rEe=k{J0&Af9NY^9p%ziz~Sm%is-Uiu-%AZ1d9_@&$Lq*36- zMe$VovFoobqad2!oiEV@2zvqbx_<6J)i&7}5^X0fV?QF%0`K0uoKkvKAhNX`d-d#> z`ZVZ&LHwTiNxUKp*JL%Dduu9!oAtl@2agV(7WBW54<0}5^}oA#io_wB9ji6}k=I-^ zPU*^E%Cm5nse@0;T{qJU50|sar_c>cHJt%!7Jhhm&^ ztz_z_jK;2`%q(0?HNA7UQ;x27a8<>tfTh2o11t54vcU6z!-`@2h;{S@rNK}-a*`4= z8OR@nMzQjp99z6B_NjZlTqRez-)_8kl7Ru&k!p%LCDb3cc{q-i4qw%z{wsFNS@SIeES1(j|66fj{Z(d(S9oB_jNx+@LWgq=F8AkILs z8J--&D=|=*S|jkAlHkTK*C2H`9DbGT33_jS@r((reeHs{^EtW)r`|A)XudC;0UEpq zHvPOA`bOFJb7vrStB&;?l-0(r-`X|YLGvBo$}Ht+RFN>{sMc3~1sdbwYo!)=3ce+3 z(Vu$#b}Vrj+7D9{amkrTAH8rmvb*)`Clgyi+^*@$kMJ)HjcFt=xkkOpB(E|7{D>4j za>F;Q+Gf+$u7jcrP5DYFOm(A0N>&uaBuJdWP>o)`wh=r$x4c8J-9gb1x7o&Jw@T?% zS>A!$wb6mC>7JMlruN z_n;)FU;I|IC4D*iwegJeM5&TUNNTeyYE@DbzG+JF4!_?`$EIuizqvVuYTv4~X(AUa1SWdAZZp9Pyz}Gze4RMW^fiW^fk7E2n z#Rx@Il)CFawN-Hh#rT1|-_-g}Qct#d)wR=qVR_o%8fc;a`_G>|D$xH&`_KCL|D8O= z7{Yv%ZjC2Uk-$s#-IC5Xu<@UO(pQG)=CDDr6#4M5W@=bL51YpCkoX#ti}v%sh(Zht z-rD&;IN0AWo&N*)sXzZac&g9;8?okJ3xn5sy&CZ+l40*3yFvu^FSkc@{bwDw#CDY^vsGo|bbyswACx9-Kyi_#nI=$_*D6yK>6@G6KuR+~6d z2B6*C0r*Wl?aTJ>f|@UW{&zwF@Xz&bD1!O*+!4lm^)tIGY<7HqXY_YQ?VZtE&ijX+ z2L1017u15yCWVAGRlqIwpC|iIi}^nuJ$=&W|Jcc6r8Ph&`UL+Odvl-C(pULBy;J)} z$ABSwmaT?X^d^`Nu#ai`7UbHG?kkv*V?NEH~CzO&E&RcebJeGv+jz|T3$PX2xmunAT>sgpk36>w$xEn{+*WsUkj*^>c;X7m`n)z`RWccpbkITRT zb2GgjO503b*CT9oQZV3Tg9ua55DW4CP_>*!bsBJ_E6)wmtKWH~%KOcoVU5+~G>#_T zNLK!>-b97Q_@aizUzNXRMkuqON72%Cmz%HrM-*qko}wKP*dpSZyI1e~nTf zh9Io@y)qHW@60?huu}CauRx8Ra@>;fE~nnCkifQgzvtdzeFfhQj=jLWQyPOu`?)qt zFZSu)%k&BIsl9nVMX{6&CA%t`Qdb5gyR4CXCWX}?X5*BW#FSPu{O;^+7~JJb5KGW1 z=vYe$7k%EXJuUE3C{9w33cmXCXyf17dBbM?TRTEDT$tfu?J6pAtX)@Ak>A}_RTcTY 
z-Bwr0zWRAoS;?-eHLI-{4A6x?hk^cY<2oR1@&8XA73)7gdHVcuum9V{Bet!c-KwAi ztdM*^pAsQzk8ZP6h>7~J#Zu>F++R(3ktXz7lo_!brWBrP3Xomd5!<11VC_m_nSJzA zpUGW52J~Opjkg#7|LjSj{>P((=g$s$`oD{3-Ka6LQGW$yA7c-TX5}h$?9e*2LzBDF z`QI=PRLl8)^yG2L|MTEUpZ{Yg&u0)d`b80dN)fM^r>Oe)e<3NM`pjz;>~vR1aJixsP?Wk9Q6*j6Ov5>*-R7j9mWlgd!(-G+~*-ud0o07FxLtQG+3 zyB5?ab*q(W>KjCZj^ePtEq^!j`+xmBU~T%J{U@dRuTKwp{(mQrz5ZvHDZ)%VKRzk% z&>$0RH+5K@3(FTNg!IoRdrI_w1XOO}&%-G0jMla4fA*gj>c2jFe9-Ivck+DaoVqD) zfdr_6!|U$cUU{K2S@{7b6L)}!Ub}OkIrqMEF0TB2*Z#-Dk%KmE2c$0Si6EiBffM+lH@Y`E zK7W5sAwSQ^+#AjPbWH!t;NKffevilWzw(Ex`56C4{+Zl_<7}V_ z%x|@HF8#nu?)|S(a=V28ow(QVzv%-19l<#F{@4Exdc1REKUyWu$?;40E^w=u(Ei@Y zpLy<>o5N4{MmNbcnt9`U_>Hq;=j`R-@tc>U#q3_jTutLyGR|Invh^>We+5%_-)KJn zkDnhrE!Ka23V-$Ie;3bp&P%Zagi<%Tckh2M9XEip^1~qTF4Muk|8IXWcanJe!vKAf zk{9D~?B3#eyIM_Fz<{8~6h?<&3X;-(D*do<{c!9i3B63BVGzyXe^7uNEyMW$$iXbV z`eAUezyERIjQ{`@7~|X578Cp{9Le>{+rfLV=_E8h!dq)eH(v$;3M_Cu}t&<`)8c;Rv` zlK)83yTJS563*~2`R|n*dk>xe@pr}a?vK77J#P7cXgs90t)t(&r;XUQOV&2P6fk4bbP;|JU)^y$>HgOx)z^9$w`bVh}m*Y*x~9ITFq(`qNgH_~H@# z5Y7k?`qBWci;a*FTqisPUMK05=a2{Qy^BZi1OF*EYS-#Z_QBY$|2pXKH- z0<8vG5G|ZD=^l3P$2;kCyqALzzEk@>AovNkhI?}A!sX&QDqoAZ>OP3R*z$uzZkHoM z(yyUkgQiueBdUxHCks+3;3ex>IqwUc6d`U3LYSZuj>?_bW(-W|vtc+TKI$HJ!@|CLN*pDe@9zwZ5Oh!6j-{7>#* z^cRe#yqf;yL{we|{_)|DKR>{Ka2ThM3Cps%5N`kFOrj{jrl^U<#^+0K>RNFVL91S79i;i-?Tr`5z;i*fB*h$9*ljSV>!yXEXe)V%k+#_7Y!&h*&h-L5 zlzzp|z_g0q<-tpV1UZ;aE`N#A)7VR3RchfYg+khg98&Gl>-WWs^GshtyZ^Qs{iqtCmM#Z>m?CzX9soB{sMA(@UnA2!hGg{H9 zCqLvstkvKJEz#aU_d^=IIG|7B;F*`9!)}Joka(O0%A_+dg)WFpPcbgn>W0D-GK;1O zmc5#KOE?~QV1vj7DGLBh#@X1(xMmhA(VQU;i}7EE9ZUY4<#k46$ac;Y8xj{(d1+Kw zlPb;xTrIIT<(r52mx(9tdvT5LkDibA_vp0b(~uFTbL&XMR}f3Gld?RiV*f&IbDm>@WRiaQy9HwC^h9Ilo_ z_78nnHJ?IE;s}`1==L=BZ~VZUdoPoz8?YX!VzZl!H+7fp#1G&Wf;r6MX!-a3f8-bE z@b&B3)hUi9BQnmSDE$fbNO!Pl7Zsb*Xs}gynEVojIM^mb{0b*Y-vaylrrqIhV7yK6E|Ie4Y$@Rj=j=dp1&)@)nbA&;icX| zYUWr>g3A-%A@MJ&THtRWu&5SsVaL;)NAl|eZsG@CY%A8?Raeh{2RIP+#KA}gX?BBKJEH3tC21&}ME z#exQNGPX3QPH+>=Z&HvYLF7jgnr7t~H8{$6fl6A^tTHpyk+mzuOtoO9YOi*c*E%|` 
z&XrnCS}bHd=)HsQC7Xf2%A6s7qARLZ<`8NG6v9OXgMWGH5n<<{E(7-lZe`d$QdhAD z%W;hj6T}$in?UwuHStHzDcdSgMtbF^e_c&7^F@T)5ea~TkpBdD67iK7_F-mgAV{^3 za6gy<%t{<+GZmd?XQ(DraJB3yO9stlIgj0$AX@2F9IfV84%rb1bNq2G>;5v}V^Viy z_sXUbI*$5aDn=Z#4v6%1=pY~);f-AS3{%AN zZQHqu@)PSMJ5xfMP!kh1h8>gli5?PGZVz`SPgZ)>4cFA5$L5 z5lMH87x2h=i7Vjv(j3Z;Lom*w3X(cL%mM&T&TR16ooGW#U)#3+lRvl{jVFCYfFU|1 zmZnf%H2OT8aFq3&!hn>;1XTmL$aR3U=vrHqq+h&Nl=2-JPp*cc8!B zs>1g3*U)yQlKnh%unqO4Dj<0ch}2XNxR|8ML2kjDy?59bn!t;~OQ3=D>H0};q~mR^ zb5#^3S%i?qrwBxU&bxBC1X_)sabc+e(G%|y88R5gOQ=kO^LNoZ`#|O(nU7|r3p4v^ zOpem&c&gV?DE##u1OHxt_FjPYuxg%R!zG%%yCr=93Td}49|$QQ=l4q`D&qzuo~?(y z?Vv4>uS#_7Lf7A_+_%)`mr|Y8u!Z$0O{>iFf{aWBhe*@FlZqWlf)UPRNDryfL+Kls z#V552Fm8@5uKWpzs-5f*Hi+RbC0&5x>-5elyA_ic}vS&QH%Uq`~O%lfu)g`N zv5tbbHj(qDir%W!&mAg!OP^>}qt<8fEdy4d73D6(U1*NNw8e;2X1fNZz>!Z&qd&+g#nw@jpek`ExY@RS3lNgI5Q=M()N%aY%>*I-9VPAy1HTP zRCcwa7^viVs%$}`9&v9U_8wdl&WRC~>dOFC8Y8D#(1T-8_ek2s*b*PUJBk3ZCX=M30E z4q2`rG0y|1C#z^7T&J~0l>^PPaCq6OCA|X{WWv?>^H2I`wx-axIYmO&b6f#Qmaw(E zYz~c|sY~t9*vWblUr@S-W^9?{erU(YZW2LMod*g-IA&vBA`=$-1Rr` zl7Ig6X>I;Dc<}yz^62T)gXh2t>>oUN3a_1~T?10}eB<|j)%xQdIuzkS>sNiqp0@md z`;Q(M_`m1Rp7!})ck*zFR!qO`&R;mV@;&wamY$0I&k6i*r{A!r|4$zuJn!lME}ok8 zfB!xS-DPqWrSIQwycz7*|M~N$kNWlB#bdJm=&$fTvm3p~Cd3$wuu=OrTJHZR2c`V) z&-R}@>hJ$uJi?GcG31V1bF>vmM;hh>kwZ9m;rxqIi0gUY-Q_aD0)O~BCw$L5#kgRb zmhc@PJpnrpwjAXxmom8Tg>&}u^~=Nam&0EU-@I(-z$r0j!^zzX=dU36HZ$RaBE2s3u_ z!Z}dClDYcL#6fb#0VW`D|7M^Fit5|G&MjZEo8}7v0bMD>&|lq%)Qj zCuz5nna;VYlcwG#smFGcyL0AD3`w-bHAU)>lpXin^WX3D0+8T~M1ZDbI{{{Pwy^*Z zcmO=_FD3=&X^Qnl=do3MAnJ=;=U(#4BP(&OzwSlSv}JTGY5F^!)%e}J+Aq!SB(=vc zJ8NDeo4TNL2x9POb$FGXK$=#{mA1;hAX+!gTeuFRdLb4A?0DZyj%#b15&z$v^{3Xt z|Gzjm__4zO|M2X&GcD4#P5Ig{Qbk`=kJSu9}J3oaz9sDr2FDi*8+#z zJu<3}*Q>PM^Lm@H*nLwo*KC^+|Ch|tZk!*tjr`vaKfZkN<3Y9l=Z^=j{`XGW-TA+O zayjC^(&5!l%rxozAiG&9FDpPnB>2ZsBX?LUSBb5VKL(e6Lo2LpwMazAQ0a z@>Wywn8pG}gy%G(UnDmzzK?#*nSTki^HW9tB=u1`;+=*85LV8RSw_ebomR25i8i=d z@3od&ESl8M@UC>kU+nV)m`DFc9%zkoxmH}sWfHHJb>=|9P_9NhGz3|kR0!)JpP+3kdH@`b0%OsSA5hX_*?3LHZ>uNF 
z1RkdF*M9`&%T|=Qm)Dp6=YKr?Kjf?W^Ur%2A$Pm?{eNNHQ!1Zj^|PlmLF1P>6hZr` z2vV#uH9Xn%fe4p#p|iUw;MRpGg9*SMjgOB$zBq085kHeV$d)b!ibu@crWCg`#RQUh zs;DsLvThXOk;*7$dFcDz%^Z-t^5aZ=N(TxjP6=euu@TVXIo*vD|Ki-c;L2{*7nfij zyJm(`L!3>_roN*mxOMJ}s2J6=(yDvwOO3^GL; z(8qLzxj9&?6iil_Ol36lul;b82A2boOy@xcv%|TK0AK@JY(&>~xR`yH2VXu}%k9># zBsan^t#C(7gJDiW1=-NP3h*jt-IF(`XGO#i9f1sDDlT9Fcmx{2gp!{@&x<5p&@6s5 zTgDjTN8YnUI=pl>0r?$I^uJfgjKP@!b8!$b6~-8R?}vgrUp zXb<=%5x+c;Ay*e~D$;o4iD_>iqrFP61v&-^-tG)Nj^RycovRNQ+os2ht>8qOf3IGq zKQUPzMtYG3M&?@vX&?Uk&FLR{?&YU&FCvh^0Dc(!Je2>R2ef}rfqa!gaFbXGl4*X} zg20CPCG@W3caP7Plg6hol{XQ%Jj(hUq-yWCO~+fD)S4rfz{9kHW}s1!QHhCsJu_jV z*8-M*q9-)L_{I7?;kFQ8j*Ij2>J}&2Er?9IwOs{l;>y3p6wT{ax> zxo!ET2Y{{6PvVN&`&YK11!rtnFh(&g0hK7~RaR%pNNT!-d6rPb7&8^WuLxb+#%(u` zjdQ>ry*BGz**>l`-(&?A1B}{@Rg&33Ff;ss@#Rwuh%5?xq#^6FiDKOYq2Eeos41*RP^xXH(>1Lm+bWl>ML8B>;e9A%ZYPd{94ZloaJ$V?uMn_fJ70ShL z2p`)Afelt~-nnuF$SJ^h74Z)+Om5YyuDs_bSg8Y8GbznTOwEM`PUA(9X+O;c4eltZ zu>>eW4n9Enp;FAwEq_K978x*8NMWrLR`yEw!@m8 zu6rs{M$1iY*p19mH^bZkQtHjr(~!xQ2b`~YSoya)|6Fd2>YwHLwhXe3VnkCb+ctVY zcIB)ZHLRCucTDJoYRVXplV~@j>Clnfeq#@bZ<&-MBGplq8A5HIR;Ef*xN@~zhT0+| zttfv@C9U5gf)uM+fZ7?0AvFe&XUGA|G~yg)KF0)M!9vw(S(ABY4a5KfDW&EN!@*S) z-$a^Ln`ZQfmjLdQ(=jGve0zB8eUjOkyrUVOPj-v*O0g{8XAWVpTynW1rK{0Zq3sQ% z{Dl?JI^r-jOeBdhuhKgrFL4(Rp+6pkt~dvCcnxT++o2bBs~O}XjbV39elQqewRS6J zzI5SEl>VD?QYoe=n~O}*HN{hN)=BK837~cYGq#<|jb}NZHl3H&bB4> zVEC0eMS?>x+uM#qFuOr8$0896hh?mH@34$Lyd0MKmavRPcjK;8@yjZjH9L*#t#nMs zZ{Cm4Yv9M1@Jy#MDxnU?-h?J%;RygMtEOmnIcc!c3tvbJKWhswN@hG|jrQ<=fwF@C zc6N4rnnwqe@)eU3j+1mJm~C784A()dtqez;y*ougHsZ{4Z3m7ui$(Uzo7`q?GP?17 zn2O^Tmx;zhIMW;@at&p144lx}{2=-?Wt&lfM(j_{ZRBbNI2_A(s4U)UrL9o1wGx9ZaDET;eNDx z)-=k&Cp1_?61k4jK+Y|e*?O|Zx`b5=yFSSGduP?bjYTNfr&BwX0rZzR=RM`SO72x} z@Psr5daNbJo}!MNLRNgd&jKh))hjHQ*kLaYW^!V8#I~YH*1uDLB{_!7;d80oXE! 
zMfe?CUT^Vl+5*BKS`A*Vdd6?}T`V*tZ$!SwdlV#~4+d=&**v8V+lGRaj$tN;Nx`8n9@)Qm3&q zfYtI&U;sOs(|?UmK4`gr_>ojqRV;*xG+ni_+Q#c%lUH-&(xqgVE3kOoN)nf8@+O7n zDCI8Fa~idL%*<;{d5onJOa=oe$iRmeR?d;x+#J{>WSEpkC z-#^-^RB?=lB)tF3TDwh4g&P?Hs!-t`&`sWOOhh^jmLjBaMt-I?>!KII zUrnJXf_j8YUU|4CfknH^w(VZ9S+G@K2}@;7Ol?@H-LO%ewqV6ReHE;eC77&OCVs?x zqIbXrhuSm_A2@vA@WG?R2gY6T0h`3;%e}vle1Vb zQ&zn_HKY7{VeZ4so|jQ!(p$ze?`i7$o)EJE{9_Qvp5M1wvdsk-tAoHHmE9POP~UldX9ZcAXaw#Z`potVYlx@8O-eTy#!PCYM0+pNabVX67DbT z(3pczbkr__ng_iuYm1Z+!oPCb{%BS%!_bq8#Tc-}g8Z3;R@-B3)_vq-H`OGnZQWH% zcppVi!IsOPpu_HOZ!o+gjjEjvGHpf;2mh~XD!#Y5qeW3fG^{&2;g$M zOgG9aB@6((*6DjI6T#a!z6^aCr+plX41Js*k{|XR-LT)*YOHo$IW{ZLHG9`%=g0B2 zC>gOiKMv=|@qqj|JnyEWrPu}%lVE)(%MfmjUysX!b~yZVfN2 z%<?WEl8ZO8Eu4?@bdG1Hl5A=w$hEkqvCNPIcjvn0R0 znc!BI);G*rU9l@x2oH7{dat$1rd4bQLQc6Wc5IPr$&zAp#=*o~6@T=LogyClKY(nh zoj4D?0=Ry)BiXf2{$m%K_hsPJ?v5ep1~12uIEJLL*)Sw&-wcV=MA-V*NDZAVPl3nq zCYmkd0FD*^My`=Xz22!hJQ?ekn~jwUR^fohNAQa>#>RACtNm_6{!2yUDdS`$Mk$lOpjM!G>2cTckl3vJ-i%#`IhjDWe!2z#%j&8kuZ}=G-MF@ z)k$}Ax7@SN2gvyVwKnGiRNIxq>e~g`!}0;L>YkZ;7?jSJ3N3Q<6l0fatN}8vTObD$ zUnG8V2d@anZ##b53SN%ie$<%xLF9m3#F_uW^yKoiC-OgR6x1j5DZPqsLl#4d{q4(9 z0@+E+Qq~ne2~9c9lX>IW41Vmj>Zobq^V(t$$2^eHJeNTqXl2l~qS^*iTND(>W_91q z3yaq_`J_}-#s32DI1=GN-j`tzkFK8$Uk(pONG(U-HFh`<;c_kxhKFOdjJB*Z*mj+o z3oqQx3XWsDzsy=a6(8@siSD_z&PwzGSKYA?d8f5!2C1pmE}Pc3rK056%nOravno!` z18fSEW3vRWZFqvQkYrS_9GewGVBiLbEhpK9ZG31(y?OK&h-0x;qq8xD$}as3;zUe0 z6YLV;{-Eww{snT#R`LMv$iq47=URkb_n!6>=eJ(=pK?(mk`cVT;;LJ?w7%bCK2B4=dJ?S}_y#=@X8q~St!pRA zx=HfR@C5RtdI!(`uC;)lyg+3IBK^uZgODpl%BxXY zkS_L%%_a0}G*fq-4w3W_r5K6|!?O)he<|8ew19`y{s9be2VGeGC&%zX`Os^yDp+`L zBBocEpBQfV0tpC1hakO=o?5TGJ-LcK6Y~o;YxV_aH!J>B+a_*F&%iuWe16-0Da(B7 zXOv!kwPYH)1~d{LTQd+?>9Fb`DEpsWvG|rdoRFg>z$e30on_F-N1>|I)!c2A77*nF zc1@A8k1XF@DE9D)&3xdO^CEaGbV=`*CZR$F>eHXEX~=wQ~FJMe5BswmTVDtk2nxWcL>?n_4pkADD>ZJ zpFuLV@UwYr0<|4SLLL@@oa73l@1shM3Z9SpGb7k_pI!Ef&Cv}2A6zFcGV&rfGE z5~e^r@VC()N3Rce#^M$3XXRM3?(s5zEV&-fmA9RZR`GG87EkzWdqm>_%sD>=7CHz 
zypZR$1k2~;Y=gqXdr2BL8Ay6gdiHZf_lPNS^^na|f7s!f{+DHt(3=C25J$5f&bgS< z%L1aW$Oz%w5AVnio?%{~6?&su>|4bs1X1?mOX~xIQT}DC4X|jP%RFFfO3+mx9eRfv z|CniPg3xef1-IG2steM=)(P>{cKnTogk$S~cd&KDJ;hKv{DaMwv&FXiFmY_1fzyfG z#rD;3yx2N|&pvb7G)m4*Ya=jC>YxLMta~)J6<{7D;HcNocYU=b)+uM%QKRr6D zsnsgX^6;v*E+4OnlBR$sP1tWrl5dhAG|>`Xbo9} zVkr-hQy5p0+*CztKH(F^L8R$w;SXUH{bdrMhNR-fSGrL$RdVW6Ae@ZJjKg3Wn5!@D zi>Z*FSv9b1+Anevje$BaPWR?ILS+R}mq3rr#4hnFW42}AJEsSEuAGYH<)+bbATIu^JqpM-Mo|LTXbdNfc+i&b4 zku7r|h(${(_jYXBJSQih&k^NnxeT=xD4DVJDMT5**eZ5(X+vGwP|u|e{aUg4!%7=! zE7ay9mtlXy*chu-hcmIX7JuKtAS1ySqZtw2BmBcnoXp^tAkp-D?_Q6Ocjn#EN#%_I z>O-z=+Nps=i=W?~EW2|T#QYv8nn_@xK;)LNoW3p%HYaB}Im=Pzt%A&2&QheJ6DImo z4rW7Kfm7&jjfka!O?GaN+hW*|f@I&U0*NzLl}yWzx-@(<`v7kPeVsrbUeol|J560}p0?U5 zWwl+p>MbSGGU8Q@(o-ALCcsrUBAFclrGaM-__{qIZ8;HbeY}_XVVFt;hgBoE3qV55 z2I2yV{Y?^Nz6xl_X+4h!p&ODOHi_UhN`u7`&2jcUb_F!~IlQ@PQZ%&3~j5x}Aw+|Y=2T2?)d|C1jEnabw;p>B$y!X&27|6VD zL#fP*(u2LB_Z|~#i3vI%M8$IOD1oKFAa?@N8nzyfpRaFJOw^_;G=9V;+R_G%r*xno zeJ0JJ&Vs@A`^Q}C>C5u(O4Z5A$UV-#bNw8imDT?P^S4KHpS71`bPMkrkE@n_Q2 z#YOOi*bu7Nf^SAI*ivMTi}RQ>OpH{umj%quNg0&llX9mK{LrvB2qS9v7f2JI5HGYc zHkBku`cME+O4m0?d*4}@Y*w{3T0Gt-SY(y zF^Rh571ol4%j@i41H@K>*keYE)7xC5ea9QFP1zfU=}>#;iIgYgH80q9PjFpT(;?+;jpFP{_?`p}X(!Mom<+y%s1B8$AAxa?RFT3%%YNQHI z-w#lU;q6@?>=7Gu{Tv>=nok#l>6ey8nQ=t}@A|-`QyU0+P6ydi;z0$2Y$T{g49|@} znaA;!aX!dT+}|oAr0_2N$WJgos}FaYaFG1&hR>Qxb(473D$--pEH?tRgAJr9?ZKZlbdqa9R-| zKp1ctfPicA#tpq^?JU;j#@Lz(Gq*0Q9QYcjjApd7CtCWIH5@BiJoS^+3alATY474? z<>2*|I0STZ?Xh$1+LdEh$BkGzb$u1i0bOglnmP*E_%<2)W7}jnwsvP|k3PU$Rq@J> z@}KdTzIYFVTB?m45RAjCGZkUDTMZX8OMSg#a3;~ewj0}-*b`1{+qP{#6Wg{X$;1=e zcAnU_ZQFSB-}~L?RPCyBzI0cAT~%GZ)_q-l|LC#|UEI{{H{f!n4Fpj-()$gf7j(b! 
zl&;*9lIx-*JgqIWT@?TJ;8|hRa$D=qTz_XwEY!b?ZD}@D;7C2e(2~vwBj6Yy$8;U04x1)bh%tyt+-C55Z1?km zb{lG~mJ@sLNv{ipV&PdDY&z7%13cYmwx&SuthSJnJHb}lY0O2>xemGR{cJ26PcE~) zR{+W8{gtUfUH$!uiR@?yrhhcMAh?~PvKY75-$qh%-3k;*7TxSq&TCGOg4(YZMmNF);oO2p4gTcbsDu5f9nL_>yFmeC1sh^u>!{2qLoDmh zDLjNr%#y)xWACM%)AjNUok3O{!;-HvTZU?inBK3Fv@dTZDzzR?DXM63zOO2-#9DNc z+(!63UqY)TDPGP+!G#wdaZpEOOc(`8$s zjAE71{%1$^j3Mkn_2N(^KSH)N@BqhdN#DuI>ex=bUkWJtQ-1ERpYQ#Rc4ZQ=~ zpQx|lzRx<3%HqI(KiA{y4)~G{O`b?@+_=w(q!D#GhxKuVu}*@a-6t`z>5IHiaV0)WQgxT0qbvRHx~rmtgaEq{4J=T%ayZ~U^FBmV z$Y1M8d$3c^U5_>>?(BnY?6SD!p;w2Q(tLIatrRDK9E)MrB zJYu!4^vs$YE(2yc)$nhLBw>cs3Xp#%mWKv!J5-4D&_B~A1Dxe&;SzD)n_s?nw&4;Ir*?;kE^AZTllhXBbxvR0hjAYEQ(790(1~{w!KO}5?EWlaC z!b-W!Ze%ER%oX%j7ecFSC=OvK&19AejWUI$%qkY_fuy7OTCw1Bu_rcO4jM+-tD8o5 z1LA$+d}}sao5^n)c(0v9`U}Hx((X)mi@OI*kn}n;#BI1PC$?_-HD{hm%zp@l(dO6y z9$SpxYr34j3GYs;R6{H4UJ;<;nyCm??|p}@6_52ReR7ZU;Q<8enY0^q;dK))!YvtE zqC3196-Jt)PXCb2B<(Iab5zwO1E-ytiaKK?>z@eIjR@P$;LG@ea(9WskzE&Yog{}| zDVt3tl0`wt%GPz>Tws)~&mR^&Ms@Ctw?bfi_SJKr4f?_#hpv{$Rr`-XRsX;5g}O@_ zrK4S=n~@MOC%FEa`&sDOdI5DFN&@Q2`OpOt1r<`I1ywNct{cgh6)%sF2P(47rKBp; zXALp<_vHNWF2G+z5Ss%YHA$;RNbM>eJreV7M=IByJdux`$PS@jPlq!8_efJ$F6YJ9 z8n0uEAU$KJ5Kx5D8XU$#QNmnoe@P~sEDwo;HU%4Y1onNMhAvd)bK#~X99XZh#?G4@ zkYFjE!;lIQ=SE7Y%>Dh0LYaOHZ%nGgl5!O&eRFP6%N@#;V+?5Q!5`0mJ;-=0aG58F ztTNo7f7ci(xcvB_)&@LElzb8VL`7$Dqx3TzLoZXI&?nq`4AI;@dnOXyaTfYY;iG3d zX{~51{-TJXd1d7UhvMi<6Q+#pjlDSlT_i&TtJgRoiFA@2N1dokhNM^y^1HZL(x2Z{ zY8dJ-d<=Dz7Uf+g{AhCHK(qFyiRSUe`SB724N@M^A*0m+Q$*3BJQlM&Or}&|Rqm96 z>dV;WL}7O@>B+1hbN9RdNt%TE4lx_(eVjO7G_`i9}A7wO=ODD+ygHa-UC?53g@b!8Lm;CF?EOUPHy!QJG)MdEJ$2EhIKNo0 z*_1k{V@vCa5{D4j$NJW~p^M8m*Qi7Se7C5Dpb%whx%X&8qhKeGH_OAD>( zk#!JcY86JClHg;lTCSbzTPrlx9R(Hs$L*5{sCM0M<$m3v+YySws*s^NHKeX z<$;g+d8eYA$lRn6;a1X#phzBfk;hodYX`*lG%z{E)`{XO23TDl$)R9aSv!~VVv zeJh4$fk-9?fBgq(MHLU6qZJ-TW7??auu590^+c?pq!?}gGS8!sW zW|i^|+IC8R7Po!lNoC}u6{fdnq_JV9v7jdn)99hCu|0s{?f|Jz-R=nE(@yNQ4ym6c zX;NlGzaQ3>Jgh$MP3|K!Qf}$T*bhGh>8vw!uSdg3J(R z)SS6t<6Z5S&fvo8A49+ppha6NN1o 
z3=x7M_6;sedZFz1Y}({G%Mq#HJ+P(f<`1pFEbvtPz7@mQ`>#6rjR6{^DwPTd%ybNt zk%Ygs^$NRx$WFu=IT%`g1*Ha3iahP_J9i*HIOC5O!TH1{E=J;)tw`8)yOs2xRtp_x z970^)lhcX-C$b98O96Z0W-o|3Jn{z!bmGbK{q~u`)kb!R+Q>te1tj5lyH~tO79LQ$ zx^q2{PLAG|v8**N^%x(QTZElWqu&)9#LOsr#>^J1j;ol(fS0xgI^3rCTNyuWkxjxd zHvC0<&Aswo+zs8}QT&LDX*ka|N;$_}gWeCzr#`EsAO*{sP%_7uqJT^tTBnqOmwDf- z3htI#82mS9>tbgAPqd>Btb~^PMEwUS511R+a9Y;^oxy`z+mg&lNGnveCb;(zylijD zMnmRJc^8gzj0|II{6B=fItt%s=K#r*z|)IepyXs2mky@&F|Lgsbnyn{qBi>7eyrB~ zO&~-FEaYWg%48LGdSDL4OXY*1+T&($@TMX(r@eKsvN*|`7-l*btV1waxyP`7eSjPZbHfQI%ZQQ zHolnCUeaf9hrmC29*O4o6ObAmk^nkelB`nH#8!;yV2%18^kk*;ztEG5W>CeNsW=dC z)V-H8KlL|3)3$dw8`4=`@-GoAm5MSv$`Xeek2ZD0k(uX@a3`C%PYAAix?kdfD;9u1 zQ=AVLns>wsE^=jm*t5c|k=nV=4{O%cg&slHU)03FbyyH!a;bkcLm$W7-ia%R@ZW*( zC1@z?oB&KxYcKjeBiifGYU45%ZiiKc#1YII7#p-0qu;cfRgJaj^vaeTX~3#=N=3{7 z;ZmslLa^`m{l0WWEKZ^7vD2jxi9H~Z4RXe4G>RvsZ>dV7f3W z{R2!&$F02_X7OVS`C6x;Q! zbo(wiyObj7(`VV>!txuU5=?>dTSRMF3#`<2?^!2BmEtauS}l2XI0z5EVYjJ=kk_V4 z>+%)TTzdtDvba%qG~dL#B=J&x_MN~RIoT_p{G@S@Y^(ZtDbB$bd^WtSoevI%FUFYr zA)lPj7P>LJzaIkF%H13LLR#y#u?q@kK^S$}fefUktB5!NO@2wkaG$@rwv4%Ex zyV0$3_X{d^Y*Ks|A{I3i1~sL&A4XJtk2m^8pe02eMYM?Tj^&uK^Es&zm(T!FUngGQ zEWfC758Zwv?5*wK0bIp7nkq4rNU87x|KxOr$4`(Igx*oe7#j>(~63I z9iIheWV1b1RZbbo)`A92t|Gm8Lc&ot$k-LGc{}gWZ7ZWvs*8x0AeQar`8ekk*g|Qu zp~$l7Uvu-(1dVq>WXuZ>SkiTR=CcqK1y@)`Q4t7!FR5`o|A9SCO0V5Y@^o)V4Z5G{ zA@j0KV2r*Vgj@0XNS(+oj^tvvZKX)+JwPXziElK4X?5s{6N_$P&d;aB~j5tM-v&cSy_ z4eokMN||l4Rl%45s(=evbeL-GTY&d%`Z@!q&(vvURsRV}R=+w;3z6CX4W}B|s~gWO zEhP@Pk_F>sYq5sqCW*JDcJ9dk8r94kDLpb9jF7IGDKm16b^oX739I z_nC5Fd>vv0_%G_*qT!L4;nY6J7B3X@_#GP_UXhPP0vnt0d2L4!h<_Io@A|Ze`Ip>_ zfU6oto4-f6oKE1tNu;P+qarAGXze$x4Ewc)v?3S~gF!vi?gQtv-vvL(5w0JvpYJ=9 zL-zpq2BBT!te)S5Q)-Q!CBj+R$63J(6vcx!9T|&bsR6dwvnD7-h0j~247&W114HGU zJw6rUtUVQVZ1EZ6C5x^IX%gr#E*$Ey(Szg>ulFb0Zl1Y1UFLSLWUjAR9+_q&u5zsbWBd3{ zbaWoB)G+TP>D~KJv(3oX>=YhN$%KxcZHE6Qo8?)_tgCcDRky^i7Hr_i>Q#X*<-uJnml4$=t;JlJ1e($79O+8)rrF~JguqvgYoX? 
ze*gYkzLjDm8@3Ph8dMz<3OG9);{7vxe5k26%F`@X(xbU2PNdkK35I)y;R6;}`lB=i@PHxaRyA14aQM-l z%}4f2hEit~P+{ac10$6N1Dk=SwxmLO{UGCDE#*u6#^eaoX_Fr( z$z;7~hvxc4-+>=ZXBr!jMn~sdnzgRQn~yAUEra7~bT$FYCRbfIiRPT(Kd6>1scL|< z^ayBjw8?L~+0(zi?ea}&Tj9ScZJB4*v)BJn+KXVU-6(T`N2Jv@=ma^p@&+7T!D)p- zD3CsNo>LLFK9DFhCt_l7XmqSB^5OIG>(cza1@@nN;I;0gLEz0ri2Ap;JW|4^v8sZ# zY}KGYT5VlE3L(pT8g6B!?BP{2yKfJ+QXIT$42ubtt>ga=Zm;WuoyM9Um~GpR%CBBR zF;D_{tloa>6-uwOr^}^B#$zF+LaWcGJexQ!Av$uIm4VRRjU9Z-jAE8-p6%^LRC^QE zkmcN}%^J5b^jx{&x>AQ}g>|WgK8-W$9EF#!Hs6`}fx&#h-UO&dbp_@<3e`Q#qIGRP zO&Sez6+4Xkgu!||m9laas2G6y)FBmIk|1?JbMNm0-#}uRFj~Sz1c@#pGw6u7+3Bu` z4c4=i9;|mM6S4u~C}yl#$hE>Vd93kQy`=LtNlix9?cRdgh{u*OsE5LfUpwa-VT{l; z@+a9pgepd15|%?>Om-iiGwDA)Pv1VCGdJMnF55h8<^MX@6(o{3Yb=otSt0>7uQqqE zyxh6oZ|QchWZ2p-Q>-THF-FM5HXb@i$n`0cTN=+YEBij0FKz8kEVo|ZGI*AsQl;B0 zhCEZ0J@E|d*tl`Ir*(3B$LE)toCQ;3H4ahZwW_I=nulWnpd)hL3G3wKse3;Ou&kgN zhQ#<0=2uZok-K-(o})PL1XBO${sZWJhQ+Kt1oIbywwF3%wYELxyIIJuGGnL=q$sJp z+?sB>vj-9Be27-6*6*gMv9dT7Qqw)!kAve(ry@Ik%8Cs`V zjAyLlx-_?4sW{MLd@g2qD^shNox&m|0e}C0;%S6L>caLaiN4KF_lr>riIEj1Jo@Xg zdN?VF*8TXZbFW(OXEjr7l3&GU3Z|njS!c-U`{Z476m2XY7UawU<@}2pF$|31p_?R` zs`w$1V>!~DNlyPn0mhq1X_z-JO1a&Y04|o2>{{3620G5>UFVi*u{N-1I^~M0K%Vb; z);ujK2EBZ98>t6bDsmw`nh3)w_a*zJ(oWDcCpt;Y_UA)?(Vu(yd0F!xcs=0@8kViI z%|G?p#0C<8Kdd~_De(j}0yl{g{AhF9tIG_30V@32I zlzW*`Y%Dv*FF*M>kl0j0=z! 
zV;LHfaMxa<;sGH#T9zF$|82(;JF#9wQ}j*i8&8IKb;UoZO%bbMmHMshaY&+1mWFwJ z@AT989`(5C!=&&jUeXyOD!a=ZFhWV;WEYy7{#l30^8}mSa)!L@vu+ZFNmLhlBycYM ziR#*=8;mKt&rY<$Yx)zM*SZmYx7t$v4Tz9!wu#WLKZP+K817(LQuy~c zikzt_li+An2pC>=d*Jo(mfin&sktBIV+RFjwWO=Zb2k%5$4xL;`Wvx2!NX z>m0ekb-OXn6)&)>BaQu{NiJzxL5Wq??%9bsZAt;^QYED3k8sxV*Dye246R<)I3Fft z>PB;#F?ClmT1T7FN(h$q5xNdAw!+Z`IKO;ws5IiImW)9q+^}?pymt|+C{nH&nBRg> zZ<1^Hh%p=+0kvL^d3TNtQ=#j*1EJ=hjYK~Wq{h5%^HB|tPB4g{$?$xJXmG+U*`H}* z-#1-TDbZ?VyT~NC=y#EHdJbE{7Y|!thQ#JqIflfr*M^e)mu4A?k9=U}xG-Al1urC= z5?)ivO-**T;q<45G;tOh?KXgNdL9NK55X2GB$1VE7GSpvf7eN+4tVh|G6~q*VSc1* zdTzKCtszs2&Y?av9fr4G@Z&pFv*WG#3+oN)(F~U`zzXC9amn@d{R|%Gthy5pw$eG5 z;@a}*TXKX0bKASW*ZcJs0IC6Mz*0S1!JQ%18Y9N5(-@}s_wVPwP}NLC7wK^)b@Za{ z%Ff^=I#_puUb~cDyldU@((B)IkS17A1~Qb(PkK0w>N?6n1S6qbZ*m29+n+0S@>Q`N z-;Je@y`hCDV+T^}B&HtYd+C42Wa#ozbIMbm9xy+@cZS4z=U5ps$4iz)^W@Iq%;U=N z9OdzQ0DBD?BX#QF9TEq+ZWOoa5M==_Oig7nWNi8#>8OG4cQZMTdOS}PQt&^X#!8I7 zhnFLU7X|9fa)k$4=0?yDkkN6M>ScUxr{nS5`pQ7t zv41_o8+fj4ZYYhqF2(O3nKeLq>#R_(d{kj&NurefFcsS`>&NtKxs&I5q>!|5R9k%@6unPHmMJf`E7BaN>>i_BI@oj@x!sVu`8m$i50xspEqU2e$804w*=+=8br?XmT0scv zK^jnV5ccqn;Xr%={&{@YiW@@9hzfJJnltbDHvi^LDSUOrHaIP3vnnu60M0zSQHpoCr?$4lMRP+q!Y*fyNhBvx2LsJrN2ND}aCftz#(n*3B`b+I zjPMJezh801W|0pH8Jrw(;96iG=fz zJ#i$J+?!+^=t)9UI*3aY67Y3~Wwqlmtb5=c3s`MtnwiE_5T&YWPjZ|e%P6e4izIQuj}ga%Gwn8d)vq%t62-87O8*IL}1#vjEqBHP}c$n z%kZic!j&~QPPu-7KgR@^duT}%tB7WF0>Qwf9GRTIT}gWSS09JBtqxK$V*FPJ6ZY%h zQuN=W16ehH{%vDr{Dg+>thq!Ui6Yn&>q~*yy}uC*EEGy49jEJk4qbZvCxURcEpter z4Lqm@JmBeHW;kT`$^qa}`C3HH`Kfbbfg!TgLWu%NQOfw7wX4=bnygQ4Fyif+X5|Hc zz%I6Nrk^cC4(@E}1Il`EMZdR&u__yr^oL`Em*^rZt?*|+*>GYm+ToZP7Jd;+RGh%kym3b(J z6^)kZ{nmN1Hrw1d(3m5?=T|1IQw#_zh`*Sj9qR zsR-3JB{Q`)+KXQpM>=CsbLc80ETZ$>bymP(Db`h>QRY9jU6^DHQ9ZEE{^HRA8QZZg zH+ke+T@T06F}eJ`VU1xl9d83aoyI6MF$+fnUG6@UwTnZK7{W_tzRC-DQb^ zUf7AJa$VIN->KwpU~O2Lj37RY@ywstE`kj9DI74tJu-=;@&o31^&Hc|+2VqL10%fN zE+vASz9!R$=z-=OWY=YHtmTfV&;{YEcC%b|tX70KJPO=KZ5K{-8Jn9Y0t99>?-@4e z9llm~TJn>QNgn0I^?&PslpY61d?p30plEFWc-0{_E;UTdTH9+%?NSt~vr{Lj 
zk2U@!a5{TEaSq;r_#VURf3Kw>H>5Uq(gpc_FKI_5WW40Y09NFsnQ^7;aa`>P$(g9? z;>UKvPQ;sB+n_?R^l!E?$xeN8-G7Gn>XhnH7kC|$MQx256I)me6^Ap_x#Nb3Af=4a z6dDO=t%NSmo576J#EgUy%iw{67)}(RktSo2_dIsqW6HaN_G;@&caI)u|Hmpy9Z}1u zfz%)Ebau>W%yr+>VZ<1!V~$*~+M&@PS96T*;$)})Zms(ty{Hql80!|-Rz!h@#)elv zzOgv^+-NIIb$z!}^HFzf1|Qt6zw2FFtJmksY;dV6q(ylIrBnxMaVNgEqGBeb>2b4JDy#iGzA2DN;brr=v494_TDp@@|A7!v z@Ztc=cFGjmw}DxjC4Bv--(ZbXSF~@BrAqEZcs;@N(p#SC_wV+i%si1bn(iPR)YdWW z)C5n}4>$UUVMf$5B$*xW5dUp4X$57F4SQoSBsf9w{@h0qvl7h3HSRHnwF8a)&MnyS zJi(3d8OTFK@G(X0*TF7va#ZrjELYFHb;ED18;$@#w`7T~OZX70Fj!#pC=Onz~#+y{$Z?antJrHA?Xq6q-kJqGAmcE4PC@ex&JGQ!GDMI*}HJD%(tiWZ3f-qj_ zW~@DPHOItnI3lMF`l#xdQ(`MZLg@1R=S3DZqEPIXihMu6UU^55#*385r8ctQM+(}7 zXx=hk z!gBx8n%!iA1A#pzpBut*vh#k>9?lMK71Yr71$(CY`B_+XHx0<8N)WgYvBYkypJ*u= zY#`*4A5j$3(pOzauobF?yb=1{ODc0zzsjK1QZ=FM3O4#rnXgYn!;Cu8jjDRrUw8Qm zYYHeCZ|oz1NI02&!&Ca5-Y>f&Pd*z4s_xpA9?>gWE2#b$6Kw+|w@d?U6dC2*fo1!Z zXUGK-Nccc}${vHy@uo|`7)DGLRF0X>MSrIZTboJ1tSeDm@{$M2??fJDsTBKn*N0h7 zfSaub4O^PdeKrWchjL4ss{R;1MXtQevGEp97|GH3gwo{T4(~WY*?AXa7Y^;@Vj~Y{ zUs8u7j-=+>SK{cVENFw}PmsC#4%0ae3arvmVsilPT-4=^Hx9^*Dht>))z(YSeKM~d z|2>m@iqlR#tOAe}9+|7+8Gj5U{UPssnn*gTZM#%Qa&KH5!RUgkyYgQ`6&4=)dK-#? 
zynCBmSe2TQN9~BlTE!_GXx@cs)CoI(_}{387ja~E*dRQM!Q*H((qUYDYAVg!B=ID& z5_e(V-e?oPQB601zu8)@{D87-Amg(0`Prg-Neo@3GfuG;BP>(d#8G?$s|AuJ*#P$V zB3kfbQ2&r5zoX64`tFj+phWP`iAgln!h1SaG&^yZ(@j!04ndxKbCE`zPyL({@0D9K z6R#S{HDfu1Vr{>|%3|v$AGY-2V0^^=HV)U7<2x(a%0&-q+f>5|h4*s<4=v@}R}t$F zto+BP1+wZJozM_omMg!{rz<}vIlIpk1oWq1@KShuBc=oA`xhtN2s7@u`l)OQ=GbkP zPu32MDEn}MbiX~E1|oy5{x5;&A>^t1uc61=p(AKN9`~2qfhfQC>s=xSq|e9mm$9R- z=b^0*i?ub^8Gkj5h@%exs_c>ParMR0;~Oc!zMlqdr0!&0#UhqW{l;zITzcwcJNfDB zSS`YgxNk?_NYN6>wvp^;S-a% ztiuP37EE)kryfYtFzS&QC6cq}r@@tmWHE=cKf0iyqkOQ*x{(!Y)6q9Dy(5oaS(myy zoFUz>ev&9Fr4#r zZV*-}kv$c1WGdgb7JmnLIu7xW@itc;@Q1|j(`aVdCZKnomB3K)cB4D7**ev>hFE^vkzei_+h)JwHB2MdPn(5AW|U>AQpFj-aL~!+HKlo)ZT&1>97PA01n- zG3NZEi`y~wp=-c&UyYp7FkxsVf8U4d55@H|=DN+h*KbD&c2{e2FHAb@2f6{o$^}U` zEWNl-LK6QTCu~&^3fUdUiE40QArKz5$YrxdE<7`!p;5ko5a^}x25A%|)JW-&`2lCM zeZ7eLGa*Z3hVuhOV%b9lYg{EFWk-uZA0*zYL$g;)A7WysZ#*p|0UezCODxjnXT zq1P|Yz53=7OU$#G|ngH(ehn{I9Ib z>+=m7z87fnX@~d~=k>08d=Iw>9OKY_{yGxqdd}_r67YNJ3-~THnVD6K&n1gFsJ)qX z5xcC|-oI0%?broB<)ZRLiu~s+^(mhc-v0B*ipsRcKB1^fToju3R2AtbY8NxzAy^5D zy(&~(AD+XQQ_;X&e=^Y_Jke~+j&lC{YR#(h`2@{4acJ7{n6;$nvM`sZSeC zt*lr}`@K~O89bY1RU`Jq8$UL2GqQfq&H~ zG-Y-gXBg&>dHl<)bhz!MgL6C%HWUU=_tY z)yqZAn0+qNV(|f?=Euaamh(K&8Fi?-BVxL&l?8R0@pHph;;!vQkMO4ihapt5;~fm(*)a+?*F|s+7*BJxqyPEfG{F}{2#cU BSDpX> diff --git a/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch b/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch deleted file mode 100644 index b4ea727f..00000000 --- a/common/golang-external-secrets/local-patches/0001-runasuser-comment-out.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff --color -urN external-secrets.orig/values.yaml external-secrets/values.yaml ---- external-secrets.orig/values.yaml 2023-05-22 12:42:54.000000000 +0200 -+++ external-secrets/values.yaml 2023-05-22 16:20:02.748621794 +0200 -@@ -117,7 +117,7 @@ - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true -- runAsUser: 1000 -+ # runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - -@@ -331,7 +331,7 @@ - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true -- runAsUser: 1000 -+ # runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - -@@ -453,7 +453,7 @@ - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true -- runAsUser: 1000 -+ # runAsUser: 1000 - seccompProfile: - type: RuntimeDefault - diff --git a/common/golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml b/common/golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml deleted file mode 100644 index a8ab9e78..00000000 --- a/common/golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets diff --git a/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml b/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml deleted file mode 100644 index 0245ebf7..00000000 
--- a/common/golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.{{ .Values.global.hubClusterDomain }} - path: secret - # Version of KV backend - version: v2 -{{ if .Values.clusterGroup.isHubCluster }} - caProvider: - type: ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets -{{ else }} - caProvider: - type: Secret - name: hub-ca - key: hub-kube-root-ca.crt - namespace: imperative -{{ end }} - auth: - kubernetes: -{{ if .Values.clusterGroup.isHubCluster }} - mountPath: {{ .Values.mountPath }} - role: {{ .Values.mountRole }} -{{ else }} - mountPath: {{ $.Values.global.clusterDomain }} - role: {{ $.Values.global.clusterDomain }}-role -{{ end }} - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" diff --git a/common/golang-external-secrets/update-helm-dependency.sh b/common/golang-external-secrets/update-helm-dependency.sh deleted file mode 100755 index 492148eb..00000000 --- a/common/golang-external-secrets/update-helm-dependency.sh +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/bin/bash -set -eu - -# Get the version of the dependency and then unquote it -TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }') -VERSION=$(eval echo "${TMPVER}") - -# Chart format is external-secrets-0.8.0.tgz -NAME="external-secrets" -TAR="${NAME}-${VERSION}.tgz" -CHARTDIR="charts" - -if [ ! -f "${CHARTDIR}/${TAR}" ]; then - echo "Charts $TAR not found" - exit 1 -fi - -pushd "${CHARTDIR}" -rm -rf "${NAME}" -tar xfz "${TAR}" -pushd "${NAME}" -for i in ../../local-patches/*.patch; do - filterdiff "${i}" -p1 -x 'test/*' | patch -p1 -done -find . -type f -iname '*.orig' -exec rm -f "{}" \; -popd -tar cvfz "${TAR}" "${NAME}" -rm -rf "${NAME}" -popd diff --git a/common/golang-external-secrets/values.yaml b/common/golang-external-secrets/values.yaml deleted file mode 100644 index ea7db53d..00000000 --- a/common/golang-external-secrets/values.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -mountPath: "hub" -mountRole: "hub-role" - -global: - hubClusterDomain: hub.example.com - clusterDomain: foo.example.com - -clusterGroup: - isHubCluster: true - -external-secrets: - image: - tag: v0.8.3-ubi - webhook: - image: - tag: v0.8.3-ubi - certController: - image: - tag: v0.8.3-ubi diff --git a/common/hashicorp-vault/Chart.yaml b/common/hashicorp-vault/Chart.yaml deleted file mode 100644 index 6df9f5ec..00000000 --- a/common/hashicorp-vault/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -description: A Helm chart to configure Hashicorp's vault -keywords: -- pattern -name: hashicorp-vault -version: 0.0.1 -dependencies: - - name: vault - version: "0.24.1" - repository: "https://helm.releases.hashicorp.com" diff --git a/common/hashicorp-vault/README.md b/common/hashicorp-vault/README.md deleted file mode 100644 index 84065ffd..00000000 --- a/common/hashicorp-vault/README.md +++ /dev/null 
@@ -1,31 +0,0 @@ -# VP hashicorp-vault - -## Updating the chart - -1. Edit Chart.yaml with the new version -2. In the hashicorp-vault folder, run: `helm dependency update .` -3. Run `./update-helm-dependency.sh` -4. Check that the images in ./values.yaml are the same version as [upstream](https://github.com/hashicorp/vault-helm/blob/main/values.openshift.yaml) -5. Git add the new chart in `./charts/vault-.tgz` - -## Patches - -### Issue 9136 - -**IMPORTANT**: Due to the fact that 'null' values do not work in helm charts -([GH#9136](https://github.com/helm/helm/issues/9136)), we need to patch the -chart to skip setting the host. - -### Issue 674 - -In order to be able to use vault ssl we need to patch the helm chart to fix -upstream issue 674. - -Make sure to run "./update-helm-dependency.sh" after you updated the subchart -(by calling helm dependency update .) - -We can drop this local patch when any one the two conditions is true: - -- [1] is fixed in helm and we can require the version that for installs -- [PR#779](https://github.com/hashicorp/vault-helm/pull/779) is merged in vault-helm *and* our minimum supported OCP version - is OCP 4.11 (route subdomain is broken in OCP < 4.11 due to missing [commit](https://github.com/openshift/router/commit/6f730c7cae966f0ed8def50c81d1bf10fe9eb77b) 
diff --git a/common/hashicorp-vault/charts/vault-0.24.1.tgz b/common/hashicorp-vault/charts/vault-0.24.1.tgz deleted file mode 100644 index 94b385007a0493996ce6d1de00b03472a10e8937..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 45763 zcmV)4K+3-#iwFP!000001MEF%bK5ww`K(`or4ANQI%LEfyUM7ZZx_Zcao#oomUT4nd~r0c|%Y?bKN zQ3D~FB7)T>2G*^mI=9;@>FCl5AEA#Dyf`MNfj(1|X-J0p8JiXqJVJMUcr^USUc0y7 z?llx_$);-9?A_&juF9&UiEt1@y~dKzI+nI=SVx`C{r!ELA*NxH|6rN6qM^zZjF)4f z+DqrAEt6GeNdd|Lu)}fLlFxT!*>U` z`>x+%ZMdG8>Pj-#XJkRHf7T@Vwr%K(#w}jo6H|e4X(0w0{#saeOx0e)Ppr%4n)Qyq zH?eKOua%@r3%tTQ%`Q1MSxIglRiB%ZWt)y{J0@=2IycxKve*B355v~)x4W(G>jocj zUZ+JIQ^u?j`JFG6sRekvDwgy1omDKOY^g1ntUFb~X5-H5Rkz(A03tj#j@KzY@ik-P zm7z&CwjM+h*qr|ly50Sn|5uU3`Mpz?L-m(wYk~o@zG(v6> z0agG-AS012M0Dg>0J_0B|2?o1^eb>dQ^$aMNV=0$O}f!AT4EC)H5wV>K!*bCG#ZWH zfjuG&|iPG(TpH?W9n!{OpK%(;@GThZt1tkHrG%q zLO&wPArXv(?N~{$f;q4jgZ!ccODFnVU92Qy=Y2uW`UgSn zFuMNx-C^&rUjJ33uU|VqHI9j~Hr2(_MsMW3VBx<-r@Gv3OeZJ5wa!!-wgk9!ssL`N za}}FM=zMb40*STpQ->n@*RL();Sp*wylMkBjdi-Dl_qMV7G$Hj)H#xL1-%J<-a~Kj zpYZ0hq&e84AKDBH+n9ex-;hnFwh7c@4>duC#?3tjFR~5kHEva1IYP$_b_*h#f-eX1C2z~UuS+MEJ~k#;?)<>@u^&5Y8zSw~Avv3aNR z-g=|Uhp4@jwIlS6fn$wCU)gV(+^P5Gc%hLSNo(UTHdH8Sj3Vs*(SpbC*wP1~VV+xEX7gyS8NYJ+KYpr)ZyGKW27JM|U^Fd=Xhhz76WKHS1bY zEyiizBf6H{Izx?kY_e3Ric%8)ha~}+W|~C9rRW6n^nYF08w&it+uyJGe--JG_$8!+Hn zY>8LkHgUu`&z5x*+=|z{D=#I{e?`J80*k#Yi-2tU50w9~E9n0Z2avs{{}rSsNdJM_ zSplg(VaPbe_RbW3EA`zoBl;md8wx8^6>k)&&dij~SP$9A2l^+Q{0_^#K(TK~hp7QP zKm#9yM``(UWMZO#LIx+U($g}qOb6RBV0Q5o>ap=+&4=G!8}1M#wklerO>+yQP^jEW z`tnH+j-Olzz`y80*e90v$Q`I?*5XY|t|FrLvtT-9o0z<+m1N7yvk)ehg^Sx@qc@pu z(?Sc8DJCPW%xtH)T(cXx-NH#*0|rr2us>r3h=l^&e-{A|#ee=rSOXMP9Q$cjZv`Y4 z3sA~4J~}444Q-+TLqHNy-Y`|difEE$MF%PNDTd4$g#~>z^7IL=RClo*dG_ZaHf}b^ zl4fk&*r|gpsXDNZ0R38MyJe9$`o7vEQtgHl<+m~hL|p+zKZ=}fP*ChO)NK$;1&Xky z#}SEHY-tfWM{prdV3;RFQ{{DRQh7PU&k${oWG+G@$w#x*f|)jms@v~7-jH?N^AaN8 z#&Rq8##y`<2_tmn%u0GGjV%NqgXFjuyAKYtac6Ys!X@bSRVoxm6H_c-dRL 
zj#n05C8^zJBxVGIpOiO&ECu-kg4F9Lc2=w(>v!S|^Y!w1^yzGNJvuqLN^0$<$FpKv z=y@O%KH{fWN1aZAld8ysZFqDTt#i|}!z@(sp+5TgVg6*_5zSfQbEe}>o^=m{A*ayG z6)iQ9>?Mq!zwqNjR03{zZQ+OQ6hB%N5wM-!qA2!kx$45B6QAXjr57m_UVTO8LsRdt zjxB3qk{cYI5Nhr83$~AhRv5gyODt*jvSVUNS&KOcH7t17eb;%Mgb38YAYv%Rz(w+kfGkG_9&Huvte9N{ zXR9kr9J^SoL$SucSo77}3@zlP+T-GcS}bW6NZf!R_X zvvB8cLqSa}wXwKH7kjL8{)S@0NkP9GCIvYX-r40Z*JtC;Sl7H9YlYcVM) z4*SF9)%j?)A@C2xTuHV7UD!uOI|a;tWL*&biVzqA-;BvilBSXSiK*VH8eZVBB}vp&wt>L4skl{O^~7FrUc96sz^`p{I7uhM>&Rn-=)PL z`lH$WcOz`?2X9>WWcGnu_`%Bswj(*2{)rDmVa04q}KuvlA{Wg_PooYgUDr|J$MH+4+HGp?tb!la@c$Th0XU2fVAE!KBguQVjpxlxzRj8;bTHhr`3?a4e=ptQZx>U)+Q#phrzH9x^$pma1?18H{(j8=XK+~Ce^-*8ApQ5Lyg)^2`@ik& z|DxtOn;8LSl-#>u{Vy*FK(74XJrL=C_n?mdRY`hs z^uOXr08v_6b}WF$q}0i01Cruu%1yjbE!zx_YFt~ra;R*sFYfWpl8{?|9PD_8_<;`F zRqC@N1@AWvSK~k2Q*Rdk$>2}W@LJG+mBulD;P{_?_%{&s{|ARP{jVfF zIr{$tI`J`&g(RjSdj0jD5huVeRRRNe8M+)=P$nyb=+K5ENRveSVm&peA^b7a1kG1<+bUEx*$X{6w@wu7t&1!_eZRog z&iX|l6!O?_Zb~SdnIn)Au%IQ51U1+b+;jaKXo3b)Yy1mr-xKpTx%Z(A8U4-*8DOaj zmL)U34AXj;?z)uVjpdihamEtz74XH%s3qcy)fCrs{+y-9E=YAV8vQc9m|dS<{BwLf zyFNRe&c+vl14-aO4H&E2bJRTg+g&pOpQ)d7nzwMYnrx@0r19}xn!X_g&snf)7=}4X zbx)2|nC&h9NS^9RRAsxmGmC$Je)8Fq{Au>_dNP`QERI`re@#7yHmK$F9A0iPF^mwO z7NjJh%yDv(&XL%`X4}e$$C1#T+1d2^cziXx{&0Gh)*?S>1i|gsfPqUNDf2DBCL@Hq7J93LJ z_36^F6>_hKn!)^B^OkzLxRuf3>6rdI{&aOZ`~CX(@?tjrEzRGTH6mf*(xcFF8=sBO$Fr;7Gst$c<3iq~byb_CocN792YWl^wy#XtdTkz0KEXoyzfa?70nhR% z+dJXw0r-gFT;V?*dR0>)PD1NEJ3T+$sm3#Pr53F3e0;uhA6Iy_Q6FiYyY&%j+@Oyq z;}1;QnT^jUXQSE10*_y<&ohb%1#WeeT75YE<$C5Nj`D@G(fj84x!UG3f$e(w;7 z%&L8gFdB&u}Xtj1_BihXocuin5OL*&l!KhT__KG zB2df0oe0PhFed`947`Z|jAPAqx}^LVNv^)eH?|KaF-THGwys$2Lr$2A2VkaN4Jp0eVU|+QV?DgvS z50#{H?SB$awTW`#LzmqdpvgPl(Xwmg$~k;gLXspk6LCu{}uY%P1zEmo2+GGLDV zuy0%IduNZS^xt#+Xt`thaP)tFKj#12hqpETuOdA;`%mxNv1CX$ss=kMSh}Ohsmm;^ zHZ%`qx-kJCX^I>sCx0V+n7cu_8(>Pkuqe*?*SWiP{>7KhaoBCD6fd>;vv*BMwLfyn z%_wFG=zef7rw#dGx0e)QWkA?AumaX3cYhxWRsAM@;^qR}+iOR%hfYvqMWPwq{xhCf zw5m|%@QLyGizM6raWOSR8_(y=WddCQZ)>FN%`>YKw&tPQ_Pc&nK7wE2I~Cu1tBgAT 
z!7_RaSi_N=Ir{;x)l|S4j?kU};2PTmo7ye0I(&3rOi<&=aIdIf9LqoBl%<~?T@kM6 z5)Dh-JTNwYI>Zic{^G8a-j<#ip4BHEmgB4OXf~!p^J#KIfBoBUNj&zS|6Ul_;9JDs z5+oDL4Fd=?keCVQ#Qw-kUBPS*upkQ!5(>E8jD0zxND+7M{gs!3=8J>=%9h=?X4 zg(eW@J~R#4(za>^MmZ@}{?oZ3ZHw>CcJcwr-T(K*{eN#*%YW6Rrz-!2ZERvTO36{u z!*ZL8z0_-2^cZz5#5oTxN3Bp$65DJ$ys0SWZP*QZUhpjU>@Zuv4gF{W^T;WDD}i01 zufBgo_?C=T(hWI=No*n$?Fh||ClQwOqPa*a{WmP5tU&O&{{Q`$|7U-ASkwP1(les} zfRV0UWdR28kU`{yeG9Z}E7kHgd-iHK>4_m^UUP}?wHPesHQl_p&OS?k zk=ZI@eBwYA2}l#fjiKBjC34Kx`?fli<*RJ^U)CK^IrP6j=!y3~9q!lhf2&E~EB*IP zO860-Z&xyPCDcby|2z?Do-|K%XydUre2tQKi>4A>p7{f!ZbqsJvt|>>f$yj`AN$vA zTJ*I^h}~`!xr;MmNZAT*GIXE4O9kCW!z6U@vEn{+(@6J$dO_YxrZSqGHiV!NUTyT{ z>Et;2Vsd&Cya+D(WKjLyvS>tpNCehLM@RQ6FfYeu{S8LTYWs&t^hnsUuR=GLGRvAX zRd>F4HO!W(<)ST;EQ{S^NNZzZM34k^I~E{38X3mOToDtQ5`3odkt7{W#|&1uMpoNM zr*_wtV;CBy4l|PG?&Ff0#@|W$A~^i|0ev9mjjA9?p>h&y5bNcFf@%8-x0MQ$8ThNL zq%TM4U^v_#!mGJ^Eoy~Trd{aDr?+POK}zNSC0+uVd;eoU#{UPk{;!(!RQdm7#{aKS zcgQ=_at}1T8!2Bv>^a}WBI(A&lsgmOq9zv%R+3@48AI`>S!ikZD#hT1ACg*(LoEcU zW{-}cxTOm;%Qe+m-QYUQDwskl{r5tsm9PcKxBn93{{v5`>3=2Z$|wcN`11<=*>psajhXXyJpV=B+go?VsBTEY#h27`TWkuI4a=}roG@<+YM9&;=c zEYDuD=|CR+FXIy6Jo?`q#LoYR{rdc;lJuAztT zSY1o(SgqhEQ`T+I0`kuPySXj}TX)YHq`wdOJTMu19A_x1Qv0A%(~mw3UZgTMVb;{uXu9WCf#s`f5(cKsQfBNuP^ZzPR zsr+B$fGeWlU`HW%w3or-T@*ccQPgMgn=|-n1X9i5pFD#Xrv7R1_lF6Zm0Grl$8BI& z%a$c-E~U`*6s)S2B-`qpcv(RFo)ex~)%nFhN!h))l<>nKs_to%{g|&A*8wpwsv9ai zqE^nq09A;EZpo%(;295svI(F_!2lW$KbzI~ZwRm&`}ZrkF>vpC9cyiQmrb}|Oljrg z!kpb75^`RSqL-~%(ReE`+ti2|Pj6KN$eTL%LYXE;^zacdf|6eufLFGS=Oe4o$p1{y8B-_6T(>no3$gx2bxGY1R=4Q9arv-q^ zDwGoat)wgI-IbVp75#T8U6y!Ry=(4I%e52_uXehHUN|v{j8QSGo+s*NkVgNR#L@E2 zZ6EUdcOMA9c>X)6?LVtY)$RZJO~2UNet7qaHskCd!5lOwr{KG$7yeDqD0r8DvfKAG zqT@El-X`XEr0w45vHP1`+CsxSwOm!fQiiSGw^qa7 zrqXGRY*qKd&%q2g_q=oN7W&a%8wl?WjY|3Umm_Hbez|977|wGYqIPv#G9v#(8)9dPdRWuq2?j zDb4L<<7j>(<6d?P{RL8G%UrYVyoNCV1zH!VA)+b_!NRjqq zexSMW-wyhs{MW1fKdVU<%YW$-UQ98a5C|fAySuj;b01GUl+B>jWqEq$3v@;0#OOl% z{w2Z0kaFC;GTFJ(jUM+0^QnC6d2qgUT{qwQKAUenKg)k72KTJB+R3R9{ohdqoNNEL 
zFVg@1usf{je--KF(f{YHTHaNsoVcuOB}J8vr~tBq?-6kUIpo}wD3+mJ>A zakE43bT7_MnEguA8gv zH&JtkQ#>mxIBBP~>ju|}ual99@=RPL;47dM*F6{olh_Ran#TG!_HavEPf_i1LB=~y z9gM#J@%_NR^}`5nzw`iy-OHBSOfUE$9(5jr!)BA&-69RKomvYZ1!Acd;&t+{UlRU4S=Bcf)`>sNTm3FG!2EWCOrGxCsTl(j; z`OoQ+`|A=9y5u01+%T8`qU3~Cq6x|Zq0bh*V$Z}-Td@z_M0Y}LDfE;2IkNkY=Es(5 z^xMqkppJOb1;u@MTmYuQt-4b_0@oc~MXyyl-`fVpVrl^a`ie9rlW|3+){^nPU~5W4 zJGBG)PGh=YCk{`#()VVM%FQ}oUNW~kaxbS8hsWw-TjuX+Cf4db%Kz?1ewvz*^52$t z#!nowydLq#r)(_fv-Ci#&I)81; zgmCNvsmo|v@Rrt=R#xmT?VQbSdJ^jmkZ za&AzX9%CyC-@*W+{v{G?Ylst_mZt<77smWQ)Te^~pJVmU8S=js{Quh^0WA3cr})gB z|1aTB2X@8HN!FPfY}HSp9Q4{@=*^|F>Vf*k06sev;2;WB(^@htd1w)%&y5 z0D96y{=egLZ=YM$&xOeGc%Lcwe=ZdOruzSGxAXiz{A+>#pW?H?{}1!1`W=&j2Uh+3 zRAoLF)S}L(8voC$`sZ~2-|d|O{}2Cvf&ZW4^Sj3Xk5>fri^JxBtg4@OaBf~3i8pbD*ri^{cE1hJBS{z7@A7mLnRMd5PQw__Tq9ku}cviP+Vf z#8j85i?24F@uJWj${Yos#llDA3;a~j|2bBFnnC|ttpB>Pxv2l~B%de9|LCgnENAE{ zUud`Ge5*n|G-mP-Lm%N*Djd4i*^#>?`>W{u-IFNCgzh#~ZRW^oQ~6>{xynTqtNVPa z@IRbn01RaMz|c?nOve9M>mgtNVSRg%|L18wpF#X**{@TwLO%0O1wc}l}ZcMG}4`#F{ldZl4QcxP&WX@`WOk>F*vlt6iF#-0Ad_!wPH6m;1 zcfAuo@uMh+Nae=$+e?R4KkDP+>_8y5!+)>GBKRmT{TzXE+Zylv&#;<9F&Na-Q^_(d zFvd^hthkJI$uBj}yF7HK_uXsxZVk6l!l{(ACX?Bda(?8c)8FMu_?yDUi;n^us)te4 z>FO#RgxT0Rv66OKJdC6GdVD%W)$=~g0jtIe8`C>RSWYLms?w%p2oRXhwJp=o4U;fN zYg#VQ2tS3N%AVbX{)M<5z!Lp%K->5s0knD&Kxee)#e;5IHu%I2cKnsiOIBj7Nz#KH zW*OfM4=FfF;!eQ(vj_ssUG}ps=^?{9r{JPxlT=pYW#y3v@R0#rw*aS>UF5V_UBMK# zWvh6?*3T0z&N1~>z@4zhL+5*Ub=6oR zH=2blst=%3GK<<8ZQnssC4^0UE_0^?Tj&F=EREvBACMx(Db}?aL$}?kR+)co#lJ0) zERZdgOmqTtTM^}|!G^kxI{=_@;5wYxx2CtWb{P)V(%zE$Z8PZD-}uROIl;#t3P)1= zedx<63>6G+-KaWsXRqF#o}C|^IKO#Z`s#Zpa6)~6XO6n!P*wWd356EoGDjRQnHycr zeDe0-5hn&zQ8Dj_z4x!r&VPJ)dX6hN-g|R6_cbV{g)r-sMc@KXPxkg7c@>0>CoE;} z;NV@^3U%Cqn{8Zl`qN>iAY#v&(-79qk#RBWKjTPu})P z{n8*i21fX3Vv_pudwaL{{n`2P+k?aNqk|^|o++>B)!TAVhD%#R=4y>@W~uCqb4LUM z$m`%Xh$f%H>$g9gzdrnM__`WrRF7L+Ml}Q!NBN#g>P=tX_ix|5**mMVK0R`s1ui3u z<{3$Zco2QiIg3FQL1am6L7oLw)$gTd&h<R+;WQ(AQjEamPnD9fP=j;QpzYE@3H95myvc)X 
z++$@;5NC3Xeucz`(-f6IlcYNCVPAMbs3-t;h0jue*#beF2dVzjI4?Op-8Q>3;I-VS zm|-M;S9k+I1cf{xCTYp^5i3c*F5Wt2kX&*R{>)ZBbu=6X1+Jxv<#^`p_kzxi$Swco zjQ}aJAsJNl7~x|{3edFuemYNo=E zZFE{rk~k^+vO)gJg-*doqZCvhB_(@5YteX><>6I1Gg+M1%%ZfJ-h{*EEtP?#eEGS9 zD`Mj-Ka566aMnwLv=>L+8SXUSB|ju;Q9?gD2qJ$xK^K=BwWL>m;Ndj&ULN?$wR`+Y zM;%nL)!BHyOMb|Viv-WUK(|8?m&}M@qVP7Df?u2_yAQz8 z0%>>9c|dgTq#g>;?r;x>XLr2X;2eclL1)~Ff;?vZK#0u*JapqA9X!tfGj{@*(mOr+ z0VLr!l$6B#QQMGmqadFRvYV8fzea_>oH#BeU8SCYh;gwn;*UqKU$;C8h{z4p@keQp zdSRNv-q}}_Mgy_cOM9aX!%b4WfS%{4UN=aBYm5;=8PN-~G>EQp1Jb(DTmu6v|2^(s zhJi9Vq$@2KM3Ue%i--B=Sw<^tYEdFJIs^phM@f@s-X2Fk_+A|Y*Ldo9 zibFg+SSOlLJil}ZOmo}`I3y?@`q#kvu6k({6K=+J8 zQ@Y+=FN^{>$>*st`B0^T!WMbeWmY9R#Z&y*z^C^w|Ki=?Vwwt|zFHoJ-S~>RhLw^t zDiYNa6Ih&Pr+23|10tID|P%niMu6kdP^lPL`@5lmm0IW=~*5;Op2G3w^T2VZz_S(guVGK8eBqLB@W^Xg<+gY7A17&4*JhNUf^tY^ArIl2dS!ljoV72Wg;R zI$nA%JJ2kYIsVG5p7SZmWZydmxDoM~(q! z@9gaG&B@v6w{2VhHTc&4YXt8(@_zP~z8WlfP2e!UQoS73w;Q{fD_Y!MhPMK6^VOi$ za-|qoQ+35=6Qm_@RM!BbUh~j<{=axbyWTRI)qbU@>6Pcmq+ce1f8z`|`1Y&i<-xzU zS5{mhnE3x~XQcyMzyQ4RGpsMawSPn5W>B&xlxe$omR>qos0foRZ)!z(sadxrWcq=JuJJ2=Nz2+J`&O)QSXpDRkGwt1Fd7)6IUh$U;B34Np3?|$b; z2vOVZmXP)#QM*^`8 z$b_#o3rJhX-Y+9R!cJYp>V(ucxJL zoTMxY`(Z|j=o(};TD}~Uz3Slj6x*WUh7@U~=k@O*ptxx>|t~Zbcki<@E~7R<#-Xtoh%n{@kw=riy&x(!VZwOXo|qcFDUr z{5ZtrQ))h(BEB-~u3WJTj59+;{nhOQt2Khd4rNto=yj72RblWJ#UrKqTvNl`YfwH% zI8Fmtt+!-1SSEie$5k7Cp5)h!%?obfm3^8Oxke{Uu(C4Ssf2^S5i2~)nW(mt52nzn zE-doav_8fD^{yDg`k zwQskcl*U${^@Fa=sN9#)i-)A-i6argTEbKR0`6MYUi(EAo>F=Ks}eO<^_w$Ti(*Dx zgXn}SoOm3wod(FfGn~L^3gsS6B;2F=bi1m{V<22ShQ9wX?2r0VI1{<9k*N=_vyYHb z2%De8-GeYqMnhDEeK+b}2f&5U9O?;i6qaWbEQpM!u zQ`hWuyXc_@@=WMQUI#@PT!325x9wFK8swO?7muQ@=KWyyb>w~Tf~cC&9d<8Uu<`e1 zr;bE}#|*4*Nz|ZP!3sLRv)7cVxQc>6X^>(!e`4<3YNY#i%*i0#@YY*SN0;6*{i}~I zm{WJNzT$1b|KPu7kUS_25!~CYpM z+|Xzwim$^?<(;v1U8P5x5&LL;9#VuN-zSPRQi`Hpa;5mZicRc{Z4NHr6WXM}+FH#R zg*8v>>U5a&oSrj=lo#nS-*xGu03UO%uWopC1t<@`?o;M^E*~&T_+{a%s(LvlOO#G7 z$X6<=e|vw{eiTM+n{F03SV^U=KGitJa=+Qk4LD^^*BqWdwb4*cqVEqmiZEpgAEG}y 
z`qZO#?iT)U7{z0BXz`SqfzFJN3dv0eh)>+t=gKvEJaQPvfBLA|3p30r1g9Sp*E|?E z$X!Nx5Eum4_s3q(zYUm(kuGpq`Oo`O%Yhy3&t9LdR3bf{BgR2yx#A)CW>=W$t%iQy z)=JqkmY*DtYGsSz-z={SUA4mX+MdLD{1|udGQa5$dDjcGIy`C~v5E9^kV~XR zv$Qg{rno_?9H@+NOg}H_Z54yvjk8+W_y&1dqw)O~hsxKzuNbiCpDyp>4cs^Pw7#%j z*4DA!gqjk~ZJikR+MRg#HC8$4HrBVc*4@*Xgy1oO z5Am`Z+mO#3C3S>863U~)gA68WTw#a^VT_{_tl=R>ROs0EZ5ZUBJNOzH>R9czUP5$bf zZD*)r^m+ShgahP}V^~r1mhY|CiM+L}KU_<>x(zqMum8;%@Mo_%@Rq*%hh#ANZOQv9 zdfXvpZ61cO)L-S7Uv-=R`0dy0rCNh?wwIEz`G;Rsi~1w0v?3Mj#-DyQt?G}jQtgzC zuYUT~w5mV;*}J{t)1$MhIqaW*bz9e;ixQDkOr(GN)oM5U6lI_Q%8HikviMBmhMx_&+Re zbQa$PgXz<}J~};vDG-znPfyF|S^9Z*_pdq))bw+_>xIZBn$uMDR}>u>Q;2LX7bSD* zW;F^&Y)J_d1Zz&$kvs3A4i;84dnK{_p;7nT30X-$inrm+r(5QsaTfAZtb;Q-71BiA zqT!e3QgAJQOxU~5DcQ5-4ykZVxg&ds6fvt9VQ;MHNr3Cz_(q>L3 z(uymPqyRdcL{@I*!RuXf=bD)#cU|3UJGo05mru!@+h|8gg~RBI+2o(Ao{=BYxK!a2-SATDpM!bHVu)x7H%0jM&V6B zDuU-o>wxSIx~pClWBYeHPqnAz{c6vr-2)139|x@+vx$2Gt)p* zKxaCGPHG&wQDh@cednyh+x0|Z03i05_H=*7{ z?blenO1=5YCbPfS8D@FV1Fjx_-Y>d(rUw8{)f=y#tj?pK6dxv5TJ3l3_qB`Cf|73eNVy$X57-- zEoeAuQ20r=Jn^|#-Cqf)KJ>CC4^{iRN{5@vg_Vx{@GBEe8-px$jO`=5Nw@k_?MI2- zPu1%5M(uBBewO7!-S=HOqs{YSIs?!BWlp*736FEaMHV1+9=A4Su=_vI`QKdm&~v{# z%f*Uo3wo&(7o2cys>!q~Q|)+V>Mxa$YRVP4ohM&S)wSp`>?_%Ft|WgQldeJ!XAf4c zx}SUn?0|-^#8NI*Di>`1Q|W;#@!B-BB-MPPu$k~$=}-?-Dp(`7Ch~rD6bja$v$2!2 z-Hd)7Q?JNK%u{cvtm(b)Y4TtXRV>W)u1be}l-p8KGPB*73QMVRb0uAPsfF8{1;JGf zHvRT0Z?0_2RuNs5-QGmRS2AqXpflZGuDYELRdF6(goSoWm_Tb;B{d|c-C&`MrNwuD zto05j4*bCPST^xQYg1z6TmQ~$uFhjIvrV1r{_ke$h4@hv-<>4kZ5RdD!C~6*BSO== z9wn@F+IIY*e;Gz$76v&Zq33mzVpe}NT<*PoeP7sCMNKit1~H2YHYkB@(Y9!^0v{raJd)@=Oa%mYfHGLfx3GgZ zU=rE3+o}pMp}mP?p8`b$M9=}RTe~j0W{F%_H}~QzhmI4wm6__*zY0iV6waokE6?Fu z%Eq{jYUB2@?)A}lZj}3D?A$;PdKQvvFrS?-Pn|iWbW%E@T-K!0Op+7RHCdplu)=cA z?beDpFBojgGB>FmyBQsf*R1>_Uj<|0Sd)@HCf0fpW=}7x*aES`E+*bKf8U-#R*mCJPQ(>KlXbRwD*MfLWz}K-Q~E>l}eZTcUsc1_N7i4;{mr?HuBuAwQTT5 zz1MKSIp^wJtm;$$X3KikzS?PnJm79iho0NzmX3bU+nwoh2l1fiJ2!hAXTh%bQ{Z*{ zD8ihY&#BFG&ZFrK0?sv|Gth-f6r4m|C67g-OfLR#7==6#&LVxLf)%Z#K1>z5)dr}E 
zBRl|_isQ}=l!`+?97~+U-BZ!|OWn&EaKbPh&TwU7X~;FM%@<=t771X-=Gy4ZXY9AaVgaVCtRqy%ZWJ& zW=Ic_+h<9NhRKZ_bHzPjp<=uT!a~)k4~B)RfgcwZI7i83V3?e0pguH|rvaJRY98=V zHQ)mQqH@>=Lqz4sbFxAi%f8OgpflLR61*PpXpH;El`&4b=M)u{o}j5Wjvp&EgfZn* z_SFU+or!3M7?OwWQd`BQZM4|1&Q?o$e}c_oVV`OHblTL}qT6w9yF()swbf%jobbB0ROV1;dzwzWy4ih9r}i@^QtEUy>y=Iz`C(T(vm@y}u6Rb@(Yass z1TV?S3!LU4Ib(0nK~!_S_re_Wz5QvPk8=Qm$xeWyO_njt^Hh_3fnSqt5Ov;TetldgJS z(X@Dz<$a)wRZHHKv0bA6o>i^3rK;7AhC`w&zl`Ecj-Mu>5oA8=*Gl`#%m=E^3sb*x z9^JIYL7q~N>Bm{xE_bMtTDnJxnb}Q23_6wXlekY0Oy>fA7hDORH2q3yX(0Gmzd^@I zr&%~z@3hkk`dk;T7x+=u^Wcll4QaP1|2?*+l=ohhE}TXv^*|J*eHNt$VQSZCTk2)m za7nM!)Lr9W(xvGj5%xj8JQ+n1pLptlv?*1Eh9k0!@z+@F!V5xpaf!#+1|5g7%+W0` zvax6W^7^Bc5(?wn|41vAl)?z{&+#UnmuXINYcYpGr9g7WQCK-P&VRXULzaEEh;@%r zgE?Ca3O0B-=L%hDGgwZGy*Uf*^B$LV0H~n~tDPm7p|B&?trYj=D`V+%B5WniP>njI z%2sgHt;Q+fk2t~C91ez~j7zqc8tDi=wS#VXFcuZKESuIULP>>&00S<$@GITV@K?9( zx8*sl3!3mt)k_u%g9Z!%? z=~VVUszHITJhIl|mewju*ZEa$s^-cJGqrLT_{U>jIt~;&x z0G03)&-+t91mYJ3mF=ee{)K*|{Oxd@Py+tt&WiWSPkZ5hoD5gJqd^BA{K>)pY)XNH z<`FW|SiUdW_1>JkZf>;J`N=m*O5JhI$CmYIjgie%@swZ7%a;n-DXF2XkbAz3-JnpG z(R^Q3M_D`uCuc!_rhSLV8p&>)T%!y`$%a1+KLkk{VxZ@3yKw_ldsp>n*tyeZEfUBx zNQZO?oI0bncL0%o8nlkp*MhA4OThljbM~-mS=w8pdS=us7aKx9Xy$|5l3F*TOSqgM zLmN-LrdOHkX%<+~F&vJ|`pAgDa|lRV3~vr1l>nn*lKV}Z6@IrgkbZI< zWG7Slm{tW<7P%5kL@kQJt0>QF1A~Kn3}a{}9msc+7VFMhq0TagNt zU2;zHb?O9F-W!Wd$IuF^s3^`EDpuSFHRaBy6ZePl0EpkNxQ|w&p%VVC@}HlY{#WyV z;$uAr25=hxx4pfc=l^zIY%ch}r}!-RzlzX;It-wS`glYRP^MV0fNFz}!ReKT;?!gH z7M$LK)6;Cy^>EA{|E0ff;Tx2_1`r9Z)3ClqM-lV*jn&^ zPx1Mk@_#OW#(bGj!};@O76M%`XO4bOoy;R^=*lB)ZN|-FmyQ9mKNa7yG?{T(dQ#5i zbD{e8fx{w2{$eQX=l!Xm|MMXG`ZG=cv-M)jrT^_0J6j9=&y#!>^#8&1e?j&iQzuiB z?qH#jnW&L@hKVcgd`vzl2?+t(G0Vhd0Aw`q{98Ya$RRGc4F(c&Hh!K2l=T=3Nseih z6c&T-KVj+}9G`mdKOpf^I>Ro#s=vkIz>9~ycV4?n*xBBPz%WN|L z*Ftg>UJv5rF&LaF{NMV{MjQFR_KVH+&FvRE!2fNvw>K92-&1^^c_)5`2!JRAg8-Kh zy&Q#67k#XOfw=+N4+#F5cZSp;We-sJ2b@Ucp)a)8_p?q9TCV~D!5sIu0rbmy*7txS zVSqt!&F-bk!z8#0Kf+rk_sf4;X?br4(b&T}r9)nlhY<)-I0#ye*1_pH<`f8Ei2b~%Es 
zuEGctF}2dWA^i8!zk&Z|efanP4NX7zNf?h(@95wVCLbm-1~fEUVK?yCxE*}ez%h@A zE&v*WpF3gF0VEdkN_(SA{s$1^W+!Zo`%weitvxkT;rGA)YVY`m!`E+rX!X1EpJVd- z-)Zl(^Y4FiXYt~46o zjjn+c``YWI;jRa4n)mLzy?uD@zl_3!qjqlFt zf;?2CTb9XE@8=(0HDA8i`0Fz9C%bEF{9al>me+bHn|44pU1J3!(ycWN5?O;DD`x%c zYW+KU`TIR_*#6o(^phxr*XI4G83i>xy;k&XPl4CE^V+SA4d`$|vt39PS6Y6%)!u|- zqQ&lP)?MrltVj*pym^`ChThO4zpOp-OKW7fs-_AL%}s$9g;TuP`ljX-&;yS1d${0H z!sp3c(yn(L+<6xiJB92bY$_h=Py)Zp#DoY3tN>+`4|X;_J8u{5eXCt}?_2E^Yc&X> zI-~)`9b$@)M}4?+jNC&>2Z&3Wo+R-lhoMA3x6C)Xc97`A@(bLoy}(UcpbE0y_1^e5 zL2go9Ms8)!Ch&JZzca*P*=WekX>HrJ-_Q2Oiv76#K`u23+!@~&hP0koF~@YB0%aZ{ z60hSE(U;8(f;*5L9|Udut`TOJkK@~bu5jaJ)}zUanIG$G(o0=fsxtK?13RdeSFpZQcLnP^`B!;S>Y}QIy9)xFe4CtK zmclIrd@PT`5WqinB|H)F4L0yiW=%Q5+OM`Px!-I)kZ{ZvW+w9cCHi8q@Ywvh{GHbA| zP{I91)>{KidKwHf07*c$zec4tCbe+|!U&-HegOA6O5c*M5B(ik0F(qVk%9yVcR-&c z?4&J5`?cA*7cWZBnGZw`LKv8rb#Wr}z#~3G4$!~$5$J7B5YX-R!$vNL3E;V8*zMZG zZtI(C6K^}Z#^~nux($;g!=2{O%31?}&I>p;xskf)1A5F#tk&l-Me+DH9yaVLGD*bW z6Khg>@mq2_TeWX~i*EiP7$(3i;i@lmc08rSr}sf9s)a8L+ejRFvBj!N7fnf`S$!X8 zJwmWYDoGD%7vKwE zpVJ9R+H{w`316*PSU3oE07$l}lF37MQO)isa%Uy5&E-@g)K{k#T|v5+LLMs zkPOgW#o7X>@V*SLPzO&(ErfKlHoR}Xur6$!FRZ;&!7V5vqJC1^(imEk1eD)<>tU;7 z3aKjWQ4SeleAZi=LYQ@?x3XsFh$Ex?_%bavp%=JbQ~TN8fex=wpxbQi{40H_6uvH* zRhTJ@hjA2Nk57lF!~(RRW(m-OjB;hkvEm79ioyu7wz_Hu)l~(Q0EdLGJXwiiL#Mf1 zCAMZ&-?RO2X)WK>M$X@?E9#;hff#mpkIe{fO8->?J+Fn-;IxF7b%6+a z*z{pYZX#>9ZLC&t5T?n9#P{z;UBrlR6E4@={#T(Wh3jFMu1&69Fu5Z2CNZcio_pfl z;VtjKet&v)_>MTq6<3!@2e46_M67>fD>rE7iz?TW3wK7fcdaAZ`KB)W4?P^+3SkJI zL@*ks!|5VQ^}WCBy?HIQXjKk5PGLosM}dLbYhdB?4L&#cKaBwto&1T(@8@J zS5pKzjrgzx?j1DGXs7l&+uk&Q9VGp5K*#t)0#E)VNJ6R&6AwUaDuu8>&080|p~p)3 zMw!RLd}#1L*W;2+?$ni+p@$Yt{L3%`{+%_K8Kw@5iJy=BG$j`r$z*P&5hkgTW`0o{ zlfGCl!Rn{N#Tn!(eD2#}FgWdnSDE*Yid6EXwa@m2I$NnIkrE07@s^W3!q!QpNjxSJ zNXO7FAV&gy*@2MiP;j>jFf|XS(i_R9{MT1bgU-r7xEU{?pu5Z*LMrRW$X4> zeMCdIjB zICau8GjXi_py{$18eTX`?QIJf+?9JCKM89kM^dx*#Ls$^r;S##S({F6Zdt2Yw^q|m zGrgK0kKg`u>>Zt+zGwJ6LxmBY4T%<4ei-rPBZwkGa9Eo5H~-3jsYH2IAy>HdZ_#J) 
z0zG1V04@|7FNU(K3lYv{pj0ngThkz7y#$@f3sc7lz<{qGmX1OfzP7!SBRbpd+N|jI zH;$e_$!VmdD0L-f=J>)+vL`waqwP>!GPD z=DH=Q9}ZIB6}$^{42|H)#c_5JqNRxNJ$tI*ru!%ba7IHC)^SDT442c+<;MYt5iM93 z8uJO&_1u6S`dOf=#4^upd{d6ItDtgoGE{CNo>CJzb|9@H$W3(miHQO|d0?UwAyUBI zDv4DHTztiz>Wm`hLquBMS?n>wpuJeu%$T(~mHWqo8j%_V&cUo>oh^gJUXT=?kS@i$ zfVTUpGvlUK0U-<9;3xtvdU2W|KF-TDx1pa0TGc5fkfk?18LA16YwI(1P@mx$n6Uvs zPM(j=V-s@B4`#czs}uBCku}!Uk3kRp*0wE!+Qw$mt)PcY4GRf>4Zb4Ikakkr*tz{; zLvf&5FCt3KJxjamum&_!Z5eUzUg!xxfgwActD;b9kiAY$%Qy6{jjK)rYrbqQbc(#d?HxDI|&wV~(5 zdVXajP|dO~YWSF|Dg)w+ij?9P3`4%kcIc z1STAZpmuA!deCBOJ40@>GbE2MSA=$kWSE3$An~RSw%e)=o?9=>6h^XE2Fp~2tt%yN zlS`uFEx!*xdLvzcLg(J0m^5F`ruM=&Y2i4u@p09xJFG(oZ{zT;Jqk_9=AvhI^7)m?A6V>*>+F}o^BV&M{bn!3i zo;dVyhUcSU_jOgYQn6{NzWL(B-_(6T&;utvq+&LxMF1upL`)q0G7v1_#5!n}$6_P4 zYO}^$JA@5h$JZcA-3Afi94SI%&5t154HGz%XspnoKv@)De^2dQhZp$zH4bK!dz*hV1?v$~G7i_&$j^Y=2 zxDyLaU-{_x-F}!7eN^5$w3_YOC%LUp@*7l=eIHyVY-1c4$z1`$k@jM{0%+j$8=}Kv zk93v*WL8q}266u&V04VVPP-S<9 zJ!B2-+6c7G-oFN6ekZOemJi>>t+)nk)<)2q-_ZCuSA^2Rx7KS@o%NRv_$aLIUYF&= zTF62JGjDCwKC_MOYN&O*zl|pnOjCPz8!rv(e?ieVCrNl4M!|J(n0EY#wy?{7cNZp1 z4{4oVo7POHxP;pL)dulb$HD_jovG5-AbcV>X$8dXz_vGQ^K_dpH5dKTF%l|Yk}~Ze zDaeH-KDJjvh0}%smw^O?Wt0H~&oAq~S?E#jkHPc>ZV3tXrFQG#S?UTj(1TtL@+PR{ z=dnj11k>$eo+>Ye>qU)Y6*s+Eo2lJorq#y(!W^}0_RdNAd8xlj{_ ziRL??e?3aR1az>EZUf{At9*;uIyoWKM7bLC3hVMFo8;1Esk+GcMp7uo{0&E$5Mc5V z{jh;r@4oWW-+WQ~KwfAY=nLB{vt_;c646=Qc0`upzv$73?pi z!TEMXaaI-ta%zH{_#nTjOM;$+jhR$YzIR31P!A zyR8BPd|^bR&Dz?j%@^%i5BB84zPi5J2xDi>%u}i4coDTJ)wZToJKB(@yay`C z6d~E8L6~V*4~}J)N~x%Xuo-n_M;AuJGSqI=Uhc-WEkq3CG^1$P3oi<hBjZK<{112cK8BVfIF1X!SN{7c<$9+nUlq4yEcJpzbMEoIvP&SfIL10X6q7i=s`Q= zk!_fyJZF0<=y%QCjk?j=es0i%pQ0$sQgkfhAVzJ|f}>@71sr6^u7^bHC9S($=6Y>h zx&DpD0=c`P&`dr|BCkDPJ;~bK^ow=tJTFJrI3OTW{86IfU=H|Z@LX{j#i&ig(QMSl zbsOJkTE1=UwcnJ=oEowTMcB^^E}nT%hN{|&*x;i+wzX(pOj}o;C zO6Tw{xDF|HNO|tbHqwVp)%nTZ*{h2ZpFtv9 zwV7b(VQsWpn-j&?*Cs*PZQK!oWl$lHGYzke^xJ%=?om{)$~gf$cM?s%S(_AW+N8iZ zL^{5b$~#h7@^oIU85UF^o&|ERKyafj0e~I|g7l!t$<-JMRfI`V 
zd90Zb__Bjo%|x4}J)hVQAdGiGFtGIN$`z`>Z@s8{G|*!@*<^FcsS5Rzsp^77+hKvy zCfKHhkWT0F7}mDDRGHtDM65#)Y`B88~xf5S5gM?YE>xC zr@T3>$N~!eFbQZ_$-$6U+pipYAmlOcAu_5VXbd;zZ0|4@cu2x|S7av=5iM|PsY|Y{ zyLs`Aegm7WO=ItE+qzVxkF)4niCI%8eT!nBY=ZHXtuwb3;UncZCR@PPX)s7b;T?$S zO+~R+tcs8=UdF?>k|XUYPt&Tzw= z;Y;fXXIKo5b&CF5AJ7$WO!tm49+)y$F{VF%`0?dwb939=S=)-A9&~4$PpMtdAF-K^ z;qmr$hE58f!N#cbpxN46W;Vc*2SG=ofQ0pFf0Ji@4s+l+#oGy|F2QN+Z3sYwe)?o4 zGp)+VZwab?Lqf6R-A8b$z0m0!v}hCN?4nvt3mvM`2&g~+!b-#&Bck8X};E*LyOP>kn3xo zJa0s=t@K$2s0zR`8eS(zdJ$Bh8AVf(`hpNM`Nv4wF?Ge9Urb`H^f(~4#mFmNxJuv) zZy7;beJkdyixu5Z=e1qKoVOAElTJ*GrRp&t!lC#DB}%DRNEsPTDD#E|r+TYOV{(DB zVM=*)j`$v*GQEcj{YaET5~UZVr-ZK!n`36R?a!5ugYOe@q<1NylQ~-dA;FRz2lmzUtXQo2y=sb!>$Zd67u27TU}zXKxt|DEx(C3$=V@j1aBKFhDG9 zG8r&hRrUZ&6+c(vAS5YYQ1~^$L>Nn99F8fKG3*UP94uy#Smj*LZrr&El%!|JyIlIn zOpsoC;O$eM{rw~RC<1LUKouPTW!E+uq$A9;m)i5=W2*w65;GEdfzYbZ!&tdTl(ox0 zNEMNUFEZuI35-LDFX9KuOdr62I*?Vx%7=mQ?}$fDbbxtph6J(Gfbtcu3I(frG^`qD-|Ry}v_JTX z&30N6)qtNiymC@+#?PYkfc2wA=AtNv{5#cOGMNqmd_NRX?ZHG76)Q5&$fm)#aq81{-4N>BJPqTbffSZ474dibw?9Y ztiKA?5Bum-idQH8oQ9plB3yDV%j}OJYEEid_AD%}fLK9h8}+MXo}3;aIl}8lX+c)r z%8Y44v=0_XCVE$;j|sg0J^ZeOTf0Mj~WiKF)tDwV9<>s?pD&Oe8xsyXYE4bgGe?U_oEAs!##v| z&Eo6p2;tc+M-XxXFI5E_&x?5m{p>M6!T_VRtH4`_*js)qJJ$K39WeBfoKnjCPgP8c z-|PO{gTuE!9Us0seT+G#)qh&wF4TY7YOgQqzdXg~Ywthv0(a1fnb&DvA*&=D(WhSM z;`1mU_5P2~-W`4S{_N=Z5lTQ!e*YVr?e(pE{kM%p{kNz2VCAy`NJp2W%%RT6KLL6D z`h*L*fV2?oe*HC87R}Hdj2ck@6)O-)42eexlh)^`8%e386Qw@Ja%s`H)i}EH#_}P$cusXe63@%E@-s8}cfE-53Hc3NNE^18ZbNaY{-w(pGQ{f)Ox5 znI6dCHdHOPa6{jRNt)qSLRt(us*E^05HWm-A9hhSg`T36vG#n``y1}XPj5UbeQ?njh|0g;_JOPkL5WF%1F<=Bo*S$<- z=`$11VcNTD@cDNlfC7&sBQL(Z4N1rbuu(ufz(~kQLM4fB-t(@}znZp*0#QuKh2X|X zCrEjX_?cj-ml4OceIF;I{$GD?|CJ6TG?|k*dl40M0sbFH4G`+0IHqJ@Y{sT+lBvW} z!37xwRjcvcSf#}$lO+sBwwjpI>J|oDC5gZf(}3j(1c?r*z40g;ASrZiP|=OY?Qvl) zQb`p~4`yz_cBD@1?%G%dy+#(pm zI0B_40pR2F^dc_$@V^(7jGJ^a=+Sj0%FF8!h)HmCa6H~1xHA>&uu(jSuxzqkIpw_e zuAo^T&a{Vz`L(L7Kvp&OqYFTs>5e*LmBLfvml$5@&FU(;*aWwQDtwwM<#=YiTQsI> 
z`Ef*Y1^wFc1cR#rU6_V{m9#%;CqZi_NcCCzPpmmb^hzme(Q$p45oR&#Kt&AT4|=|A zvL$8m*a%N3NCiG6)FN=A4Ykk}ISPyeC?hYz-d#+29>!gcYG^U!5U_Z!m7T27Xfs+A zs*uVP3A)gJBlnYJTaZEoXeW)6@bCQIeT%kH-5UQgrh+zDy4u@Ujg`A9Vna@(mHF3j zknq6a`2GG6vo~wt==;eHr}bUJ@0MUqn=SACfaJ!Iptb{~2sgNDE*ZL^m#P;9S4?91UL+R)4*rd*041k)a1bOP$gx>+ma}3;^;b2!=SMxq~e6Nu!MO4RYhN z7bixIeH36aiB?!s;a!bT0RjLL+yNq3^(1bI>}<^#D0V>4co3jFfuAsRQ`I5VRW)!r zhD1(T*9(W@9ZhbKqk%+u)lY%(>=^%*f`vfE3;SwJZOi0Yp8<*vXyGYvRw-gd zX(-VwfO&O|3)BZ*!1ViP--oJTpkK{fGp>+FwdE@XzfmIP8_|eb;dAf66Q@} z0wUsISGhhjwLGXYjNp&7>)l4<;^KnJH8;eJ!rhx!-dF!P`RU-dHL5<$zpdfITl{az zM_$szYpTqCxWFb+QJA7}OymU~O=pw^W&tK4WbpuY3v0u3XaaaQn@Qhm-g-;CfL&U_ zQhr{(U0xmi2cHHl<_Nhvn|vXWrqQ{2OV}wwhLCwAw8U{CALKP0-0yCKFb(^|BQI-q zyQG{oqCAy*B=3ZNg|A3DX?^ zVn)LQHRIu5t+Y2`h#QT==q_X+`=Ot4SVZO^XLxx)D)=m07I@mN^O&=wk7?3CDY`Vn zADT&4#eB_HPfC1~D(EX>;RbRcYzQ=YPly_lvj7Q?fOp`X2IMD+?3ltUB{&@z3@Svc zGS<;ZUWz<@%f^FeWCTGz15QpVwdW$oc*%{QF9gn2J@<>*U4}B?Zr6~TUvtM;G03!` zMQlax07obR=`!K;2e8T?emu+(P@!54O|&@ll##Vi0i>v5S~Yw+ggw&egge#nTt6yD z@qwMx#Qq$FQMj^mi@d4_Ypz5MC#3WzWI&+-4THd%>e7nJVaMS_6g@)IOn>MPLgAl> z2qa0!@r`Olig0p1A?9tG-pNQUSfGzn2Zrnwppz@d38w83$;G&6p~AyYR7-8X@%zXf zG_6X05^gUm7sD#E7ClZ0lCf@LoU-f<7s6I=u5`0XItY^Pcj?jLqsISz)||tKM{*ns z)Eux2iuTY)b4gMo=EtFBBIQ!03gs9K>XuYb%ark0ak?QM2C@doGzTm0cK(y*So$BS zau&1B;NN$>{{eSSYLIbvx_0|rZ7pCzj%JEWQ20B4Z4 zgeDPfT6-o80JmHbH!UoamCD@wOP9SCG1qcTMM1*rUdAz1yb)S71CBpl74?yFg`nHk z(iy(Tctk!u%GuL;&MLHo{ef5uAqIO^Qoy|(`nX6Olzj?PeW{|$w0K|TR%8sV7tJR8 ze%D0C>cYE<{A)VT0g8!z+LzxY-K_Qc$yO^siT#6&dulZa3oCM|!feA~TsSvzp|6XL z@&j)e4jF$>XG2qVW0T*ag02B=vctW!7i(jEZ;H`m-yq0DF)`^D=Q4t_lL{hpG5Q?nf3G8z-5NCnM zZwKJYuu7Q%ciN2ua?Bzyx*{iNx;R9F7Y+_RWI+ay=qvIK!=P1+DH8!FW#d49eiqgpOz4yQMe|NN4r>bgW~^87e!(`uY<|y@l~J0d0oht zoVc3xo8Nx5>>QK#-_i&_7Tz$3YHbuYm3s)i7^h3iE8f|!*6-tAyk_D(Zy_YNaM{m` z9ag0M&nUw2GJjk0zV(&{@cNg$ztYdYxkOYUV=Y_)tI%WRzjkKQDgo^utC85%q<3Nv1qy<)quC69+nDiL4%F&pRs|KG)iV@t_UeW&>U>zI9I(*Wp;FS_Fbv*jn6 zO;Q}XQJ5pGOH~3;B6?(5#s7iZLPLC<+!W9SFrI@96)74_SWCe!@`}ooQIvE%=)g|~gu*zk-g^@rMmWF!n 
z23Dl^{?GsZe=VH$fByIX$4r9P4}2ie0cr;^EaW!qqRSHIFecL&X zG)AbQ10ftJ4p5sFR+pjvkq5J9@|9K!S(vaxCT8bo{-4wtpBB97F1Tc+`F*kuu6zy} za!ZDEyXA*H<&qiu=$?ai9XxQ+IQKYF9fq#h`|DuLo=qv{dCAM;qbOn<%UPJ3e`7Vr zbISMV`M1hO!nhlqvlEbTRu$Ov{f}XP)Tgv2gG~Ftp!PeU?J?ZQV?cky_{xD`8crPE zQxwbxSwyuI+11~&deI8VNOT*F3IC}l2HUc4zr9Y|a^7*-<;%F*+_`HW8o`Fxkc&79 zZ$UZ5vJ1jM=P7}MLEnfd$ZUAWRzx)V)}oAbG03RG82ml?8RD|gA$aoAv>pnZmx4)~ zN#==9m$o1IVINP3k-CLbWM=EkhTNrtU6xS^Y!Dy9H2J2XlusL6m1xRUmFs9##-p1Z z5}>2mkLG9iH&Ym>L`p|E*v59aQyEQ*_Tk_P?L=s8M+~A8O9_bOam-i%n6%O|6xjr^ zR4x_2f*ZTK;#};MD#1sSn)NXV5`9U;rPAxLogt7-6k^J^qy_ga}UoX&h?Rj3OzS* zPGU>Ohb287s*3*VekBMbJ%-G7R*HF+PPu1kc9_$4rWgN5|0q* zm!T>Dg^c4$9_Dk5qwlhg!N(x!gzV7A_(_qgFm=y_{kpBrlvTkjLrKAOR1RZ`U=m08 zK-7@(6{~*ed_y&{*wds16B?L-XCICdz|cXes#wc#UCmF^f}}4liVtDgU-38+GN;?vkN5YfoH5J3t?S-xCB zwwtSF<3L8`cNJd2feqm{NQJSz{?97{8fv6bM%q-$6xH(+HuYWt6a#P|C2|I~R)|I- zc#%p^@&jTMjtSb=Dn@JpIF)}B2qK>Zhd~2G44b^>0WjooG{07D8^G>w{u za4DR9)kKo4;sdkzzEwREy|^&~N;-_t`2!YoMLcsCb3l@8#nC7FdZ`3qjBfc^s>gA# zrgl`I(wDGve%JT}{4_*+JA%4H^cnM*@sw8A_bdkP--z?qB$iLqp^O?Ha>s$&U*$tV zf+5sGdF|6jlZ+roFx<^++EGO^^nepd#|BEChp-6t%0EChl6#`FfI_njfE+e)DlZiC z9ntwEfjA_^!abNpU}lWCFV88^vs@7$Z=a4NxFj5)6zukb*-6WQg6z&cVzr}9e0hqY zAO~T3WZr29zbhSav z2 zZfRgQ&_TX9Bn>i;i{~jIs@&%ko=;bG!V&pXZ6}JaW0tDz2al&}&O@Tebcm7EogczO zQl@oB5o6~Av+>Mk3yaynvjz_AR117s?;%@+H)pQ{@vKvmStuy#J46n{j z&^!ytlxr{e#(Yco)XGL-k<{9Fyk)fesLgg1H$+#gEE79lSx<9R zn|xH;EevsmeZuMpva9%uM72t7eU15D!r{{@@on>OVCMMe9|cOl-DlA2eXNM=Yd6P2!>dCLcvK^ zwiiVXK`JFbB^m`=z=ty~(~uIZQ2;$@&^>03Sc^+vYkfL!jOdkmX{iWBg`x zL0`uHkU6Oc1z&}4RhB?jYUwQj*~{VX5(VTYa(MaM&gnVj#*YXi+8D6xzVrHV^u4n< z1L4VX{pe0eH+vc6mA_>$qzM{e4_g~;;kq`T_=FpGggLLUaJZ`p*Ho&)*BV5+6hDo* zmKw{v)EyO;RH1n=K*5(7BlM}bM&-KgZ$hj`n(5(SO6RqSwp4E?Cv+&du`Y{NoZn;# zxp1J?786p^%P`i=q$fOE^6<{M|Eh{s=$iMW`q)xTnIT1U9u}N4DyFiOQlH0#Z*$rc z;k=9uM$q3Zg1#fk$$6^76m&%CM$EZ7J=9FS^ zE~k(6B+SlUmU0@mdD(nN9!_GANc&}DHgt<8b#oGw*q2td!?}zq^u|Jyc(t>bs#e{- zGJlhro5*bWDJp_^r3_?X+!7B9^OFwRj`Y_6rxm`|x%N>Rq4dTXRWRWy1VHsi36c5P 
zIL6}gv@X^<40?qXt0suvBJqxr&$_V79$_ePxz7ptR1Vk^eqB9R=DX2EtjKkq+mRNl zN<`FuQ-ULqRnWo=qrxtc4PmvS(dDO_utuSz)m^c&H%qP3(&y|FV;9u4|E_*txP9Jm z+5QBPvbjmoQ+j({_QdN4-LZEwz*Ll1lA#11QKvIXeBfDAI(Fcw_n0eGk895e7iV~_ zc~sJiQBjS7-H1Tt`NWDA_?WbSQ{tG@lSHV3M=-%dpNhZJsp{P1fTOQXDq{Q9x}>l4 z@LJxh_zr!IR}BS;@imZ!19nFE43FY6==sr=D#DR@vHD8iYEJmGm@m@uA&Y&P#?gq< zKvCih<<`i$LP1A`?VFviR&5>84V^2aE|^&O5A=IAe1WJ>ee_e~vY#~Y)mT#CI4UOA zXo!HT=Y+>GN@SXXMlUB$*1So^2DnbzilON$sgA*dS~M+tcC_8d)_7Sj&O{%uevU`_ z+b9XsF6W)*Br8V)EA#a})2ai`tc|YbBj(cIQ3e7nQ661MS`^e#N-6_9N5SGY$+N7d zrHn{JQ6@{BNRdBMvbu^r@A4W`ULz(%>ymE1K`c!d0iEPrwQgcpHKgv6p(0P3D;GG~ zf=wJ685|VHD(sQD8AU@;ZPxHaO7KZBirNhTFFVdvi9W-~@2G?~m?KFUa|udR?dgcN zY_pJQ<)M`+4G#sWYWF3zyCf#R4|xIx7R;Hh^2;b$dV{F268@2vQ;e)w+kBVw!gT@O z#o&z_RFHD&H3|R3foRpF)C8!LygMAG#sIn9l4MMkids!(Ndqe}Zds74Umac zfMiAq0uTW++7qXvK~o)7hb>9kXiyNcs3;+hv$O7XF?602VQUQz9XuriqA+7KZc8a5 zk|0*}Pi<=QapzB(HZD}q-hJu5X}e*NPTa7ttGM+1hJ{%URd_OGUqq)Ey<^UHA9R%> zRk4@3Sp>V~VJyF3Lp*KUjfP}%{+s#pPk1H6%xn|aLl1SMrIZWo#FHUf%oH(K@p_gS z8>u!&<55N=WtMd_|el#z+gUsg>Um;~u5+4w9z$kH|y9n63nn zxO}~W$TYZSH>QGRL%Atf@ywdatFP1&Z3mdu%I6P{?o-*1aKwO%s4LrmK$owA15)RD6n(-C zafLfHguS`2`0X|$55XX?J($7Vj{`dv}_xeF>o3~{Yy6-a+L+iDp`a?=IV&e zvwk$o1IT}2+s<*O*GiBe(0@@dD%zO!haRaP{GxiG_JsFI5yC|ClZa#1qQ zN|GglUK+e}cnc9{RfJ1qD{KaaQzZ_edwE znJud1B>B`GG9?E4%Y;%`vqDIxNgXAb0z%)}y;X__F)atPVrnz?C#IY*32u6bm<0o0j(muq-e-{ve1)tSfY^)Q%xO z&}mQ&7lqsCz)>jY`gBAk&M+1rW7bQ;Mv&1au2XHZU|fKI_JXJ@0`_PS;QQ?aOx^Xf z(cSf3B!PP81BN*32{~>aqW&XtW5#YVB*G223K?embP_CMR`LheBTO5rqBpdwr(O|} z&}3w#{2(|?SSB&3#L97}y0G@eIu$L1SV7#r}x@j%ut;q+r0z$m!WO_VdRicI@n z7b;OgoZ^tvECA}%)v6cYVk3>EQ-*_yHpyL!6u!nkvt&SWxo`q7*t^oW$V%ZzH&b}Q zG)>+j%C|-NtX+pl6I3)!m(!_@U@!zs)p#(%B8V+I9_?R<6OwctV+svZXJ5-E=A-cfC>0sQCktQWRp0 z)V^lqv*maqIO2DGHB9GTXtGTxT)UlxM%=HPSf|4$E=K3;pwE3)&t&Ei37D5 zNHQLorL^|h;AkxeP(RnXMT4_)Dr4o5xEmS+f?lKU$TsWLN}(p}T;aptvaQ1CA6Xg` z1Knn^W|~VQ&lPR6}$qAZE%_@sVD$ zxE0lpjgkt4iMAEmVrl~+TXvMJ`<^Q!dPRYUF)2*sERP!KcJf-)jQdTx)Hr7!Q7VLZnurqrk>#Wd}8&R59kGsn5L|5U!3I?14 
zbp&sVJQAPa!}%YuDhq=62#_I9EE--|{4uP6DO9iE<@AHCW8;qX7c&FAy~ z;qBWWULT(CzdJlQJU%1B$<>~o{!*{1gZ;zovyS1^?+Qilz1q#Fi?}sbV`$T-~RJkoc;Jlf& zcZYiiZw_01iO@tx7q%jUWX+A6Jjib2&y<^r|7u=y?R1r$+xvI*7yr)S(ZDI1RGtF5 z|EF7kf{Gqw-dD>85?81!#q$39cLzuBRwh@bP_1MVyk~0;Dy={>V2y-ZPgPbh)fC)$ z307$G0(7i+rk9<^pQgoryPjSF|I3C({6ZRVnGW3zZ>to%Fr@0oLxINYIL23^(hP$L z(G_LZt&c_?RJS&Av+g#+tKb)J`K#q}cwAXU_+DxJnN$fd%V^jnD6rNDpx?Fvm>PZ1PQJHL;s%Uq!c@vDAh>FYa zMjpza8L>7qe~AAL`>JNZ+E@R`FW|R|Q`4ubj?RL+d!L$t;^Ltdu5))@hw^9rK*&|Y za|@K%KeOSXdFv+%_g6zSwZievJ5fmaNWCUHT{Wq0$8C_GrUE!ok2KFCRv5B)z&Wh4 zYj0fja&~}A*4j3Qhnn`RbY(6>=3qJ+0v9F2q~5Ps_!D6C7jNl*ef5t5Q})|eUoBy7 z%>S0YvKX}rL={5c@n<~l0f^GOGLprtG5%?iMy_lgkAD{wl;eePY{5>%b-`k|3XK$| zLA7F&ve$gfXd%tADVTbZ0R&IXVPN@t=a{6a+UlgW!vXC!8m*I8Z;$`7>pARWfdw+` zk}fw@#Agl|xzE;WR(P)kvh}Hjtia28xpEM*-N1eZml2u$udK!~Y*D9gKsTQbk9QxtdHN$Xayd}V1 zrec>W7RD90IIa!uvmZeFHXU#C&5(|N{jTV&VAJ)~r+U-f=|RaWP3ZAIH)tO}%fYgp#6 zQLJr;s*)^|f^gQ)xG_37u9QLbc*%1B)1aWal#W)=t187zmN{jVD;vx?AE_y$O~^W~ z%1=1u(AV%tsoQ32=U>16TE4NyZMQZy;0Ld%%Quiy0VR1%oy-bWC$0^~_8_Qs?Mc1g%`t1?rql92>ky;85$BXyK{ zru5j5N9Ek{GV%piKt;!dI0_nHnO-zv&x~dRiWKwCRXlGj=|7jq4FG+#a2R%e7_*nQ ztcQ{T$aHF#1mj+=XdxHvJaL{6mwo0?$W&nkQ&`!li^rwXq=+y1<3(xQ!1q4Z@Dy|{ zk7^!+A86w)xWtE4_buYKR%~>En!|>UKamZql8&a%=)%_XxqO)a6F|bE)c}-NTs&ZI zb4=m?)?aMp^MCJbtiM?Be^2qj>IHTN@O<*`XWr?_!T)TEt+shYYUe9J@w?~^(4^Gg z&jjnB-%P?q77_ng)k38TMk>ywSSo`hbxlJ6LA(X%J4NVgG`K_smaxt@`*+^IWweDHj3E#K30UIpd z|5JRpEX~qaeDzBJIpUOqKp;vRa?Ig>K3n2=t|h9Q2CZXqHB#S7l1pHE;5SwA2EOm4 zq4P!c5c=1Oq4e+cG)sS)KKQJY=yp;oXJR8~+RHe`;@3-+t$!g$dh(*2 z`7qvPe81TU@ytHc!~@l>XFOQb9{ALgI0`%Cnc6!m;wq%on^&I+hoHwasQ1&Z1CaP5 zE?{Dd>R%^8Q50Wu0r1%&Y1(q9O!qpt4Wg%+&D8v>`%J2*EB&STZOO8hx_;1)2dBZ4 zp+BpD`OGKq^K>Ae36)UGSs?qb_s6xb{mUSl=jBeA5KT2vkiCoJ>>x~@27W~en50iO zqtdGGvlZ%7lNW8Ftc_HsgR$;0GdSxWvm$K#RD-wr%tBX&@pL9eH~s>T;1MX>Xo%Ue zPcw9R>}&y7oY2xSc}N7anibnd=v%xSX2^k=5$n}l#D zoNDpil&*8C)GwRMbTMZ>rG^wSC%$lIX<;t&%_0@dKG6f-Nrau9LwhDnyG3Jm zY}>Yzj-4m$*k;GJZQHhO+qP}1zr3?EKBM{tb=6%}d#w!|F8H6Y;V5CNI&drJ$rtZt 
zNCD0q_d!t?^sXnza}uo%-hY(9p;sDC?oN;eVa{gTYn^LB0Wu&m=RKBbLy>nJU%%$( z)+jkSFVtTzkdqXc1Y9R`?2`;iNZ*i2iZU`Ha32E1PHrW1Mti^TxOy|=+h2jM$?l2# zx@9YfkMD5|?v^@Gh~O%^(B!W)r@mIZFWWsbeFzI;WE_U(I97rpf(Y$1&CD z2Bj6KH$##Uv~mgQvdM5bbH*qY9)ok{eG}yb&O{MmxmHyGXvbK=9kCb%gB7%L^7c9D z?`)@TkB?}OT168t3t@kmJQE}u{+kGHXw8yRSN^oE$Qo^q7&t^j*Fd8D8OqcO!aJaq zC-q9wC4|g>cIVyPbb})017I!rf2h-jQ?;FBCN%5v8QNo188%$!)IU7~-0ovYo$SwV%06_9>SfdUOqz zO^>`_HxcN)?NJ#1;jhW)HzGcpy#Xr`l=aQBer@IX7)6*h5dbfkbeJ^c0MxDPZ}LGc z7>O`V?nJe(uyrn*W)i094@wE|QZU6Rkws$ZxL2tN#B(u2Gpa9a^qK!nbUNth%XEuT z#~V7KE1$YV{0^e}HnqF`#%*~7S|@^d2wEC_=RKEX&_W5%5$C=&SAhK4Z#hFpHa62B zF`WtezdpZS9Yb}jK9olxVClThKH6dFJ?wY`j`i+Ly2enQ+0kNb_%RxCbDZ1(Tzi-M zYWnLTuGiC)>xU@Cjs~cmwJ&Md;n+t$YjOmcLPfRb0^t)QrtWq{=-oD{S^Wdv zLe>p{>+!$)*C^`M-Xo4R)%~`?*0LOb&WdANYWT;QQRrsc&$O&E_I7f{!^Z(pjcPu$ zJk;;VxL|4|ZwQv}r|)S!y-h*T7_H8JmITJd0<_gv5G{ZpJw0lf42K^P?UG4o|0Y7) z@(gT=57V_^`=5+LI4^1-{hm64fSzLZ=ufuIz*Uuz0b^%5I_d5fVt~sZk*GWR{iDTu5@S4DXlr zkx1LB4M3CZY7QWw=f>QDgW@|d^t4|&Ci%)9eKA&77LG9uOXU>5A@|o)8lZe)=HRTD zkZ^Eo_f%o!4ywkaJi$P}Eyki)E0A*1u6u@D1Qa+II7Wzbx9>#e#oA^)tIz%L;=cuneGlF{t*UxTLKR}^8y0>7YjX9$ z`Ua_BCF;DqQT}?ISL!~+cBwhUvUmQj0_T&k@!TPj1il;uG%#4~?}5>guzU(4{0I+QgXk|y4|XPvGtlwg zGro^ds+^&aD4stVz@abMFVFN3OhE^nc9%)9*=7&V|JKI>3?_J=%6Wwf_Rg%uY zu(CQBX|L2(zV^ueMi*Su8;~9zF&F9B&|P9`bMQH5T$V z`1*tr4~|k3@BTBjNiOeo$s;@d;YtJyMvS(~@Ei~BLJGkuDP)8f2>0>)_y7tSZ#iE# z#Nw=1_R<5C*CFJl4}<#<-hbISU=)&(;U9)cS7zMkr70W8NI3*U0TfDxU;F_=_(a&= z&(>35LorET2#DuPl-yNuEG~jM)Z*Dp3zgTmr-IllCb?4#r_%d#rgmCcM21y1pWyg? 
z6ofzT+m8dld@2NZ*4c0td}5oTuI9HC|-^?N8$~XraU8T(`Dn* zKPLju-+fA28OF3j*_kwnb#Q7JM`V{B_J=3|6 z5b$p;QAB5|z=m9MCIhGH38HaLsg0^LFX#0O2+`;KEucE($)EAAT`PXw zkny25?|roS_SOaH#{NI%KlmF$9Tghj|; z=6_|tAT8zxX{h_AfIZ9UqK_)c@tHTFGRjBLJ!HpY=Yxr$Cr;HE_+zs{ts3pXt#E45 zqfPTjAvd4hRqkIN(6ftS@!P`|GynY|?SFx2d$Bs8Rp@Ghx38(O=)gcc9=fT>s#8=n zJJ%~VvTeLuG>{t*viao6D;Co##n63^sae7aBRZJVdziUF310r7irsk&>UH5Ji{P}{ z@#%q*vUOY7o29s(e zZE+&&GCy4P;Q0kn(sc{d0%mnZIOKB!b15I=#cbwELCTeI9;%MHKE-%lJZq5(?-FLq z||LmG;}_d5Ih%N z?~uXcug-%RdPL{N7xg0AHI`skk+L400QU3e^3*A^94x-&I?Mr^E9#y0ET80l1tW|E zMfZi%!L)2_<(ROV?C)XN55ITK;Fplw^A9_N;htahX~7Hxe~XW#Ff2Q@YYaNmmN^z& z;Q+o@za)UsFL7?h@$i}BiJC)}hyoR%&h=%?Heki5gtYx7!-`hS5#=Lj@!gSvBacEx z8gl#SK{@$f8Gsafdy92P(R|M+pVMUA+VS3Be*zOR^d)|l zm&&wssztSZE6EwG7&>ktcbXZF7LoIDB?%g>SWb8lAAnUR#&PGPU{DqQ=eywBJ#En2 z9Rl^#oi$tWX#2L;?lEvD5mqZs2bwJiVpgRagkuP=&|^k#69MaQXVSQ1LBRhpbpogP zR>J(NLsAY#U?gepPnPYERdd8D1~$S+M0XCiT2JjQLREbnDHo3MM2Pz5TW=dvD^m6^ z6v`D76t@q#lkE+;B;MzkyzX{MkWmIi3(M0B1Qt{(a8W{A8K2Gl)Chbc$Dboii!ggn zb3ltsX6?&zuurBVSM}l8m^zA%*=(n#Sfdj>;mHW2VH5cK3TUIQ7}9VKxY#deqbll8 zMi1kdy7Qiv;5`qpFNnm^Qu_LRLds;N_?i7%2_J4~@M8FT;}KIiIw#s=L?onRgu*bK zACQKyFywc|*1A>GKQvq3s8p~Ye;jFU0taliH}!Q`BgdV@E8UAfHGTvFL1}0corkmq zG~_0q%Il@a>5jM-3Vb!C2zngi=f7xPgF$}oWm7bGf26e-Ah6#oViNgfG1xUJ#siKn z)^s6`2XgHY!p&+ZG-Ox`h#dp)_-gFa52eZnn!fna$Np9r3(!Lb|7?)1JeM3KriTXqO zMZ$2CEh@FYnS02wL^%Jn&z+QAJ5HCJ z=H0#Bbn_4z?rIZ7^o=lj@VJH;9eco|pk|UOV=~kZ$Q<(gmJ+lNoW5f05QM)`GJ-b* z<3ChCq|GdZdKHV!5T14MmXEzd!7q#ngvB=OB=%j1!Ir`_CMKHqBt)k3(VMA38TM}FfiCme$7 zYZ4s#G6trBRm)?+hl7nZ@cGwhJO8~8Wc=|0N(n|~_|X z1B9s;0P#b+l9ED|I}#PL^@LZf^hK)aBej9sRyeA@<&bR^spzw6@Zy~C*5RNQi@>E# zG3{@;dB18o#3Dw93+M^b;&i*r$iR(t->p)7M4EaUX>KPP3P4>&z4b{a)zF`2F zVC|{SR%6sZQxCdki)4DxdR&y{0o}a7Fnxr0fgN(D&mwCi5>EB zr>7>*mYwjs?#$&wKRkobgfpxFs%_8I-b_{p6kvWpOUIy%0CYj=Jzq{;rv3+l-3KaW zcH{-hUkNhJp>tVohCqwN`4LIr;m&=Gvfss>%y3`zuh=LTe6`O$%0^4udkGi9I#y+F z8ly`N`x(xME7Vw=?*be%DI(p)YGuOO6THBCmP}S!L`b6ddPzGwyCTY`4QOg4SkVkqjsduy9jc$CB{Zh7)3&j0ja_Zk@b&Wg%2~$c-zIe2)B-&D 
zaO|egwqevbSkk^Nh7hs>XqjnfqwM4a$RHS@Ch32vGQ-~mfyp{LHFw-$*f^TpXIQwo zYK%l~2!1>jwii{?2N0a9eI?vp+cRI$+k6pN(^+UL2>=0((m$gMsUZX*X1GKuU7kCS zHXy&be0?0&%{#@+g^yw8F7Zd!=6?Ikg!^fKxh#B)2t*nfgrRTd|AweJ`g+z(KoxL5 zg7c#9tzUHp%Lh>>f9wSTIp4*^#cb44Ih-ve&Y=;yCagMi9(eQk+<2lV8EtlKh}>#TMlyZGRzcHp{kmKK1Rrszjw-8zvqXL}pcm)q4?(z|w} zPWV7@dKXJm8@xbsu;MkG+`U((7!gUo1X~bo8BEzUfv^J1sg1`I%5cPQ6(s;|w7GAv zY$&hV)BQp2=2(`gfi16au@qVe>QveXS;G@%m&gI^+#PWq0d(PM_(p50;m??_Tc|@1 zm{D+eF-!l9&Tk5`BGIL^J$(}{{34G%_OFBeVeIzowcN2^aZYg+Cw+^7BpdaHA1Vjd zi;QV3R_}Un;Mx^>pWRTsoSV~uW@-zoUF=`Q{%!ELNMGkaQhs=7aNjE=cH@I>%|8_H zT&;+oWHzr}E)o=_VP-8V=p50z0o_2VA{Qie3Vl@Qvz3mZwCyFfAgQvSlu84x@r)CEg1IR;M5akCGx4gZYj36<*yb=zBT}7=#tJHo*AO z)W`~qQF9*9?I(Z}bh{M$-Ok6UTfhjKEcl?g|7`@MUZYF3E^>O z$J@J}vMyBM^GXyZKA?U0s6ntA0iX%49;kk)$S&;a?uOUO*?RE`_trAj7JsWQK3V!I z9z1BR2MDSQ$AyUO#GFapZkBv*7NjUU3Lf9muyUM1Jtm$M%w#=_J_kae2Ld zy}i7B{CvFK3i)Z4d{F%hm~rNd*rri!du$$%-sxx;l6_WlbEwl$XZZbDGWZ6qYX)Qn zoV(9#`;|NR0o|UPkWhjN;#?WlQR0i3U4X1^0xC&(-YgP-dSFt@p$A;QRqu~HipT8| zsqR+LULJtL0S7V;L4vYzQF-d)fAVXfU-fW~D3o24&K2QA$eITq?JUQboeZ|0>#`4f z$((9Wwhan5w&?4}Sl&+Z_^OYu)6M@W(e7bvWI9W+J&9(xR6;nG4rm)}(**ctvKNk@ zgARh)jdb{O7NXBZ?08Rfgj=3WYKw0l#)L1uBMlk5phxBs*{Kh5*_6_Wq3J<+o?pwz z!CZzQrru*3)uo1`dv!tp*6xSJ+c3NQqwn6*VjS22i zk_r^!JXpHse*XQ^&F1}`aP!pjvw}1W;qCefUla>7CgJuEw9ppB$-Ns;QaG%ZI-FNH zf+(!_j}DMmviE%O(gx9xs;ntt=Ug5(cm?-8=%671n{ zecm~OdpGuj;N|p?T=7tCb|ueY>EUF*i}I8&0|B3DRGmx!7}gxiRf*v6Yca9%++{to zsfb}N1^ytR9Y=s8Tl*H%5Odh)9R_j+f6l~i0z{33^&#j|e;*_DehDJRDEh`!kY0OW zs=!zoF*hFteqKyXg=V=p5LKoS*PDJ@PlC4vL#EPl{Igqyo!!V!z)L6WpI71i`hbTRcl z{_-rnSogr(d{^bSiQXjS!w9Ik^3tAISprsV>2IwU&qWGIRwDj3CkEPu+A~I>6i(DK(zCfw-d^8JY!6Os;{E1y^g@ z;#Z~L8n_4KK}S~w#Sz6Wg^8~M?|FEW`d9YIyAs8+MaNxakOg{aRzT7!t{>WzOH^gZ zJYN&K=d}KTd*Ph?tRRs>>dqI%%$g>KGP&OzmNtsKKBD|wlJ)G#)D#q}ktHy7M{O{OgN&}lE7JB`Tx*RcJu#<{Uu zc(HA3lj*k0@Ps$wgjstIyK}+%_)R}L4$FskiW}F1T~E*znZ9Z!>f+_)RTMBF+ZZh8 zlDs-fh85Y67+@@MJDpg=@a<|5e`{8#2#~8qTc<8U=*(&|tyH&!X@?v8SCLu?9KCn7 z3xwH6JNj`(Ig@KS2r(=@_GH8{r{LhElHQ7br=0FYv|n%ZCm%QA58tDvMXQdqbWTC> 
zaVYF(-7=6%zmJ8suj?FDC4qx*L6-3a6r8A5P>}c_G=+);+FNomaZ0icF)2?;wB62xxnY{5;8*UTzU?t+vJI5h?|A(iqujJ-CfOxU=nuF$L^S(X zyU8Pt!EYe3V>^ zy(2r7@eaBEF6E=+i%G0^-6b%B=kiEEO$LGCV2$c|tRyhGd#NlnG5d-m06ai8S0*TZ zb(j@p#Pr}xZ-9M23u&xea~&+Pi!GYBvZ+w@P|foyC0a2zCDzjh=2t!#6Eu)XH?v3# z<2{*Nz;$`#qMdw6Kj!JU^q#Iz%G;EK1sYpxp!>S9Mdd6UwYDX%)a{IRw7CsLWs(^% zb!dbelpcS{&uYsjvoj;1ask(QR57hdjl1zuYBty|t1C4Sl=XWYLCU@FZirk)i5wgM=t+a*irZxZyGUVK zc=--{Yv}M=o~7IfOivmZB_yC4Y^Y$}w~@im`-(j`EKGYyFgZGYgNw1fAWv4vR+1I- z24`4N;_LdlS`@jLF-+m4K*3{Lp=W90-Bo4!nA-3!bOSD2zm;wXLOVKZV+W^Tc8T0G z_@5-bgJcC_Y#9pwXTsg9{Nb6Gc{yZw7O|{5Yl&`?w^MyUV!Vqa6ap}uGQ1R;CYSkG zhv9EieMr~4y5{9J9{XO^WlG=bLiNpYMr>dT;d&(6l-Ehi-_r%s$c|_2D`MvLVt)E{o1Vf7In=oTG2;k!iz`X5L0K;)O`qX>e+GGaO&1~f5;o%jes1~eIIO?2_$)9FW z0kmf~Ja#<@tq`++*EOHg@uC9x1lpW!X$U8)TauqbwtGG!0@iQjK}&rjUpD;pSAq!x zz_4~>l>MXMTuEtu7#mA1=~elp>O6Qv8p zdHxo8Ael5qY^>Id6w~M2`KegmTlzpz7|A`%#AGjWT#K&rO|FNW367C-?6)^4l)rQq zPS()+qUL1_Kb3nL+oKeN?%l+>RW6!_9<|~_tm^N-9GVMF|BaOdlb_9OBq{A+YqS6~ z4qcMEs-?T4H`W_Y`Gb2wmX-*iz*RZm+f~vh?MudN!WE33F2ICBHW!I%z61e8AQ1n& zHFqUPFEr`wimTrU6g~=hK2+(aGUD=$HR2f&Lh-hM5B&q80m5x@^^s(chVxR6aNXQ- zNj)kCec-kW!`c1o)}sRUmhw~Aqm@G5e-RH`!{zIQaW@jUlJx}Mdkoa9PqWimZBQ~* zW(JTQY?2X8oITPmfWT!(jA{b6GkHNw$`JX7(ppoI%W^Fuh|-lZieYA8V#68blrmo0 z8;=@MxnN=^K7LPwwhHVH0yY%yf5|P+4QNiSkZT&v-$O=#7-dups1r?dP|RvIhYZK5 z&)fo&8|cBo;r5*}#w~ExleiulWuvacIGKGqbAsmb$N4t5 zeX+1LZmedV{utUP zaIYcb(xju6!WL|Oz5evy3R3ltv`8LnkZzdjYjMj{X;Nv{O5J$|MbwTqjNdr zd@ad!qEe(5+iA)77%^vO^Gu(~V!DFB6vj~C0a>#bC7`7-#$V@QSmfs+P{%`0;96uIK@$hLkG#JyB zBD8km4o&0!BX-5VcBR)gF_t<7CFL1uP+0HeD{;V5K5=0}#l9$`>EaJwy#$+cIDo{Y zAy#&J8Zz%l%nbJ2IE1u^GJNMH%)8#lPh%LvQ6@jmcE$pID1f`~-a(W)Ec-=Qn+40`HX%fc{Epq_qWsrw9My1+u*s2jesd)MMI@&xaNEr1||bR5OqjG4Nlg&b}$s6r|NvGyZOpA}?+AZRsuwKOk7hw~FYOHXU!FU6o^$<-73 zS5H$E-GI|zSkv5%d#zv#uVk^z z3u5JReu>vQ*S90^o)Osk=@OVYjJAeWK|l78OW<|r3t;+YKsEcEeO9x@zj zHJxVUAhP>k9>=&h)nO8G?Dn=$(4ddmZ}gVlaad!QrM9TJj+PRoZV3$5Tu+L^l2*U_ zjpioc{N|(I^dQF70^g_*hudymX2ihFV^o>TOWES3ad3BI{%4P)Z zK7un-fa~moi%-wTz^~iWqpE 
zXvhhpTjgh^p0tG_0#haIy8Y(3BW6w3)RgzcVhq56m4r(0)hKQJo*(fz~bezt%dJ zouXUS2QEaigGYC6n$fU_qhZE(R45uSGFc8zbH?U{=Dhi2To4rtlq3q`jaWfro3Se4 zT+U8J*HbF@Y}4vvK7ZGrUs-30PGFDKbPJ>oqcq}sw&eUlp(xA3*0UUx*Bx3;KVXH& z1Iwo-{bkZzYCKz>WvpAN?Yq4}V~lG})-`NCpLA&L)oec5aLOUB zr(U*p^b)s0KtmoUug1-kB4;NuhS8A}kq2s!gTC{S8i{GkLi3q+ay39Xm?Dm^1t{7@ zV4N7t`YRu$l~Z@S-0SBwZ#=QU%gOpB8pxzT$1JY}*v8!Yviv~p8xWWU3duax^A(FK zVWXVADUJa#hx*}`omhh|i5kCxhmNxBD=ZXlSwB1A^9Q`b7}y^^ZgHrwy`hSj3^c~* zF+(+3pA~Xt-_4K4^{6UR22cH973q;joJ|dWg21TmRX>o?4L{4CIe(wQ@qceJw*v#$+Ci<}3K=4Omp8+Hn5;));-({+xJyWD8uYhgbLPZ1qh@ zmzQ-ehRwlZ)cbWWlV&poVhZAH!4KSe_F{k9Oq0$>=DHA%e#-~ly%Pm7Jlg>Vt4@4R zgG#JWw;Hh8flVetJ&Nap)x> zA4S`Ww9$8Gh#C(^R95NLe&V4Zxg{hF2si`jXy}v}2wO%X%osC6C#7{icof`qd(vpO z0V|S4adBjL`n0kVUr-Mp#l%di)`E%%%7#L8G807Vt@h>nY3;3VFXX}H?@o4BPS@An z?d#{MZyL4*WPl!j3yVw+0%J~ZPs%ub5{W)ZtXyUX+!p4kR@_Ym zGQ>N4X?-x8>W!0=D`?&4dXkJTz-_~7SniX@nyzjB=>jKXG{idD z3z!ll$=}qvF>HC!)fG-`>1M2bD`dQR*AT(R^%hP6l%dRxc~ z>E!CfIjSE=n9%A?M~_(hR3N@88lkjsj-5M;rcs;p&srUBVcx|G1bjo;c~lg+jxDlX z6Xce@xO#hN_p0PRFO-knO@r2eL-5si#bqpd^`W{3Nt>T~+)w=F`MQf#5hi9Ddz;q*LC z0%2fD?j+g%B6o19d_>JK6-bIc=v8jaIC8Yhmw`LLZ~|}0x8qzFArwRT%v_cipZKC7 z!W{H*wGH%hbF3&?V%)DzCm{s6mp<1&h&(T46IG9v+o$8f)eGUI`AV5+Bd4IvOq0qe z1k3GW`G+^&jZ%uCMht$NAfsR#a9_}f8qO~159&xI=21#N30c|WC?j%|m2MtMj*doK zHi>zGbCml{mfOR@lD#hN-5%PrVJg6bHmoC1>#`t;VAtX3C?wzfdMQJP?x7S0gwg7k z57?|nqTpRHk`AhZ0C-<2__hkFGyloJ**q!|gOqD6B_A5Ayzqu~lwxBT(>NRs#L^V4 zpXD#%TY<@aU{1LaJcF@4=bOA)V6n8~-*jiQsdJq=7XA=GOC-ZBgzLP;*#{?pzB4?J}DTt)HRAUe``u@!Lr4@00Q>QB8YM- zB}l;)>y7j>4>VyM6AxlYRoSR}o#`HF#N|4grZuBA){{B~ar6|V$4Pusi8mS>Y~c>7 zi4O&Xqhhq$Osi#%4{Fm83|Mm_muQ(Y$S#k;f*aD0GKU?f$DR4%57hhIwFI-SCeFUh5+KEM4+E`s#wX}G1%xCf=@+eX5=t3`-pd0ln zBMrr`p1_H3WbnrSL6T**6cTX!Zi8LOMvK!D4JQ4R?BS8~JJAKvd@8&rr+Pa{O;!sy z>q18HSl%IjVf2PMbFd}m$oiXSF>|kHZCJF1PBQa51zYhWP9d?gL~)Hj1&UC&NS<)% zwLJKjGZdyFmaS0yhxPH6uO@WVD4ZWmH7D zdPQOM0UHoWe8jH^%$dz!(ZBu9q7qB`_?MPcqomckE93HVn&+baU8UyExW5Sjg5D(x zlwm2%*dkbv5s=iwiBK8h=4n58Q9r9JD4nb$Izz)WybA>(ZQ?h}y5Y`s$U8Vk&0d@+ 
zQx;+sirW%1RFXWnS9vlHD{>}OzZpZmHuc8iDv1^V~3EF>9Sr^=9!=mwD;5d7Fe&$X$k6rhk|ee%^~MRgOr?v zNp(=D6V-`EDPdCfAu0r&_TS^@_^V2yo1zslr_C!VF`=1!5`U z&n*DD!UHw37Q#-RYJp{WSUL6Yf0hA5_DcDdWz_7(Pjt$y@zrQgRjsD#K^0iVtV@ND z5(}`JZi-ZG%Vo*gC4Im)>NMW?WJ$G~8fs)qwVC7Se+p$)v?IjavS5ztKfgBE}~F5)kit?YnLHDo}kUJU-G33WS$Ul8bKm(zNFe*d8j14$X}pf)=# zc73Nd$a&x*4XEENI*J8sBjZLEdL83XbB1NN6Z?oQgLDS#ik zv!&(aJ1-KL6n2CE9$V;2AlTt>Yd5`b7+s&Ek`%l7>}!&A+Gf3rxWaqTz8IQV9yYOb zuyzQT*~Etgdru?z63a_~d_)0z=c1vEWmY*RvW`zKUy~d#!I-s)WgWs#uH7yM?olov zbSoTWo?^{hc?#e^mKy)1F;B*5#5zQ)3I{Fl%j>YR;I4dLosVWh)%#%@HVn zLRbc)WkY$K&NU$XU&4~@oa}aCS)e``i{gg)SO~<)WuAek{^Box>q80~jh!w_x$CJX z&(!oX1<6IJkpTF{kwAp!Q8#lbZyLe0sI&-~S;nj6Kp7 za+K(@B>B-aVd%Ol(2s*+Tq=B>umzgW)HJ6o2_%9$ zH<|5duH(jB!y|5z^aqc2jUc#kEe0Zc%UW}3P14~%lACN3d8bn>fifAhKTLuZdDY?S z9`*3F3EP?R2B$c9={Q5|R-;O~#fesC=5(Xn=xfw@YV85sLW2)T$CiH*7G5|$>7+uL z@2hh3%Cp(thPwQylVp&dGDzHV{UIQps3GW77Y~ar&WY#6h%vmL1KX}CPSy8a*`O}4 z%DyK{zzo%TMUuo+bTCaJk6!pfHW@iB_<3Z^y;D8dZW`zS)FrSeL7w=%o_ z2EJ}Nc?1M_%ru;&vyCZMc}a1&I2%pK;zZE`Vg9m(Xz1S(Y3Eo$R_@LNhx=Y z)9_HVum+`FYHPB~j6Yn5m4EvRkQzvRR;->Wm7J07=T}M2?a|&=-V{+rjd@vsTcxVz z``Xj-nzbX^Gwn@>N$M42CxV?7;z$;$zbkrYFa;upjy)?GJDf?!D7H#Isl!WkWDwyv^F%&^(8QHjx3jDkWP80kjcgkEXxkAG!w6HfIbJ=x4nmgRHd*wdV zoDmy1#S{iCS}0EfpJC-pig&}Cw3N8nop6UP)927{hsI|vEqTLhvgUWgvB8Z?e;Z>! zuc2p@eJaQZBb{uR_+N(_8qHdQK&(@UldDv%wGvS&D2X3SR0}pqF;z%ckjOZ4BWD7c z&Vv%0O@-l6`G%~J71z^Dx`=!$XrNQkxE29Qslt-#nYcRG%^6*vBoQm~_MK$Ae_u&0 zoI_ZiZc^5#i_5=gM{tMK-&jP)YW}51%T3}@fAyAx=+ijPM9BBZqEkhj7WM3)(qW-j zBNYndsl3l4%#K19sG&Zha$XcCXB%;@!k~b`XFBCRTSff4L;NFJYN^E+UYGQ&bfM;y zUZubG<+6LE%3|7xb6HCH=H>a)#5SmhJhw`IwLt~vMtbPXIU?bk90MqEaP6kLr%dj7 z%feCKsSiDDMEH|>2#=v5Q@NfWs3sRwHlxH-lq?VxG8@(gn^h`Bl|~yAa^gX4k!e<> zLWQ6Z)uE!Blg-K`)DLDyf7_n(c*yc&7}L3<>AdXb2alGMq^1Q|hxdNtC()Zr9f2b4 zBA-nkDelt@u;!blwsduGQw*LD=$;}2cIuIVMvvKlPw6GDi3f&!+og^o&+q^hpYY|L zAh~zPJ)aWvM0yeiDcoMoyIXpgFQJBfIF|`5`_O(JfALKJjqwaxi);CKR*g%T{!HVx zR3j%-9|^ytW?CxY>VGcb6?klOUj=sF^q{qILtf% 
diff --git a/common/hashicorp-vault/local-patches/0001-patch-server-route.patch b/common/hashicorp-vault/local-patches/0001-patch-server-route.patch deleted file mode 100644 index edc22c57..00000000 --- a/common/hashicorp-vault/local-patches/0001-patch-server-route.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff -up vault/values.yaml.orig vault/values.yaml ---- vault/values.yaml.orig 2022-09-05 20:42:02.468428184 +0200 -+++ vault/values.yaml 2022-09-05 20:42:05.218435871 +0200 -@@ -406,7 +406,8 @@ server: - - labels: {} - annotations: {} -- host: chart-example.local -+ #host: chart-example.local -+ host: null - # tls will be passed directly to the route's TLS config, which - # can be used to configure other termination methods that terminate - # TLS at the router -diff -up vault/values.schema.json.orig vault/values.schema.json ---- vault/values.schema.json.orig 2022-09-11 21:00:34.834334961 +0200 -+++ vault/values.schema.json 2022-09-11 21:00:57.190368032 +0200 -@@ -838,7 +838,10 @@ - "type": "boolean" - }, - "host": { -- "type": "string" -+ "type": [ -+ "null", -+ "string" -+ ] - }, - "labels": { - "type": "object" diff --git a/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch b/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch deleted file mode 100644 index ba73a467..00000000 --- a/common/hashicorp-vault/local-patches/0002-Allow-per-service-annotations.patch +++ /dev/null 
@@ -1,310 +0,0 @@ -From f62623030374c55410624a00755e9a3c07a411da Mon Sep 17 00:00:00 2001 -From: Michele Baldessari -Date: Tue, 29 Nov 2022 20:06:09 +0100 -Subject: [PATCH] Allow per-service annotations - -We add the 'annotations' field to the existing -vault.service.{active,standby} dictionaries which are relevant for the -active/standby vault ha services. We also add -vault.service.{nonha,internal}.annotations in order to allow per-service -annotations when using the non-ha variant. - -We had to choose 'nonha' as we cannot reuse the existing -vault.service.annotations key, because that gets still applied to all -services and we do not want to break existing installations. - -WIP as we need to add some more docs and maybe some more tests. ---- - templates/_helpers.tpl | 57 ++++++++++++++++++++++++ - templates/server-ha-active-service.yaml | 3 +- - templates/server-ha-standby-service.yaml | 1 + - templates/server-headless-service.yaml | 1 + - templates/server-service.yaml | 1 + - test/unit/server-ha-active-service.bats | 11 +++++ - test/unit/server-ha-standby-service.bats | 11 +++++ - test/unit/server-service.bats | 10 +++++ - values.schema.json | 34 ++++++++++++++ - values.yaml | 22 +++++++++ - 10 files changed, 150 insertions(+), 1 deletion(-) - -diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl -index 3897391..9e98c0b 100644 ---- a/templates/_helpers.tpl -+++ b/templates/_helpers.tpl -@@ -683,6 +683,63 @@ Sets extra vault server Service annotations - {{- end }} - {{- end -}} - -+{{/* -+Sets extra vault server Service active annotations -+*/}} -+{{- define "vault.service.active.annotations" -}} -+ {{- if .Values.server.service.active.annotations }} -+ {{- $tp := typeOf .Values.server.service.active.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.active.annotations . 
| nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.active.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+ -+{{/* -+Sets extra vault server Service standby annotations -+*/}} -+{{- define "vault.service.standby.annotations" -}} -+ {{- if .Values.server.service.standby.annotations }} -+ {{- $tp := typeOf .Values.server.service.standby.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.standby.annotations . | nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.standby.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+ -+{{/* -+Sets extra vault server Service internal annotations -+*/}} -+{{- define "vault.service.internal.annotations" -}} -+ {{- if .Values.server.service.internal.annotations }} -+ {{- $tp := typeOf .Values.server.service.internal.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.internal.annotations . | nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.internal.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+{{/* -+Sets extra vault server Service nonha annotations -+Note: We call it 'nonha' as we need to differentiate the "vault.service.annotations" which are -+ applied to all services -+*/}} -+{{- define "vault.service.nonha.annotations" -}} -+ {{- if .Values.server.service.nonha.annotations }} -+ {{- $tp := typeOf .Values.server.service.nonha.annotations }} -+ {{- if eq $tp "string" }} -+ {{- tpl .Values.server.service.nonha.annotations . 
| nindent 4 }} -+ {{- else }} -+ {{- toYaml .Values.server.service.nonha.annotations | nindent 4 }} -+ {{- end }} -+ {{- end }} -+{{- end -}} -+ - {{/* - Sets PodSecurityPolicy annotations - */}} -diff --git a/templates/server-ha-active-service.yaml b/templates/server-ha-active-service.yaml -index 7def2a0..649ffb8 100644 ---- a/templates/server-ha-active-service.yaml -+++ b/templates/server-ha-active-service.yaml -@@ -18,8 +18,9 @@ metadata: - vault-active: "true" - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.active.annotations" .}} - spec: -- {{- if .Values.server.service.type}} -+ {{- if .Values.server.service.type }} - type: {{ .Values.server.service.type }} - {{- end}} - {{- if .Values.server.service.clusterIP }} -diff --git a/templates/server-ha-standby-service.yaml b/templates/server-ha-standby-service.yaml -index 50fca4b..cdbfcad 100644 ---- a/templates/server-ha-standby-service.yaml -+++ b/templates/server-ha-standby-service.yaml -@@ -17,6 +17,7 @@ metadata: - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.standby.annotations" .}} - spec: - {{- if .Values.server.service.type}} - type: {{ .Values.server.service.type }} -diff --git a/templates/server-headless-service.yaml b/templates/server-headless-service.yaml -index b03f491..25aaa8d 100644 ---- a/templates/server-headless-service.yaml -+++ b/templates/server-headless-service.yaml -@@ -16,6 +16,7 @@ metadata: - vault-internal: "true" - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.internal.annotations" .}} - spec: - clusterIP: None - publishNotReadyAddresses: {{ .Values.server.service.publishNotReadyAddresses }} -diff --git a/templates/server-service.yaml b/templates/server-service.yaml -index 913b569..02a1ccd 100644 ---- a/templates/server-service.yaml -+++ b/templates/server-service.yaml -@@ -15,6 +15,7 @@ metadata: - 
app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - {{ template "vault.service.annotations" .}} -+{{ template "vault.service.nonha.annotations" .}} - spec: - {{- if .Values.server.service.type}} - type: {{ .Values.server.service.type }} -diff --git a/test/unit/server-ha-active-service.bats b/test/unit/server-ha-active-service.bats -index d78f5d4..13b5271 100755 ---- a/test/unit/server-ha-active-service.bats -+++ b/test/unit/server-ha-active-service.bats -@@ -13,6 +13,17 @@ load _helpers - [ "${actual}" = "true" ] - } - -+@test "server/ha-active-Service: specific annotations" { -+ cd `chart_dir` -+ local actual=$(helm template \ -+ --show-only templates/server-ha-active-service.yaml \ -+ --set 'server.ha.enabled=true' \ -+ --set 'server.service.active.annotations=vaultIsAwesome: true' \ -+ . | tee /dev/stderr | -+ yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) -+ [ "${actual}" = "true" ] -+} -+ - @test "server/ha-active-Service: disable with ha.enabled false" { - cd `chart_dir` - local actual=$( (helm template \ -diff --git a/test/unit/server-ha-standby-service.bats b/test/unit/server-ha-standby-service.bats -index 6698314..6244565 100755 ---- a/test/unit/server-ha-standby-service.bats -+++ b/test/unit/server-ha-standby-service.bats -@@ -13,6 +13,17 @@ load _helpers - [ "${actual}" = "true" ] - } - -+@test "server/ha-standby-Service: specific annotations string" { -+ cd `chart_dir` -+ local actual=$(helm template \ -+ --show-only templates/server-ha-standby-service.yaml \ -+ --set 'server.ha.enabled=true' \ -+ --set 'server.service.standby.annotations=vaultIsAwesome: true' \ -+ . 
| tee /dev/stderr | -+ yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) -+ [ "${actual}" = "true" ] -+} -+ - @test "server/ha-standby-Service: generic annotations yaml" { - cd `chart_dir` - local actual=$(helm template \ -diff --git a/test/unit/server-service.bats b/test/unit/server-service.bats -index 70a5445..cc66987 100755 ---- a/test/unit/server-service.bats -+++ b/test/unit/server-service.bats -@@ -153,6 +153,16 @@ load _helpers - [ "${actual}" = "true" ] - } - -+@test "server/Service: specific annotations" { -+ cd `chart_dir` -+ local actual=$(helm template \ -+ --show-only templates/server-service.yaml \ -+ --set 'server.service.nonha.annotations=vaultIsAwesome: true' \ -+ . | tee /dev/stderr | -+ yq -r '.metadata.annotations["vaultIsAwesome"]' | tee /dev/stderr) -+ [ "${actual}" = "true" ] -+} -+ - @test "server/Service: publish not ready" { - cd `chart_dir` - local actual=$(helm template \ -diff --git a/values.schema.json b/values.schema.json -index c183957..d0dca34 100644 ---- a/values.schema.json -+++ b/values.schema.json -@@ -854,11 +854,39 @@ - "active": { - "type": "object", - "properties": { -+ "annotations" : { -+ "type": [ -+ "object", -+ "string" -+ ] -+ }, - "enabled": { - "type": "boolean" - } - } - }, -+ "internal": { -+ "type": "object", -+ "properties": { -+ "annotations": { -+ "type": [ -+ "object", -+ "string" -+ ] -+ } -+ } -+ }, -+ "nonha": { -+ "type": "object", -+ "properties": { -+ "annotations": { -+ "type": [ -+ "object", -+ "string" -+ ] -+ } -+ } -+ }, - "annotations": { - "type": [ - "object", -@@ -890,6 +918,12 @@ - "properties": { - "enabled": { - "type": "boolean" -+ }, -+ "annotations": { -+ "type": [ -+ "object", -+ "string" -+ ] - } - } - }, -diff --git a/values.yaml b/values.yaml -index 2c3d9e2..32d8ea1 100644 ---- a/values.yaml -+++ b/values.yaml -@@ -600,10 +600,32 @@ server: - # have labelled themselves as the cluster leader with `vault-active: "true"` - active: - enabled: true -+ # Extra annotations 
for the service definition. This can either be YAML or a
-+ # YAML-formatted multi-line templated string map of the annotations to apply
-+ # to the service.
-+ annotations: {}
-+
- # Enable or disable the vault-standby service, which selects Vault pods that
- # have labelled themselves as a cluster follower with `vault-active: "false"`
- standby:
- enabled: true
-+ # Extra annotations for the service definition. This can either be YAML or a
-+ # YAML-formatted multi-line templated string map of the annotations to apply
-+ # to the service.
-+ annotations: {}
-+
-+ nonha:
-+ # Extra annotations for the service definition. This can either be YAML or a
-+ # YAML-formatted multi-line templated string map of the annotations to apply
-+ # to the service.
-+ annotations: {}
-+
-+ internal:
-+ # Extra annotations for the service definition. This can either be YAML or a
-+ # YAML-formatted multi-line templated string map of the annotations to apply
-+ # to the service.
-+ annotations: {}
-+
- # If enabled, the service selectors will include `app.kubernetes.io/instance: {{ .Release.Name }}`
- # When disabled, services may select Vault pods not deployed from the chart.
- # Does not affect the headless vault-internal service with `ClusterIP: None`
---
-2.38.1
-
diff --git a/common/hashicorp-vault/templates/vault-app.yaml b/common/hashicorp-vault/templates/vault-app.yaml
deleted file mode 100644
index bbe16e14..00000000
--- a/common/hashicorp-vault/templates/vault-app.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: console.openshift.io/v1
-kind: ConsoleLink
-metadata:
- name: vault-link
- namespace: vault
-spec:
- applicationMenu:
- section: HashiCorp Vault
- imageURL: data:image/png;base64,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
- href: 'https://vault-vault.{{ coalesce .Values.global.localClusterDomain .Values.global.hubClusterDomain }}'
- location: ApplicationMenu
- text: 'Vault'
diff --git a/common/hashicorp-vault/update-helm-dependency.sh b/common/hashicorp-vault/update-helm-dependency.sh
deleted file mode 100755
index 76e4ac14..00000000
--- a/common/hashicorp-vault/update-helm-dependency.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/bin/bash
-set -eu
-
-# Get the version of the dependency and then unquote it
-TMPVER=$(sed -e '1,/^version:/ d' "Chart.yaml" | grep "version:" | awk '{ print $2 }')
-VERSION=$(eval echo "${TMPVER}")
-
-# Chart format is vault-0.21.0.tgz
-NAME="vault"
-TAR="${NAME}-${VERSION}.tgz"
-CHARTDIR="charts"
-
-if [ ! -f "${CHARTDIR}/${TAR}" ]; then
- echo "Charts $TAR not found"
- exit 1
-fi
-
-pushd "${CHARTDIR}"
-rm -rf "${NAME}"
-tar xfz "${TAR}"
-pushd "${NAME}"
-for i in ../../local-patches/*.patch; do
- filterdiff "${i}" -p1 -x 'test/*' | patch -p1
-done
-find . -type f -iname '*.orig' -exec rm -f "{}" \;
-popd
-tar cvfz "${TAR}" "${NAME}"
-rm -rf "${NAME}"
-popd
diff --git a/common/hashicorp-vault/values.yaml b/common/hashicorp-vault/values.yaml
deleted file mode 100644
index 585e9274..00000000
--- a/common/hashicorp-vault/values.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-global:
- openshift: true
- localClusterDomain: apps.foo.cluster.com
-
-vault:
- injector:
- enabled: false
- ui:
- enabled: true
- serviceType: "LoadBalancer"
- server:
- extraEnvironmentVars:
- VAULT_CACERT: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- VAULT_ADDR: https://vault.vault.svc.cluster.local:8200
- standalone:
- config: |
- ui = true
- listener "tcp" {
- address = "[::]:8200"
- cluster_address = "[::]:8201"
- tls_cert_file = "/vault/userconfig/vault-secret/tls.crt"
- tls_key_file = "/vault/userconfig/vault-secret/tls.key"
- }
- storage "file" {
- path = "/vault/data"
- }
-
- # These are automatically mounted in /vault/userconfig/
- extraVolumes:
- - type: secret
- name: vault-secret
-
- service:
- enabled: true
- nonha:
- annotations:
- service.beta.openshift.io/serving-cert-secret-name: vault-secret
- internal:
- annotations:
- service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal
- route:
- host: null
- enabled: true
- tls:
- # We cannot use passthrough because you'd be talking to
- # https://vault-vault.apps.mcg-hub.blueprints.rhecoeng.com but you'd
- # get vault.vault.svc/vault.vault.svc.cluster.local
- termination: "reencrypt"
- image:
- repository: "registry.connect.redhat.com/hashicorp/vault"
- tag: "1.13.1-ubi"
diff --git a/common/letsencrypt/.helmignore b/common/letsencrypt/.helmignore
deleted file mode 100644
index 0e8a0eb3..00000000
--- a/common/letsencrypt/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/common/letsencrypt/Chart.yaml b/common/letsencrypt/Chart.yaml
deleted file mode 100644
index b5b1c31b..00000000
--- a/common/letsencrypt/Chart.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v2
-name: letsencrypt
-description: A Helm chart to add letsencrypt support to Validated Patterns
-
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"
diff --git a/common/letsencrypt/README.md b/common/letsencrypt/README.md
deleted file mode 100644
index d277abaa..00000000
--- a/common/letsencrypt/README.md
+++ /dev/null
@@ -1,68 +0,0 @@ -# Letsencrypt support for Validated patterns - -This is an *EXPERIMENTAL* and *UNSUPPORTED* chart to enable letsencrypt support in the pattern. -Currently the only supported cloud for this is AWS. - -In order to enable this chart in your patterns, please add and edit the following lines to `values-AWS.yaml`: - - letsencrypt: - region: eu-central-1 # region of the cluster - server: https://acme-v02.api.letsencrypt.org/directory - # staging URL - # server: https://acme-staging-v02.api.letsencrypt.org/directory - email: foo@bar.it - - clusterGroup: - applications: - letsencrypt: - name: letsencrypt - namespace: letsencrypt - project: default - path: common/letsencrypt - -Once the above is enabled in a pattern, a certain amount of time (~15/20 minutes or so) is needed for all the cluster operators to settle, all the HTTPS routes will have a wildcard certificate signed by letsencrypt. By default also the API endpoint will use a certificate signed by letsencrypt. - -## Limitations - -Please be aware of the following gotchas when using this chart: - -1. Once the API certificate has been replaced with the letsencrypt one, the `oc` commands might fail with x509 unknown certificate authority errors. - You need to remove the previous CA from the kubeconfig file. Run: `oc config set-cluster --certificate-authority="/dev/null" --embed-certs` -2. When you switch to non-staging letsencrypt certificates, things might fail if you asked for too many certificates over the last few days. -3. The cluster takes ~20-30 mins to fully settle when both the API endpoint and the default ingress certificates are implemented - -## Implementation - -This chart creates a Cloud Credential that is allowed to write and read DNS entries via Route53 in AWS. That credential is then used by cert-manager to prove ownership of the DNS zone and answer the ACME DNS01 challenges. 
-We ask for a single wildcard certificate for the default Ingress *.apps.domain and one non-wildcard certificate for the API endpoint api.domain. -We use Argo's Server-Side Apply feature to patch in the Ingress Controller and the API endpoint certificates. -Currently we also patch the main cluster-wide Argo instance to set the tls route to `reencrypt` in order have a proper cert there. Once issue 297 in the gitops-operator repository is fixed, we can drop that. - -## Parameters - -### global parameters - -This section contains the global parameters consumed by this chart - -| Name | Description | Value | -| --------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------ | -| `global.localClusterDomain` | String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework | `apps.example.com` | - -### letsencrypt parameters - -This section contains all the parameters for the letsencrypt -chart in order to request CA signed certificates in a Validated Pattern - -| Name | Description | Value | -| -------------------------------- | --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | -| `letsencrypt.enabled` | Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True) | `true` | -| `letsencrypt.api_endpoint` | Boolean to enable letsencrypt certs on the API endpoint too (defaults to True) | `true` | -| `letsencrypt.region` | String that defines the region used by the route53/dns01 resolver in cert-manager (required) | `eu-central-1` | -| `letsencrypt.email` | String containing the email used when requesting certificates to letsencrypt (required) | `test@example.com` | -| `letsencrypt.server` | String containing the letsencrypt ACME URL (Defaults to the staging server) | 
`https://acme-staging-v02.api.letsencrypt.org/directory` | -| `letsencrypt.organizations` | List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io]) | `["hybrid-cloud-patterns.io"]` | -| `letsencrypt.usages` | List of certificate uses. See API cert-manager.io/v1.KeyUsage (Defaults to [server auth]) | `["server auth"]` | -| `letsencrypt.duration` | Duration of the requested letsencrypt certificates (Defaults to 168h0m0s) | `168h0m0s` | -| `letsencrypt.renewBefore` | How long before expiration date should the certs be renewed (Defaults to 28h0m0s) | `28h0m0s` | -| `letsencrypt.nameservers` | List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) | `["8.8.8.8:53","1.1.1.1:53"]` | -| `letsencrypt.certmanagerChannel` | String the channel to install cert-manager from (Defaults to "stable-v1") | `stable-v1` | diff --git a/common/letsencrypt/templates/api-cert.yaml b/common/letsencrypt/templates/api-cert.yaml deleted file mode 100644 index ed9e7c0e..00000000 --- a/common/letsencrypt/templates/api-cert.yaml +++ /dev/null 
@@ -1,28 +0,0 @@
-{{ if and (.Values.letsencrypt.enabled) (.Values.letsencrypt.api_endpoint) }}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: api-validated-patterns-cert
- namespace: openshift-config
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
- secretName: api-validated-patterns-letsencrypt-cert
- duration: {{ .Values.letsencrypt.duration }}
- renewBefore: {{ .Values.letsencrypt.renewBefore }}
- commonName: 'api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}'
- usages:
- {{- range .Values.letsencrypt.usages }}
- - {{ . }}
- {{- end }}
- dnsNames:
- - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}
- issuerRef:
- name: validated-patterns-issuer
- kind: ClusterIssuer
- subject:
- organizations:
- {{- range .Values.letsencrypt.organizations }}
- - {{ . }}
- {{- end }}
-{{- end }}
diff --git a/common/letsencrypt/templates/cert-manager-installation.yaml b/common/letsencrypt/templates/cert-manager-installation.yaml
deleted file mode 100644
index 59375b00..00000000
--- a/common/letsencrypt/templates/cert-manager-installation.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{ if .Values.letsencrypt.enabled }}
----
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
- name: openshift-cert-manager-operator
- namespace: cert-manager-operator
-spec:
- channel: "{{ .Values.letsencrypt.certmanagerChannel }}"
- installPlanApproval: Automatic
- name: openshift-cert-manager-operator
- source: redhat-operators
- sourceNamespace: openshift-marketplace
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup
-metadata:
- name: cert-manager-operator
- namespace: cert-manager-operator
-spec:
- targetNamespaces:
- - cert-manager-operator
----
-apiVersion: operator.openshift.io/v1alpha1
-kind: CertManager
-metadata:
- name: cluster
- annotations:
- argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
- managementState: "Managed"
- unsupportedConfigOverrides:
- # Here's an example to supply custom DNS settings.
- controller:
- args:
- - "--dns01-recursive-nameservers={{ with index .Values.letsencrypt.nameservers 0 }}{{ . }}{{- end }},{{ with index .Values.letsencrypt.nameservers 1 }}{{ . }}{{- end }}"
- - "--dns01-recursive-nameservers-only"
-{{- end }}
diff --git a/common/letsencrypt/templates/credentials-request.yaml b/common/letsencrypt/templates/credentials-request.yaml
deleted file mode 100644
index 27aad295..00000000
--- a/common/letsencrypt/templates/credentials-request.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{ if .Values.letsencrypt.enabled }}
-apiVersion: cloudcredential.openshift.io/v1
-kind: CredentialsRequest
-metadata:
- name: letsencrypt-cert-manager-dns
- namespace: openshift-cloud-credential-operator
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
- providerSpec:
- apiVersion: cloudcredential.openshift.io/v1
- kind: AWSProviderSpec
- statementEntries:
- - action:
- - 'route53:ChangeResourceRecordSets'
- - 'route53:GetChange'
- - 'route53:ListHostedZonesByName'
- - 'route53:ListHostedZones'
- effect: Allow
- resource: '*'
- secretRef:
- name: cert-manager-dns-credentials
- namespace: cert-manager
-{{- end }}
diff --git a/common/letsencrypt/templates/default-routes.yaml b/common/letsencrypt/templates/default-routes.yaml
deleted file mode 100644
index 8a01db6a..00000000
--- a/common/letsencrypt/templates/default-routes.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{ if .Values.letsencrypt.enabled }}
----
-apiVersion: operator.openshift.io/v1
-kind: IngressController
-metadata:
- name: default
- namespace: openshift-ingress-operator
- annotations:
- argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
- routeAdmission:
- wildcardPolicy: WildcardsAllowed
- defaultCertificate:
- name: lets-encrypt-wildcart-cert-tls
-# Patch the cluster-wide argocd instance so it uses the ingress tls cert
----
-apiVersion: argoproj.io/v1alpha1
-kind: ArgoCD
-metadata:
- name: openshift-gitops
- namespace: openshift-gitops
- annotations:
- argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
- server:
- route:
- enabled: true
- tls:
- termination: reencrypt
-{{ if .Values.letsencrypt.api_endpoint }}
----
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
- name: cluster
- annotations:
- argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true
-spec:
- servingCerts:
- namedCertificates:
- - names:
- - api.{{ $.Values.global.localClusterDomain | replace "apps." "" }}
- servingCertificate:
- name: api-validated-patterns-letsencrypt-cert
-{{- end }}
-{{- end }}
diff --git a/common/letsencrypt/templates/issuer.yaml b/common/letsencrypt/templates/issuer.yaml
deleted file mode 100644
index 1370500f..00000000
--- a/common/letsencrypt/templates/issuer.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{ if .Values.letsencrypt.enabled }}
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: validated-patterns-issuer
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
- acme:
- server: {{ .Values.letsencrypt.server }}
- email: {{ .Values.letsencrypt.email }}
- privateKeySecretRef:
- name: validated-patterns-issuer-account-key
- solvers:
- - selector: {}
- dns01:
- route53:
- region: {{ .Values.letsencrypt.region }}
- accessKeyIDSecretRef:
- name: cert-manager-dns-credentials
- key: aws_access_key_id
- secretAccessKeySecretRef:
- name: cert-manager-dns-credentials
- key: aws_secret_access_key
-{{- end }}
diff --git a/common/letsencrypt/templates/namespaces.yaml b/common/letsencrypt/templates/namespaces.yaml
deleted file mode 100644
index a4f65fe5..00000000
--- a/common/letsencrypt/templates/namespaces.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{ if .Values.letsencrypt.enabled }}
-apiVersion: v1
-kind: Namespace
-metadata:
- name: cert-manager-operator
-spec:
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: cert-manager
-spec:
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: letsencrypt
-spec:
----
-{{- end }}
diff --git a/common/letsencrypt/templates/wildcard-cert.yaml b/common/letsencrypt/templates/wildcard-cert.yaml
deleted file mode 100644
index e7b82480..00000000
--- a/common/letsencrypt/templates/wildcard-cert.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{ if .Values.letsencrypt.enabled }}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: lets-encrypt-certs
- namespace: openshift-ingress
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-spec:
- secretName: lets-encrypt-wildcart-cert-tls
- duration: {{ .Values.letsencrypt.duration }}
- renewBefore: {{ .Values.letsencrypt.renewBefore }}
- commonName: '*.{{ $.Values.global.localClusterDomain }}'
- usages:
- {{- range .Values.letsencrypt.usages }}
- - {{ . }}
- {{- end }}
- dnsNames:
- - '*.{{ $.Values.global.localClusterDomain }}'
- issuerRef:
- name: validated-patterns-issuer
- kind: ClusterIssuer
- subject:
- organizations:
- {{- range .Values.letsencrypt.organizations }}
- - {{ . }}
- {{- end }}
-{{- end }}
diff --git a/common/letsencrypt/values.yaml b/common/letsencrypt/values.yaml
deleted file mode 100644
index a95957b8..00000000
--- a/common/letsencrypt/values.yaml
+++ /dev/null
@@ -1,60 +0,0 @@ -# NOTE: This is currently an experimental/unsupported chart! -# Default values for the experimental letsencrypt chart -# Generate the README.md sections using https://github.com/bitnami-labs/readme-generator-for-helm -# -## @section global parameters -## @descriptionStart This section contains the global parameters consumed by this chart -## @descriptionEnd -global: - ## @param global.localClusterDomain String containing the domain including the apps. prefix. Gets set by the Validated Pattern framework - localClusterDomain: "apps.example.com" - -## @section letsencrypt parameters -## @descriptionStart This section contains all the parameters for the letsencrypt -## chart in order to request CA signed certificates in a Validated Pattern -## @descriptionEnd -letsencrypt: - # By default if you include this chart you enable the letsencrypt charts - # on both the *.apps. ingress and on the API endpoint - ## @param letsencrypt.enabled Boolean to enable this feature and request a wildcard cert for the default Infress (*.apps.domain) (defaults to True) - enabled: true - ## @param letsencrypt.api_endpoint Boolean to enable letsencrypt certs on the API endpoint too (defaults to True) - api_endpoint: true - - # These two lines need tweaking for every deployment. 
@example.com emails - # will be rejected by letsencrypt - ## @param letsencrypt.region String that defines the region used by the route53/dns01 resolver in cert-manager (required) - region: eu-central-1 - ## @param letsencrypt.email String containing the email used when requesting certificates to letsencrypt (required) - email: test@example.com - - # By default we use the staging URL to avoid any ratelimiting while testing - # To switch to the production certificates signed by a recognized CA, please - # switch the comments around in the two following lines - ## @param letsencrypt.server String containing the letsencrypt ACME URL (Defaults to the staging server) - server: https://acme-staging-v02.api.letsencrypt.org/directory - # server: https://acme-v02.api.letsencrypt.org/directory - - # These are only for metadata in the certificates - ## @param letsencrypt.organizations List of organization names to be put in a certificate (Defaults to [hybrid-cloud-patterns.io]) - organizations: - - hybrid-cloud-patterns.io - ## @param letsencrypt.usages List of certificate uses. 
See API cert-manager.io/v1.KeyUsage (Defaults to [server auth]) - usages: - - server auth - - ## @param letsencrypt.duration Duration of the requested letsencrypt certificates (Defaults to 168h0m0s) - duration: "168h0m0s" - ## @param letsencrypt.renewBefore How long before expiration date should the certs be renewed (Defaults to 28h0m0s) - renewBefore: "28h0m0s" - - # These two are needed because the DNS01 ACME solver needs outside DNS - # servers and won't really work with openshift's internal split-view DNS servers - # https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check - ## @param letsencrypt.nameservers List of DNS server (ip:port strings) to be used when doing DNS01 challenges (Defaults to [8.8.8.8:53, 1.1.1.1:53]) - nameservers: - - 8.8.8.8:53 - - 1.1.1.1:53 - - ## @param letsencrypt.certmanagerChannel String the channel to install cert-manager from (Defaults to "stable-v1") - certmanagerChannel: "stable-v1" diff --git a/common/operator-install/Chart.yaml b/common/operator-install/Chart.yaml deleted file mode 100644 index 74adcf8f..00000000 --- a/common/operator-install/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -description: A Helm chart to build and deploy a Cloud Pattern via the patterns operator -keywords: -- pattern -name: pattern-install -version: 0.0.1 diff --git a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml b/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml deleted file mode 100644 index c4563288..00000000 --- a/common/operator-install/crds/gitops.hybrid-cloud-patterns.io_patterns.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: patterns.gitops.hybrid-cloud-patterns.io -spec: - group: gitops.hybrid-cloud-patterns.io - names: - kind: Pattern - listKind: PatternList - plural: patterns - shortNames: - - patt - singular: pattern - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.lastStep - name: Step - priority: 1 - type: string - - jsonPath: .status.lastError - name: Error - priority: 2 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Pattern is the Schema for the patterns API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PatternSpec defines the desired state of Pattern - properties: - clusterGroupName: - type: string - extraParameters: - description: '.Name is dot separated per the helm --set syntax, such - as: global.something.field' - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - extraValueFiles: - description: URLs to additional Helm parameter files - items: - type: string - type: array - gitOpsSpec: - properties: - manualApproval: - description: 'Require manual confirmation before installing and - upgrading operators. Default: False' - type: boolean - manualSync: - description: 'Require manual intervention before Argo will sync - new content. Default: False' - type: boolean - operatorCSV: - description: Specific version of openshift-gitops to deploy. Requires - UseCSV=True - type: string - operatorChannel: - description: 'Channel to deploy openshift-gitops from. Default: - gitops-1.8' - type: string - operatorSource: - description: 'Source to deploy openshift-gitops from. Default: - redhat-operators' - type: string - useCSV: - description: 'Dangerous. Force a specific version to be installed. - Default: False' - type: boolean - type: object - gitSpec: - properties: - hostname: - description: Optional. FQDN of the git server if automatic parsing - from TargetRepo is broken - type: string - originRepo: - description: Upstream git repo containing the pattern to deploy. - Used when in-cluster fork to point to the upstream pattern repository - type: string - originRevision: - description: Branch, tag or commit in the upstream git repository. - Does not support short-sha's. Default to HEAD - type: string - pollInterval: - description: 'Interval in seconds to poll for drifts between origin - and target repositories. 
Default: 180 seconds' - type: integer - targetRepo: - description: Git repo containing the pattern to deploy. Must use - https/http - type: string - targetRevision: - description: 'Branch, tag, or commit to deploy. Does not support - short-sha''s. Default: HEAD' - type: string - required: - - targetRepo - type: object - required: - - clusterGroupName - - gitSpec - type: object - status: - description: PatternStatus defines the observed state of Pattern - properties: - appClusterDomain: - type: string - clusterDomain: - type: string - clusterID: - type: string - clusterName: - type: string - clusterPlatform: - type: string - clusterVersion: - type: string - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - lastUpdateTime: - description: The last time this condition was updated. - format: date-time - type: string - message: - description: A human readable message indicating details about - the transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of deployment condition. - type: string - required: - - lastUpdateTime - - status - - type - type: object - type: array - lastError: - description: Last error encountered by the pattern - type: string - lastStep: - description: Last action related to the pattern - type: string - version: - description: Number of updates to the pattern - type: integer - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/common/operator-install/templates/pattern.yaml b/common/operator-install/templates/pattern.yaml deleted file mode 100644 index d8b3df81..00000000 --- a/common/operator-install/templates/pattern.yaml +++ /dev/null 
@@ -1,20 +0,0 @@
-apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1
-kind: Pattern
-metadata:
- name: {{ .Release.Name }}
- namespace: openshift-operators
-spec:
- clusterGroupName: {{ .Values.main.clusterGroupName }}
- gitSpec:
- targetRepo: {{ .Values.main.git.repoURL }}
- targetRevision: {{ .Values.main.git.revision }}
- gitOpsSpec:
- operatorChannel: {{ default "gitops-1.8" .Values.main.gitops.channel }}
- operatorSource: {{ default "redhat-operators" .Values.main.gitops.operatorSource }}
-{{- if .Values.main.extraParameters }}
- extraParameters:
-{{- range .Values.main.extraParameters }}
- - name: {{ .name }}
- value: {{ .value }}
-{{- end }}
-{{- end }}
diff --git a/common/operator-install/templates/subscription.yaml b/common/operator-install/templates/subscription.yaml
deleted file mode 100644
index 41d0d211..00000000
--- a/common/operator-install/templates/subscription.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
- name: patterns-operator
- namespace: openshift-operators
- labels:
- operators.coreos.com/patterns-operator.openshift-operators: ""
-spec:
- channel: {{ .Values.main.patternsOperator.channel }}
- installPlanApproval: Automatic
- name: patterns-operator
- source: {{ .Values.main.patternsOperator.source }}
- sourceNamespace: openshift-marketplace
diff --git a/common/operator-install/values.yaml b/common/operator-install/values.yaml
deleted file mode 100644
index d5b0b13f..00000000
--- a/common/operator-install/values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-main:
- git:
- repoURL: https://github.com/pattern-clone/mypattern
- revision: main
-
- gitops:
- channel: "gitops-1.8"
- operatorSource: redhat-operators
-
- patternsOperator:
- channel: fast
- source: community-operators
-
- clusterGroupName: default
diff --git a/common/reference-output.yaml b/common/reference-output.yaml
deleted file mode 100644
index dbb4c6dc..00000000
--- a/common/reference-output.yaml
+++ /dev/null
@@ -1,119 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: manuela-ci - labels: - manuela-role: pipeline - app.kubernetes.io/instance: manuela ---- -# Source: pattern-install/templates/pipeline/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pipeline - namespace: manuela-ci -secrets: -- name: git-repo-credentials -- name: image-registry-credentials ---- -# Source: pattern-install/templates/secrets/s3-secret.yaml -kind: Secret -apiVersion: v1 -metadata: - name: s3-secret -type: Opaque -data: - # Pre-create as part of the initial 'helm install' chart - # Create a file with the following: - # s3.accessKey: KEY - # s3.secretKey: secret key - #application.properties: base64 encrypted value of the above file - # This should live in the values-secret.yaml file - application.properties: BASE64STRING ---- -# Source: pattern-install/templates/secrets/secret-git-repo-credentials.yaml -apiVersion: v1 -kind: Secret -metadata: - name: git-repo-credentials - namespace: manuela-ci - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/git-0: https://github.com/hybrid-cloud-patterns -type: kubernetes.io/basic-auth -stringData: - username: STRING - password: STRING ---- -# Source: pattern-install/templates/secrets/secret-image-registry-credentials.yaml -apiVersion: v1 -kind: Secret -metadata: - name: openshift-registry-credentials - namespace: manuela-ci - annotations: - # Tekton magic, see https://tekton.dev/vault/pipelines-v0.15.2/auth/ - tekton.dev/docker-0: "https://" -type: kubernetes.io/basic-auth -stringData: - username: STRING - password: STRING ---- -# Source: 
pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: common-example - namespace: openshift-gitops -spec: - destination: - name: in-cluster - namespace: common-example - project: default - source: - repoURL: https://github.com/beekhof/common.git - targetRevision: main - path: common/clustergroup - helm: - valueFiles: - - "https://github.com/beekhof/patterns/raw/main/values-global.yaml" - - "https://github.com/beekhof/patterns/raw/main/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.valuesDirectoryURL - value: https://github.com/beekhof/patterns/raw/main - - name: global.pattern - value: common - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: gitops-1.8 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/scripts/lint.sh b/common/scripts/lint.sh deleted file mode 100755 index 3a3d8e6f..00000000 --- a/common/scripts/lint.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/bin/bash - -# helm template (even with --dry-run) can interact with the cluster -# This won't protect us if a user has ~/.kube -# Also call helm template with a non existing --kubeconfig while we're at it -unset KUBECONFIG -target=$1 -shift -name=$(echo $target | sed -e s@/@-@g -e s@charts-@@) - -# Test the charts as the pattern would drive them -INPUTS=$(ls -1 common/examples/*.yaml | grep -v secret) -for input in $INPUTS; do - helm lint $* -f $input $target - if [ $? != 0 ]; then exit 1; fi -done - -exit 0 diff --git a/common/scripts/make_common_subtree.sh b/common/scripts/make_common_subtree.sh deleted file mode 100755 index a5e406d8..00000000 --- a/common/scripts/make_common_subtree.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/sh - -if [ "$1" = "-h" ]; then - echo "This script will convert common into a subtree and add a remote to help manage it." - echo "The script takes three positional arguments, as follows:" - echo - echo "$0 " - echo - echo "Run without arguments, the script would run as if these arguments had been passed:" - echo "$0 https://github.com/hybrid-cloud-patterns/common.git main common-subtree" - echo - echo "Please ensure the git subtree command is available. On RHEL/Fedora, the git subtree command" - echo "is in a separate package called git-subtree" - exit 1 -fi - -if [ -f '/etc/redhat-release' ]; then - rpm -qa | grep git-subtree 2>&1 - if [ ! $? = 0 ]; then - echo "you need to install git-subtree" - echo "would you like to install it now?" - select ANS in yes no - do - case $ANS in - yes) - sudo dnf install git-subtree -y - break - ;; - no) - exit - break - ;; - *) - echo "You must enter yes or no" - ;; - esac - done - fi -fi - -if [ "$1" ]; then - subtree_repo=$1 -else - subtree_repo=https://github.com/hybrid-cloud-patterns/common.git -fi - -if [ "$2" ]; then - subtree_branch=$2 -else - subtree_branch=main -fi - -if [ "$3" ]; then - subtree_remote=$3 -else - subtree_remote=common-subtree -fi - -git diff --quiet || (echo "This script must be run on a clean working tree" && exit 1) - -echo "Changing directory to project root" -cd `git rev-parse --show-toplevel` - -echo "Removing existing common and replacing it with subtree from $subtree_repo $subtree_remote" -rm -rf common - -echo "Committing removal of common" -(git add -A :/ && git commit -m "Removed previous version of common to convert to subtree from $subtree_repo $subtree_branch") || exit 1 - -echo "Adding (possibly replacing) subtree remote $subtree_remote" -git remote rm "$subtree_remote" -git remote add -f "$subtree_remote" "$subtree_repo" || exit 1 -git subtree add --prefix=common "$subtree_remote" "$subtree_branch" || exit 1 - -echo "Complete. 
You may now push these results if you are satisfied" -exit 0 diff --git a/common/scripts/pattern-util.sh b/common/scripts/pattern-util.sh deleted file mode 100755 index f55bbdee..00000000 --- a/common/scripts/pattern-util.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash - -if [ -z "$PATTERN_UTILITY_CONTAINER" ]; then - PATTERN_UTILITY_CONTAINER="quay.io/hybridcloudpatterns/utility-container" -fi - -UNSUPPORTED_PODMAN_VERSIONS="1.6 1.5" -for i in ${UNSUPPORTED_PODMAN_VERSIONS}; do - # We add a space - if podman --version | grep -q -E "\b${i}"; then - echo "Unsupported podman version. We recommend >= 4.2.0" - podman --version - exit 1 - fi -done - -if [ -n "$KUBECONFIG" ]; then - if [[ ! "${KUBECONFIG}" =~ ^$HOME* ]]; then - echo "${KUBECONFIG} is pointing outside of the HOME folder, this will make it unavailable from the container." - echo "Please move it somewhere inside your $HOME folder, as that is what gets bind-mounted inside the container" - exit 1 - fi -fi -# Copy Kubeconfig from current environment. The utilities will pick up ~/.kube/config if set so it's not mandatory -# $HOME is mounted as itself for any files that are referenced with absolute paths -# $HOME is mounted to /root because the UID in the container is 0 and that's where SSH looks for credentials - -# We must pass -e KUBECONFIG *only* if it is set, otherwise we end up passing -# KUBECONFIG="" which then will confuse ansible -KUBECONF_ENV="" -if [ -n "$KUBECONFIG" ]; then - KUBECONF_ENV="-e KUBECONFIG=${KUBECONFIG}" -fi - -# Do not quote the ${KUBECONF_ENV} below, otherwise we will pass '' to podman -# which will be confused -podman run -it --rm \ - --security-opt label=disable \ - ${KUBECONF_ENV} \ - -v "${HOME}":"${HOME}" \ - -v "${HOME}":/pattern-home \ - -v "${HOME}":/root \ - -w "$(pwd)" \ - "$PATTERN_UTILITY_CONTAINER" \ - $@ diff --git a/common/scripts/test.sh b/common/scripts/test.sh deleted file mode 100755 index a2aae9f4..00000000 --- a/common/scripts/test.sh +++ /dev/null 
@@ -1,129 +0,0 @@ -#!/bin/bash - -# helm template (even with --dry-run) can interact with the cluster -# This won't protect us if a user has ~/.kube -# Also call helm template with a non existing --kubeconfig while we're at it -unset KUBECONFIG -target=$1 -name=$(echo $1 | sed -e s@/@-@g -e s@charts-@@) - -function doTest() { - TEST_VARIANT=$1 - CHART_OPTS="$2" - TESTDIR=tests - TEST=${name}-${TEST_VARIANT} - FILENAME=${TEST}.expected.yaml - OUTPUT=${TESTDIR}/.${FILENAME} - REFERENCE=${TESTDIR}/${FILENAME} - - echo -e "\nTesting $name chart (${TEST_VARIANT}) with opts [$CHART_OPTS]" >&2 - helm template --kubeconfig /tmp/doesnotexistever $target --name-template $name ${CHART_OPTS} > ${OUTPUT} - rc=$? - if [ $rc -ne 0 ]; then - echo "FAIL on helm template $target --name-template $name ${CHART_OPTS}" >&2 - exit 1 - fi - if [ ! -e ${REFERENCE} ]; then - cp ${OUTPUT} ${REFERENCE} - git add ${REFERENCE} - echo -e "\n\n#### Created test output\007\n\n\007" >&2 - fi - diff -u ${REFERENCE} ${OUTPUT} - rc=$? - if [ $rc = 0 ]; then - rm -f ${OUTPUT} - echo "PASS" >&2 - elif [ -z $GITHUB_ACTIONS ]; then - read -p "Are these changes expected? [y/N] " EXPECTED - case $EXPECTED in - y*|Y*) - echo "Updating ${REFERENCE}" - cp ${OUTPUT} ${REFERENCE} - rm -f ${OUTPUT} - rc=0 - ;; - *) ;; - esac - fi - if [ $rc != 0 ]; then - echo "FAIL" >&2 - exit $rc - fi -} - -function doTestCompare() { - TEST_VARIANT="differences" - TESTDIR=tests - TEST=${name} - FILENAME=${TEST}.expected.yaml - OUTPUT=${TESTDIR}/.${FILENAME} - REFERENCE=${TESTDIR}/${FILENAME} - - echo -e "\nTesting $name chart (${TEST_VARIANT})" >&2 - # Another method of finding variables missing from values.yaml, eg. 
- # - name: -datacenter - # + name: pattern-name-datacenter - - TEST=${name} - FILENAME=${TEST}.expected.diff - OUTPUT=${TESTDIR}/.${FILENAME} - REFERENCE=${TESTDIR}/${FILENAME} - - # Drop the date from the diff output, it will not be stable - diff -u ${TESTDIR}/${name}-naked.expected.yaml ${TESTDIR}/${name}-normal.expected.yaml | sed 's/\.yaml.*20[0-9][0-9].*/.yaml/g' > ${OUTPUT} - - if [ ! -e ${REFERENCE} -a -z $GITHUB_ACTIONS ]; then - cp ${OUTPUT} ${REFERENCE} - git add ${REFERENCE} - echo -e "\n\n#### Created test output\007\n\n\007" >&2 - fi - - diff -u ${REFERENCE} ${OUTPUT} - rc=$? - - if [ $rc = 0 ]; then - rm -f ${OUTPUT} - echo "PASS" >&2 - elif [ -z $GITHUB_ACTIONS ]; then - read -p "Are these changes expected? [y/N] " EXPECTED - case $EXPECTED in - y*|Y*) - echo "Updating ${REFERENCE}" - cp ${OUTPUT} ${REFERENCE} - rm -f ${OUTPUT} - rc=0 - ;; - *) ;; - esac - fi - if [ $rc != 0 ]; then - echo "FAIL" >&2 - exit $rc - fi -} - -if [ $2 = "all" ]; then - echo -e "\n#####################" >&2 - echo "### ${name}" >&2 - echo "#####################" >&2 - - # Test that all values used by the chart are in values.yaml with the same defaults as the pattern - doTest naked - - # Test the charts as the pattern would drive them - INPUTS=$(ls -1 common/examples/*.yaml | grep -v secret) - for input in $INPUTS; do - variant=normal - if [ "$input" != "common/examples/values-example.yaml" ]; then - variant=$(echo $input | sed -e 's@.*/@@' -e 's@\.yaml@@') - fi - doTest $variant "$3 -f $input" - done - - # Ensure the differences between the two results are also stable - #doTestCompare -else - doTest $2 "$3" -fi - -exit 0 diff --git a/common/scripts/vault-utils.sh b/common/scripts/vault-utils.sh deleted file mode 100755 index 310d76d6..00000000 --- a/common/scripts/vault-utils.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/usr/bin/env bash -set -eu - -get_abs_filename() { - # $1 : relative filename - echo "$(cd "$(dirname "$1")" && pwd)/$(basename "$1")" -} - -SCRIPT=$(get_abs_filename "$0") -SCRIPTPATH=$(dirname "${SCRIPT}") -COMMONPATH=$(dirname "${SCRIPTPATH}") -PATTERNPATH=$(dirname "${COMMONPATH}") -ANSIBLEPATH="$(dirname ${SCRIPTPATH})/ansible" -PLAYBOOKPATH="${ANSIBLEPATH}/playbooks" -export ANSIBLE_CONFIG="${ANSIBLEPATH}/ansible.cfg" - -# Parse arguments -if [ $# -lt 1 ]; then - echo "Specify at least the command ($#): $*" - exit 1 -fi - -TASK="${1}" -PATTERN_NAME=${2:-$(basename "`pwd`")} - -if [ -z ${TASK} ]; then - echo "Task is unset" - exit 1 -fi - -ansible-playbook -t "${TASK}" -e pattern_name="${PATTERN_NAME}" -e pattern_dir="${PATTERNPATH}" "${PLAYBOOKPATH}/vault/vault.yaml" diff --git a/common/tests/acm-industrial-edge-factory.expected.yaml b/common/tests/acm-industrial-edge-factory.expected.yaml deleted file mode 100644 index 86d7277d..00000000 --- a/common/tests/acm-industrial-edge-factory.expected.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" -spec: {} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - 
argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.8 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" diff --git a/common/tests/acm-industrial-edge-hub.expected.yaml b/common/tests/acm-industrial-edge-hub.expected.yaml deleted file mode 100644 index d54a8db6..00000000 --- a/common/tests/acm-industrial-edge-hub.expected.yaml +++ /dev/null 
@@ -1,307 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: factory-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: factory-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: factory-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# 
Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: factory-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: { - "matchExpressions": [ - { - "key": "vendor", - "operator": "In", - "values": [ - "OpenShift" - ] - } - ], - "matchLabels": { - "clusterGroup": "factory" - } -} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: 
- remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: imperative - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: factory-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: factory-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-factory - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" 
"OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." 
"" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' - - name: global.clusterPlatform - value: - - name: clusterGroup.name - value: factory - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-factory - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. 
DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.8 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" diff --git a/common/tests/acm-medical-diagnosis-hub.expected.yaml b/common/tests/acm-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 6e3eedff..00000000 --- a/common/tests/acm-medical-diagnosis-hub.expected.yaml +++ /dev/null 
@@ -1,298 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: region-one-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: region-one-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: region-one-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io 
---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: region-one-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: { - "matchLabels": { - "clusterGroup": "region-one" - } -} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - 
object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - metadata: - name: hub-ca - namespace: imperative - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: region-one-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: region-one-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-region-one - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." 
"" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' - - name: global.clusterPlatform - value: - - name: clusterGroup.name - value: region-one - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-region-one - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. 
DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.8 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" diff --git a/common/tests/acm-naked.expected.yaml b/common/tests/acm-naked.expected.yaml deleted file mode 100644 index cb73d733..00000000 --- a/common/tests/acm-naked.expected.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - 
policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.8 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" diff --git a/common/tests/acm-normal.expected.yaml b/common/tests/acm-normal.expected.yaml deleted file mode 100644 index b2f0ac48..00000000 --- a/common/tests/acm-normal.expected.yaml +++ /dev/null 
@@ -1,795 +0,0 @@ ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aws-ap-acm-provision-edge-install-config -data: - # Base64 encoding of install-config yaml - install-config.yaml: 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 -type: Opaque ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: v1 -kind: Secret -metadata: - name: azure-us-acm-provision-edge-install-config -data: - # Base64 encoding of install-config yaml - install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXp1cmUtdXMnIApiYXNlRG9tYWluOiBibHVlcHJpbnRzLnJoZWNvZW5nLmNvbQpjb250cm9sUGxhbmU6CiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgbmFtZTogY29udHJvbFBsYW5lCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF6dXJlOgogICAgICB0eXBlOiBTdGFuZGFyZF9EOHNfdjMKY29tcHV0ZToKLSBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBuYW1lOiAnd29ya2VyJwogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhenVyZToKICAgICAgdHlwZTogU3RhbmRhcmRfRDhzX3YzCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT1ZOS3ViZXJuZXRlcwogIHNlcnZpY2VOZXR3b3JrOgogIC0gMTcyLjMwLjAuMC8xNgpwbGF0Zm9ybToKICBhenVyZToKICAgIGJhc2VEb21haW5SZXNvdXJjZUdyb3VwTmFtZTogZG9qby1kbnMtem9uZXMKICAgIHJlZ2lvbjogZWFzdHVzCnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== -type: Opaque ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -# This pushes out the HUB's Certificate Authorities on to the imported clusters ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: 'two-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - 
cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: two-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: azure-us-acm-provision-edge ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterClaim -metadata: - name: 'three-acm-provision-edge' - annotations: - argocd.argoproj.io/sync-wave: "20" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - cluster.open-cluster-management.io/createmanagedcluster: "true" - labels: - clusterClaimName: three-acm-provision-edge - clusterGroup: region -spec: - clusterPoolName: azure-us-acm-provision-edge ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "aws-ap-acm-provision-edge" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: aws - region: 'ap-southeast-2' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: aws-ap -spec: - size: 3 - runningCount: 0 - baseDomain: blueprints.rhecoeng.com - installConfigSecretTemplateRef: - name: aws-ap-acm-provision-edge-install-config - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: aws-ap-acm-provision-edge-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - aws: - credentialsSecretRef: - name: aws-ap-acm-provision-edge-creds - region: ap-southeast-2 ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: hive.openshift.io/v1 -kind: ClusterPool -metadata: - name: "azure-us-acm-provision-edge" - annotations: - argocd.argoproj.io/sync-wave: "10" - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - labels: - cloud: azure - region: 'eastus' - vendor: OpenShift - cluster.open-cluster-management.io/clusterset: azure-us -spec: - size: 2 - runningCount: 2 - baseDomain: blueprints.rhecoeng.com - 
installConfigSecretTemplateRef: - name: azure-us-acm-provision-edge-install-config - imageSetRef: - name: img4.10.18-multi-appsub - pullSecretRef: - name: azure-us-acm-provision-edge-pull-secret - skipMachinePools: true # Disable MachinePool as using custom install-config - platform: - azure: - credentialsSecretRef: - name: azure-us-acm-provision-edge-creds - region: eastus ---- -# Source: acm/templates/provision/secrets-aws.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-creds -spec: - dataFrom: - - extract: - # Expects entries called: aws_access_key_id and aws_secret_access_key - key: secret/data/hub/aws - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque ---- -# Source: acm/templates/provision/secrets-aws.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: awsKeyId - remoteRef: - key: secret/data/hub/aws - property: aws_access_key_id - - secretKey: awsAccessKey - remoteRef: - key: secret/data/hub/aws - property: aws_secret_access_key - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - baseDomain: "blueprints.rhecoeng.com" - pullSecret: 
|- - {{ .openshiftPullSecret | toString }} - aws_access_key_id: |- - {{ .awsKeyId | toString }} - aws_secret_access_key: |- - {{ .awsAccessKey | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-azure.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-creds -spec: - data: - - secretKey: azureOsServicePrincipal - remoteRef: - key: secret/data/hub/azureOsServicePrincipal - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-creds - creationPolicy: Owner - template: - type: Opaque - data: - osServicePrincipal.json: |- - {{ .azureOsServicePrincipal | toString }} ---- -# Source: acm/templates/provision/secrets-azure.yaml -# For use when manually creating clusters with ACM -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-infra-creds -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - - secretKey: sshPublicKey - remoteRef: - key: secret/data/hub/publickey - property: content - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - - secretKey: azureOsServicePrincipal - remoteRef: - key: secret/data/hub/azureOsServicePrincipal - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-infra-creds - creationPolicy: Owner - template: - type: Opaque - metadata: - labels: - cluster.open-cluster-management.io/credentials: "" - cluster.open-cluster-management.io/type: aws - data: - cloudName: AzurePublicCloud - osServicePrincipal.json: |- - {{ 
.azureOsServicePrincipal | toString }} - baseDomain: "blueprints.rhecoeng.com" - baseDomainResourceGroupName: "dojo-dns-zones" - pullSecret: |- - {{ .openshiftPullSecret | toString }} - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} - ssh-publickey: |- - {{ .sshPublicKey | toString }} - httpProxy: "" - httpsProxy: "" - noProxy: "" - additionalTrustBundle: "" ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-pull-secret -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-pull-secret - creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: aws-ap-acm-provision-edge-ssh-private-key -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: aws-ap-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-pull-secret -spec: - data: - - secretKey: openshiftPullSecret - remoteRef: - key: secret/data/hub/openshiftPullSecret - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-pull-secret - 
creationPolicy: Owner - template: - type: kubernetes.io/dockerconfigjson - data: - .dockerconfigjson: |- - {{ .openshiftPullSecret | toString }} ---- -# Source: acm/templates/provision/secrets-common.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: azure-us-acm-provision-edge-ssh-private-key -spec: - data: - - secretKey: sshPrivateKey - remoteRef: - key: secret/data/hub/privatekey - property: content - refreshInterval: 24h0m0s - secretStoreRef: - name: vault-backend - kind: ClusterSecretStore - target: - name: azure-us-acm-provision-edge-ssh-private-key - creationPolicy: Owner - template: - type: Opaque - data: - ssh-privatekey: |- - {{ .sshPrivateKey | toString }} ---- -# Source: acm/templates/provision/clusterpool.yaml -apiVersion: cluster.open-cluster-management.io/v1beta1 -kind: ManagedClusterSet -metadata: - annotations: - cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - name: acm-provision-edge -spec: - clusterSelector: - selectorType: LegacyClusterSetLabel ---- -# Source: acm/templates/multiclusterhub.yaml -apiVersion: operator.open-cluster-management.io/v1 -kind: MultiClusterHub -metadata: - name: multiclusterhub - namespace: open-cluster-management - annotations: - argocd.argoproj.io/sync-wave: "-1" - installer.open-cluster-management.io/mce-subscription-spec: '{"source": "redhat-operators" }' -spec: {} ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-hub-ca-policy-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-hub-ca-policy-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-hub-ca-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: 
acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-edge-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: acm-provision-edge-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: acm-provision-edge-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: acm-provision-edge-clustergroup-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: PlacementBinding -metadata: - name: openshift-gitops-placement-binding - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -placementRef: - name: openshift-gitops-placement - kind: PlacementRule - apiGroup: apps.open-cluster-management.io -subjects: - - name: openshift-gitops-policy - kind: Policy - apiGroup: policy.open-cluster-management.io ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-hub-ca-policy-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/application-policies.yaml 
-apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: acm-region ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: acm-provision-edge-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchLabels: - clusterGroup: region ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: apps.open-cluster-management.io/v1 -kind: PlacementRule -metadata: - name: openshift-gitops-placement - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - clusterConditions: - - status: 'True' - type: ManagedClusterConditionAvailable - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - - key: local-cluster - operator: NotIn - values: - - 'true' ---- -# Source: acm/templates/policies/acm-hub-ca-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-hub-ca-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-hub-ca-config-policy - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - kind: Secret - apiVersion: v1 - type: Opaque - 
metadata: - name: hub-ca - namespace: imperative - data: - hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | base64enc hub}}' - hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | base64enc hub}}' ---- -# Source: acm/templates/policies/application-policies.yaml -# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-edge-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-edge-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-edge - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup 
"config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." 
"" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' - - name: global.clusterPlatform - value: - - name: clusterGroup.name - value: acm-edge - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-edge - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/application-policies.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: acm-provision-edge-clustergroup-policy - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: acm-provision-edge-clustergroup-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: mypattern-acm-provision-edge - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground - spec: - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - 
"/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' - # Requires ACM 2.6 or higher - - name: global.clusterDomain - value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." 
"" }}' - # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) - - name: global.clusterVersion - value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' - - name: global.clusterPlatform - value: - - name: clusterGroup.name - value: acm-provision-edge - - name: clusterGroup.isHubCluster - value: "false" - destination: - server: https://kubernetes.default.svc - namespace: mypattern-acm-provision-edge - syncPolicy: - automated: - prune: false - selfHeal: true - retry: - limit: 20 - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: acm/templates/policies/ocp-gitops-policy.yaml -apiVersion: policy.open-cluster-management.io/v1 -kind: Policy -metadata: - name: openshift-gitops-policy - annotations: - policy.open-cluster-management.io/standards: NIST-CSF - policy.open-cluster-management.io/categories: PR.DS Data Security - policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - remediationAction: enforce - disabled: false - policy-templates: - - objectDefinition: - apiVersion: policy.open-cluster-management.io/v1 - kind: ConfigurationPolicy - metadata: - name: openshift-gitops-config - spec: - remediationAction: enforce - severity: medium - namespaceSelector: - include: - - default - object-templates: - - complianceType: mustonlyhave - objectDefinition: - # This is an auto-generated file. 
DO NOT EDIT - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: '' - spec: - channel: gitops-1.8 - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: "*" diff --git a/common/tests/acm.expected.diff b/common/tests/acm.expected.diff deleted file mode 100644 index 25b35645..00000000 --- a/common/tests/acm.expected.diff +++ /dev/null 
@@ -1,651 +0,0 @@ ---- tests/acm-naked.expected.yaml -+++ tests/acm-normal.expected.yaml -@@ -1,6 +1,386 @@ - --- --# Source: acm/templates/policies/application-policies.yaml --# TODO: Also create a GitOpsCluster.apps.open-cluster-management.io -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: v1 -+kind: Secret -+metadata: -+ name: aws-ap-acm-provision-edge-install-config -+data: -+ # Base64 encoding of install-config yaml -+ install-config.yaml: CgphcGlWZXJzaW9uOiB2MQptZXRhZGF0YToKICBuYW1lOiAnYXdzLWFwJyAKYmFzZURvbWFpbjogYmx1ZXByaW50cy5yaGVjb2VuZy5jb20KY29udHJvbFBsYW5lOgogIGFyY2hpdGVjdHVyZTogYW1kNjQKICBoeXBlcnRocmVhZGluZzogRW5hYmxlZAogIG5hbWU6IGNvbnRyb2xQbGFuZQogIHJlcGxpY2FzOiAzCiAgcGxhdGZvcm06CiAgICBhd3M6CiAgICAgIHR5cGU6IG01LnhsYXJnZQpjb21wdXRlOgotIGh5cGVydGhyZWFkaW5nOiBFbmFibGVkCiAgYXJjaGl0ZWN0dXJlOiBhbWQ2NAogIG5hbWU6ICd3b3JrZXInCiAgcmVwbGljYXM6IDMKICBwbGF0Zm9ybToKICAgIGF3czoKICAgICAgdHlwZTogbTUueGxhcmdlCm5ldHdvcmtpbmc6CiAgY2x1c3Rlck5ldHdvcms6CiAgLSBjaWRyOiAxMC4xMjguMC4wLzE0CiAgICBob3N0UHJlZml4OiAyMwogIG1hY2hpbmVOZXR3b3JrOgogIC0gY2lkcjogMTAuMC4wLjAvMTYKICBuZXR3b3JrVHlwZTogT3BlblNoaWZ0U0ROCiAgc2VydmljZU5ldHdvcms6CiAgLSAxNzIuMzAuMC4wLzE2CnBsYXRmb3JtOiB7CiAgImF3cyI6IHsKICAgICJyZWdpb24iOiAiYXAtc291dGhlYXN0LTIiCiAgfQp9CnB1bGxTZWNyZXQ6ICIiICMgc2tpcCwgaGl2ZSB3aWxsIGluamVjdCBiYXNlZCBvbiBpdCdzIHNlY3JldHMKc3NoS2V5OiAiIiAgICAgIyBza2lwLCBoaXZlIHdpbGwgaW5qZWN0IGJhc2VkIG9uIGl0J3Mgc2VjcmV0cw== -+type: Opaque -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: v1 -+kind: Secret -+metadata: -+ name: azure-us-acm-provision-edge-install-config -+data: -+ # Base64 encoding of install-config yaml -+ install-config.yaml: 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 -+type: Opaque -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterClaim -+metadata: -+ name: 'one-acm-provision-edge' -+ annotations: -+ argocd.argoproj.io/sync-wave: "20" -+ 
cluster.open-cluster-management.io/createmanagedcluster: "true" -+ labels: -+ clusterClaimName: one-acm-provision-edge -+ clusterGroup: region -+spec: -+ clusterPoolName: aws-ap -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterClaim -+metadata: -+ name: 'two-acm-provision-edge' -+ annotations: -+ argocd.argoproj.io/sync-wave: "20" -+ cluster.open-cluster-management.io/createmanagedcluster: "true" -+ labels: -+ clusterClaimName: two-acm-provision-edge -+ clusterGroup: region -+spec: -+ clusterPoolName: azure-us -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterClaim -+metadata: -+ name: 'three-acm-provision-edge' -+ annotations: -+ argocd.argoproj.io/sync-wave: "20" -+ cluster.open-cluster-management.io/createmanagedcluster: "true" -+ labels: -+ clusterClaimName: three-acm-provision-edge -+ clusterGroup: region -+spec: -+ clusterPoolName: azure-us -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterPool -+metadata: -+ name: "aws-ap-acm-provision-edge" -+ annotations: -+ argocd.argoproj.io/sync-wave: "10" -+ labels: -+ cloud: aws -+ region: 'ap-southeast-2' -+ vendor: OpenShift -+ cluster.open-cluster-management.io/clusterset: aws-ap -+spec: -+ size: 3 -+ runningCount: 1 -+ baseDomain: blueprints.rhecoeng.com -+ installConfigSecretTemplateRef: -+ name: aws-ap-acm-provision-edge-install-config -+ imageSetRef: -+ name: img4.10.18-x86-64-appsub -+ pullSecretRef: -+ name: aws-ap-acm-provision-edge-pull-secret -+ skipMachinePools: true # Disable MachinePool as using custom install-config -+ platform: -+ aws: -+ credentialsSecretRef: -+ name: aws-ap-acm-provision-edge-creds -+ region: ap-southeast-2 -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: hive.openshift.io/v1 -+kind: ClusterPool -+metadata: -+ name: "azure-us-acm-provision-edge" -+ annotations: -+ 
argocd.argoproj.io/sync-wave: "10" -+ labels: -+ cloud: azure -+ region: 'eastus' -+ vendor: OpenShift -+ cluster.open-cluster-management.io/clusterset: azure-us -+spec: -+ size: 2 -+ runningCount: 2 -+ baseDomain: blueprints.rhecoeng.com -+ installConfigSecretTemplateRef: -+ name: azure-us-acm-provision-edge-install-config -+ imageSetRef: -+ name: img4.10.18-x86-64-appsub -+ pullSecretRef: -+ name: azure-us-acm-provision-edge-pull-secret -+ skipMachinePools: true # Disable MachinePool as using custom install-config -+ platform: -+ azure: -+ credentialsSecretRef: -+ name: azure-us-acm-provision-edge-creds -+ region: eastus -+--- -+# Source: acm/templates/provision/secrets-aws.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-creds -+spec: -+ dataFrom: -+ - extract: -+ # Expects entries called: aws_access_key_id and aws_secret_access_key -+ key: secret/data/hub/aws -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+--- -+# Source: acm/templates/provision/secrets-aws.yaml -+# For use when manually creating clusters with ACM -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-infra-creds -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ - secretKey: awsKeyId -+ remoteRef: -+ key: secret/data/hub/aws -+ property: aws_access_key_id -+ - secretKey: awsAccessKey -+ remoteRef: -+ key: secret/data/hub/aws -+ property: aws_secret_access_key -+ - secretKey: sshPublicKey -+ remoteRef: -+ key: secret/data/hub/publickey -+ property: content -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: 
ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-infra-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ metadata: -+ labels: -+ cluster.open-cluster-management.io/credentials: "" -+ cluster.open-cluster-management.io/type: aws -+ data: -+ baseDomain: "blueprints.rhecoeng.com" -+ pullSecret: |- -+ {{ .openshiftPullSecret | toString }} -+ aws_access_key_id: |- -+ {{ .awsKeyId | toString }} -+ aws_secret_access_key: |- -+ {{ .awsAccessKey | toString }} -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+ ssh-publickey: |- -+ {{ .sshPublicKey | toString }} -+ httpProxy: "" -+ httpsProxy: "" -+ noProxy: "" -+ additionalTrustBundle: "" -+--- -+# Source: acm/templates/provision/secrets-azure.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-creds -+spec: -+ data: -+ - secretKey: azureOsServicePrincipal -+ remoteRef: -+ key: secret/data/hub/azureOsServicePrincipal -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ data: -+ osServicePrincipal.json: |- -+ {{ .azureOsServicePrincipal | toString }} -+--- -+# Source: acm/templates/provision/secrets-azure.yaml -+# For use when manually creating clusters with ACM -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-infra-creds -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ - secretKey: sshPublicKey -+ remoteRef: -+ key: secret/data/hub/publickey -+ property: content -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ - secretKey: azureOsServicePrincipal -+ remoteRef: -+ key: secret/data/hub/azureOsServicePrincipal -+ property: content -+ refreshInterval: 
24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-infra-creds -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ metadata: -+ labels: -+ cluster.open-cluster-management.io/credentials: "" -+ cluster.open-cluster-management.io/type: aws -+ data: -+ cloudName: AzurePublicCloud -+ osServicePrincipal.json: |- -+ {{ .azureOsServicePrincipal | toString }} -+ baseDomain: "blueprints.rhecoeng.com" -+ baseDomainResourceGroupName: "dojo-dns-zones" -+ pullSecret: |- -+ {{ .openshiftPullSecret | toString }} -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+ ssh-publickey: |- -+ {{ .sshPublicKey | toString }} -+ httpProxy: "" -+ httpsProxy: "" -+ noProxy: "" -+ additionalTrustBundle: "" -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-pull-secret -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-pull-secret -+ creationPolicy: Owner -+ template: -+ type: kubernetes.io/dockerconfigjson -+ data: -+ .dockerconfigjson: |- -+ {{ .openshiftPullSecret | toString }} -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: aws-ap-acm-provision-edge-ssh-private-key -+spec: -+ data: -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: aws-ap-acm-provision-edge-ssh-private-key -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ data: -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+--- -+# 
Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-pull-secret -+spec: -+ data: -+ - secretKey: openshiftPullSecret -+ remoteRef: -+ key: secret/data/hub/openshiftPullSecret -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-pull-secret -+ creationPolicy: Owner -+ template: -+ type: kubernetes.io/dockerconfigjson -+ data: -+ .dockerconfigjson: |- -+ {{ .openshiftPullSecret | toString }} -+--- -+# Source: acm/templates/provision/secrets-common.yaml -+apiVersion: external-secrets.io/v1beta1 -+kind: ExternalSecret -+metadata: -+ name: azure-us-acm-provision-edge-ssh-private-key -+spec: -+ data: -+ - secretKey: sshPrivateKey -+ remoteRef: -+ key: secret/data/hub/privatekey -+ property: content -+ refreshInterval: 24h0m0s -+ secretStoreRef: -+ name: vault-backend -+ kind: ClusterSecretStore -+ target: -+ name: azure-us-acm-provision-edge-ssh-private-key -+ creationPolicy: Owner -+ template: -+ type: Opaque -+ data: -+ ssh-privatekey: |- -+ {{ .sshPrivateKey | toString }} -+--- -+# Source: acm/templates/provision/clusterpool.yaml -+apiVersion: cluster.open-cluster-management.io/v1beta1 -+kind: ManagedClusterSet -+metadata: -+ annotations: -+ cluster.open-cluster-management.io/submariner-broker-ns: acm-provision-edge-broker -+ name: acm-provision-edge -+spec: -+ clusterSelector: -+ selectorType: LegacyClusterSetLabel - --- - # Source: acm/templates/multiclusterhub.yaml - apiVersion: operator.open-cluster-management.io/v1 -@@ -12,6 +392,38 @@ - argocd.argoproj.io/sync-wave: "-1" - spec: {} - --- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: policy.open-cluster-management.io/v1 -+kind: PlacementBinding -+metadata: -+ name: acm-edge-placement-binding -+ annotations: -+ argocd.argoproj.io/sync-options: 
SkipDryRunOnMissingResource=true -+placementRef: -+ name: acm-edge-placement -+ kind: PlacementRule -+ apiGroup: apps.open-cluster-management.io -+subjects: -+ - name: acm-edge-clustergroup-policy -+ kind: Policy -+ apiGroup: policy.open-cluster-management.io -+--- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: policy.open-cluster-management.io/v1 -+kind: PlacementBinding -+metadata: -+ name: acm-provision-edge-placement-binding -+ annotations: -+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -+placementRef: -+ name: acm-provision-edge-placement -+ kind: PlacementRule -+ apiGroup: apps.open-cluster-management.io -+subjects: -+ - name: acm-provision-edge-clustergroup-policy -+ kind: Policy -+ apiGroup: policy.open-cluster-management.io -+--- - # Source: acm/templates/policies/ocp-gitops-policy.yaml - apiVersion: policy.open-cluster-management.io/v1 - kind: PlacementBinding -@@ -28,6 +440,32 @@ - kind: Policy - apiGroup: policy.open-cluster-management.io - --- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: apps.open-cluster-management.io/v1 -+kind: PlacementRule -+metadata: -+ name: acm-edge-placement -+spec: -+ clusterConditions: -+ - status: 'True' -+ type: ManagedClusterConditionAvailable -+ clusterSelector: -+ matchLabels: -+ clusterGroup: acm-region -+--- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: apps.open-cluster-management.io/v1 -+kind: PlacementRule -+metadata: -+ name: acm-provision-edge-placement -+spec: -+ clusterConditions: -+ - status: 'True' -+ type: ManagedClusterConditionAvailable -+ clusterSelector: -+ matchLabels: -+ clusterGroup: region -+--- - # Source: acm/templates/policies/ocp-gitops-policy.yaml - apiVersion: apps.open-cluster-management.io/v1 - kind: PlacementRule -@@ -44,6 +482,187 @@ - values: - - OpenShift - --- -+# Source: acm/templates/policies/application-policies.yaml -+# TODO: Also create a 
GitOpsCluster.apps.open-cluster-management.io -+apiVersion: policy.open-cluster-management.io/v1 -+kind: Policy -+metadata: -+ name: acm-edge-clustergroup-policy -+ annotations: -+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -+ argocd.argoproj.io/compare-options: IgnoreExtraneous -+spec: -+ remediationAction: enforce -+ disabled: false -+ policy-templates: -+ - objectDefinition: -+ apiVersion: policy.open-cluster-management.io/v1 -+ kind: ConfigurationPolicy -+ metadata: -+ name: acm-edge-clustergroup-config -+ spec: -+ remediationAction: enforce -+ severity: medium -+ namespaceSelector: -+ include: -+ - default -+ object-templates: -+ - complianceType: mustonlyhave -+ objectDefinition: -+ apiVersion: argoproj.io/v1alpha1 -+ kind: Application -+ metadata: -+ name: mypattern-acm-edge -+ namespace: openshift-gitops -+ finalizers: -+ - resources-finalizer.argocd.argoproj.io/foreground -+ spec: -+ project: default -+ source: -+ repoURL: https://github.com/pattern-clone/mypattern -+ targetRevision: main -+ path: common/clustergroup -+ helm: -+ ignoreMissingValueFiles: true -+ valueFiles: -+ - "/values-global.yaml" -+ - "/values-acm-edge.yaml" -+ - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' -+ # We cannot use $.Values.global.clusterVersion because that gets resolved to the -+ # hub's cluster version, whereas we want to include the spoke cluster version -+ - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' -+ parameters: -+ - name: global.repoURL -+ value: $ARGOCD_APP_SOURCE_REPO_URL -+ - name: global.targetRevision -+ value: $ARGOCD_APP_SOURCE_TARGET_REVISION -+ - name: global.namespace -+ value: $ARGOCD_APP_NAMESPACE -+ - name: global.pattern -+ value: mypattern 
-+ - name: global.hubClusterDomain -+ value: apps.hub.example.com -+ - name: global.localClusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' -+ # Requires ACM 2.6 or higher -+ - name: global.clusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." "" }}' -+ # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) -+ - name: global.clusterVersion -+ value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' -+ - name: global.clusterPlatform -+ value: -+ - name: clusterGroup.name -+ value: acm-edge -+ - name: clusterGroup.isHubCluster -+ value: "false" -+ destination: -+ server: https://kubernetes.default.svc -+ namespace: mypattern-acm-edge -+ syncPolicy: -+ automated: -+ prune: false -+ selfHeal: true -+ ignoreDifferences: -+ - group: apps -+ kind: Deployment -+ jsonPointers: -+ - /spec/replicas -+ - group: route.openshift.io -+ kind: Route -+ jsonPointers: -+ - /status -+--- -+# Source: acm/templates/policies/application-policies.yaml -+apiVersion: policy.open-cluster-management.io/v1 -+kind: Policy -+metadata: -+ name: acm-provision-edge-clustergroup-policy -+ annotations: -+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -+ argocd.argoproj.io/compare-options: IgnoreExtraneous -+spec: -+ remediationAction: enforce -+ disabled: false -+ policy-templates: -+ - objectDefinition: -+ apiVersion: policy.open-cluster-management.io/v1 -+ kind: ConfigurationPolicy -+ metadata: -+ name: acm-provision-edge-clustergroup-config -+ spec: -+ remediationAction: enforce -+ severity: medium -+ namespaceSelector: -+ include: -+ - default -+ object-templates: -+ - complianceType: mustonlyhave -+ objectDefinition: -+ apiVersion: 
argoproj.io/v1alpha1 -+ kind: Application -+ metadata: -+ name: mypattern-acm-provision-edge -+ namespace: openshift-gitops -+ finalizers: -+ - resources-finalizer.argocd.argoproj.io/foreground -+ spec: -+ project: default -+ source: -+ repoURL: https://github.com/pattern-clone/mypattern -+ targetRevision: main -+ path: common/clustergroup -+ helm: -+ ignoreMissingValueFiles: true -+ valueFiles: -+ - "/values-global.yaml" -+ - "/values-acm-provision-edge.yaml" -+ - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' -+ # We cannot use $.Values.global.clusterVersion because that gets resolved to the -+ # hub's cluster version, whereas we want to include the spoke cluster version -+ - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' -+ parameters: -+ - name: global.repoURL -+ value: $ARGOCD_APP_SOURCE_REPO_URL -+ - name: global.targetRevision -+ value: $ARGOCD_APP_SOURCE_TARGET_REVISION -+ - name: global.namespace -+ value: $ARGOCD_APP_NAMESPACE -+ - name: global.pattern -+ value: mypattern -+ - name: global.hubClusterDomain -+ value: apps.hub.example.com -+ - name: global.localClusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain }}' -+ # Requires ACM 2.6 or higher -+ - name: global.clusterDomain -+ value: '{{ (lookup "config.openshift.io/v1" "Ingress" "" "cluster").spec.domain | replace "apps." 
"" }}' -+ # Requires ACM 2.6 or higher (I could not come up with something less terrible to get maj.min) -+ - name: global.clusterVersion -+ value: '{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}' -+ - name: global.clusterPlatform -+ value: -+ - name: clusterGroup.name -+ value: acm-provision-edge -+ - name: clusterGroup.isHubCluster -+ value: "false" -+ destination: -+ server: https://kubernetes.default.svc -+ namespace: mypattern-acm-provision-edge -+ syncPolicy: -+ automated: -+ prune: false -+ selfHeal: true -+ ignoreDifferences: -+ - group: apps -+ kind: Deployment -+ jsonPointers: -+ - /spec/replicas -+ - group: route.openshift.io -+ kind: Route -+ jsonPointers: -+ - /status -+--- - # Source: acm/templates/policies/ocp-gitops-policy.yaml - apiVersion: policy.open-cluster-management.io/v1 - kind: Policy diff --git a/common/tests/clustergroup-industrial-edge-factory.expected.yaml b/common/tests/clustergroup-industrial-edge-factory.expected.yaml deleted file mode 100644 index be93aa88..00000000 --- a/common/tests/clustergroup-industrial-edge-factory.expected.yaml +++ /dev/null 
@@ -1,684 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-line-dashboard -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-machine-sensor -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-stormshift-messaging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-factory - name: manuela-factory-ml-workspace -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-factory - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-factory - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-factory -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-factory - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - - name: stormshift - path: charts/factory/manuela-stormshift - plugin: - name: helm-with-kustomize - project: factory - - name: odh - 
namespace: manuela-factory-ml-workspace - path: charts/datacenter/opendatahub - project: factory - imperative: - activeDeadlineSeconds: 3600 - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: false - managedClusterGroups: {} - name: factory - namespaces: - - manuela-stormshift-line-dashboard - - manuela-stormshift-machine-sensor - - manuela-stormshift-messaging - - manuela-factory-ml-workspace - operatorgroupExcludes: - - manuela-factory-ml-workspace - projects: - - factory - subscriptions: - - channel: stable - name: opendatahub-operator - source: community-operators - - channel: stable - name: seldon-operator - namespace: manuela-stormshift-messaging - source: community-operators - - channel: stable - name: amq-streams - namespace: manuela-stormshift-messaging - - channel: 7.x - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging - - channel: stable - name: red-hat-camel-k - namespace: manuela-stormshift-messaging - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Manual - useCSV: true - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - 
main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-factory-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: factory-gitops-argocd-application-controller - namespace: mypattern-factory - # NOTE: THIS MUST BE FIXED 
FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: factory-gitops-argocd-server - namespace: mypattern-factory - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: factory-gitops-argocd-dex-server - namespace: mypattern-factory ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-admin-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: test - image: 
registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-factory - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: factory - namespace: mypattern-factory -spec: - description: "Pattern factory" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: stormshift - namespace: mypattern-factory - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: mypattern-factory - project: factory - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/factory/manuela-stormshift - plugin: { - "name": "helm-with-kustomize" -} - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: 
Application -metadata: - name: odh - namespace: mypattern-factory - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-factory-ml-workspace - project: factory - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/opendatahub - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: factory-gitops - namespace: mypattern-factory - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceCustomizations: | - PersistentVolumeClaim: - health.lua: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - 
hs.message = "Waiting for PVC" - return hs - applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-factory.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=factory - --post-renderer ./kustomize"] - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: 
false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: factory-gitops-link - namespace: mypattern-factory -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,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 - href: 'https://factory-gitops-server-mypattern-factory.apps.region.example.com' - location: ApplicationMenu - text: 'Factory ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-line-dashboard-operator-group - namespace: manuela-stormshift-line-dashboard -spec: - targetNamespaces: - - manuela-stormshift-line-dashboard ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-machine-sensor-operator-group - namespace: manuela-stormshift-machine-sensor -spec: - targetNamespaces: - - manuela-stormshift-machine-sensor ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-stormshift-messaging-operator-group - namespace: manuela-stormshift-messaging -spec: - targetNamespaces: - - manuela-stormshift-messaging ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- 
-# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-stormshift-messaging -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-stormshift-messaging -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-broker-rhel8 - namespace: manuela-stormshift-messaging -spec: - name: amq-broker-rhel8 - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: 7.x - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-stormshift-messaging -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: diff --git a/common/tests/clustergroup-industrial-edge-hub.expected.yaml b/common/tests/clustergroup-industrial-edge-hub.expected.yaml deleted file mode 100644 index a759bdde..00000000 --- a/common/tests/clustergroup-industrial-edge-hub.expected.yaml +++ /dev/null 
@@ -1,1437 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: golang-external-secrets -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: external-secrets -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: open-cluster-management -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-ml-workspace -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-tst-all -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-ci -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: manuela-data-lake -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: staging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-datacenter - name: vault -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: 
mypattern-datacenter - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-datacenter - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-datacenter -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-datacenter - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - acm: - ignoreDifferences: - - group: internal.open-cluster-management.io - jsonPointers: - - /spec/loggingCA - kind: ManagedClusterInfo - name: acm - namespace: open-cluster-management - path: common/acm - project: datacenter - odh: - name: odh - namespace: manuela-ml-workspace - path: charts/datacenter/opendatahub - project: datacenter - pipelines: - name: pipelines - namespace: manuela-ci - path: charts/datacenter/pipelines - project: datacenter - production-data-lake: - ignoreDifferences: - - group: apps - jsonPointers: - - /spec/replicas - kind: Deployment - - group: route.openshift.io - jsonPointers: - - /status - kind: Route - - group: image.openshift.io - jsonPointers: - - /spec/tags - kind: ImageStream - - group: apps.openshift.io - jsonPointers: - - /spec/template/spec/containers/0/image - kind: DeploymentConfig - name: production-data-lake - namespace: manuela-data-lake - path: charts/datacenter/manuela-data-lake - project: production-datalake - secrets: - name: external-secrets - namespace: external-secrets - path: charts/datacenter/external-secrets - project: golang-external-secrets - secrets-operator: - name: 
golang-external-secrets - namespace: golang-external-secrets - path: common/golang-external-secrets - project: golang-external-secrets - test: - name: manuela-test - namespace: manuela-tst-all - path: charts/datacenter/manuela-tst - plugin: - name: helm-with-kustomize - project: datacenter - vault: - chart: vault - name: vault - namespace: vault - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null - - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: registry.connect.redhat.com/hashicorp/vault - - name: server.image.tag - value: 1.10.3-ubi - project: datacenter - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - imperative: - activeDeadlineSeconds: 3600 - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - factory: - clusterSelector: - matchExpressions: - - key: vendor - operator: In - values: - - OpenShift - matchLabels: - clusterGroup: factory - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: factory - name: datacenter - namespaces: - - golang-external-secrets - - external-secrets - - open-cluster-management - - manuela-ml-workspace - - manuela-tst-all - - manuela-ci - - manuela-data-lake - - staging - - vault - 
operatorgroupExcludes: - - manuela-ml-workspace - projects: - - datacenter - - production-datalake - - golang-external-secrets - - vault - subscriptions: - acm: - channel: release-2.6 - name: advanced-cluster-management - namespace: open-cluster-management - amqbroker-prod: - channel: 7.x - name: amq-broker-rhel8 - namespace: manuela-tst-all - amqstreams-prod-dev: - channel: stable - name: amq-streams - namespaces: - - manuela-data-lake - - manuela-tst-all - camelk-prod-dev: - channel: stable - name: red-hat-camel-k - namespaces: - - manuela-data-lake - - manuela-tst-all - odh: - channel: stable - name: opendatahub-operator - source: community-operators - pipelines: - channel: latest - name: openshift-pipelines-operator-rh - source: redhat-operators - seldon-prod-dev: - channel: stable - name: seldon-operator - namespaces: - - manuela-ml-workspace - - manuela-tst-all - source: community-operators - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Manual - useCSV: true - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: 
ClusterRoleBinding -metadata: - name: imperative-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-datacenter-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: datacenter-gitops-argocd-application-controller - namespace: mypattern-datacenter - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: datacenter-gitops-argocd-server - namespace: mypattern-datacenter - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: datacenter-gitops-argocd-dex-server - namespace: mypattern-datacenter ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - 
apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-admin-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. 
Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. 
Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-datacenter - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: datacenter - namespace: mypattern-datacenter -spec: - description: "Pattern datacenter" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: production-datalake - namespace: mypattern-datacenter -spec: - description: "Pattern production-datalake" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: golang-external-secrets - namespace: mypattern-datacenter -spec: - description: "Pattern golang-external-secrets" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - 
namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: vault - namespace: mypattern-datacenter -spec: - description: "Pattern vault" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: acm - namespace: mypattern-datacenter - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: open-cluster-management - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/acm - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - ignoreDifferences: [ - { - "group": "internal.open-cluster-management.io", - "jsonPointers": [ - "/spec/loggingCA" - ], - "kind": "ManagedClusterInfo" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-datacenter - finalizers: - - 
resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-ml-workspace - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/opendatahub - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pipelines - namespace: mypattern-datacenter - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-ci - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/pipelines - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: 
apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: production-data-lake - namespace: mypattern-datacenter - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-data-lake - project: production-datalake - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/manuela-data-lake - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - ignoreDifferences: [ - { - "group": "apps", - "jsonPointers": [ - "/spec/replicas" - ], - "kind": "Deployment" - }, - { - "group": "route.openshift.io", - "jsonPointers": [ - "/status" - ], - "kind": "Route" - }, - { - "group": "image.openshift.io", - "jsonPointers": [ - "/spec/tags" - ], - "kind": "ImageStream" - }, - { - "group": "apps.openshift.io", - "jsonPointers": [ - "/spec/template/spec/containers/0/image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: external-secrets - namespace: mypattern-datacenter - finalizers: - - 
resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: external-secrets - project: golang-external-secrets - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/external-secrets - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: golang-external-secrets - namespace: mypattern-datacenter - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: golang-external-secrets - project: golang-external-secrets - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/golang-external-secrets - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - 
- name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: manuela-test - namespace: mypattern-datacenter - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: manuela-tst-all - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/manuela-tst - plugin: { - "name": "helm-with-kustomize" -} - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: mypattern-datacenter - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: vault - project: datacenter - source: - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - chart: vault - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-datacenter.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: "LoadBalancer" - - 
name: server.route.enabled - value: "true" - - name: server.route.host - value: - - name: server.route.tls.termination - value: "edge" - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: datacenter-gitops - namespace: mypattern-datacenter - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceCustomizations: | - PersistentVolumeClaim: - health.lua: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. 
BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-datacenter.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=datacenter - --post-renderer ./kustomize"] - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: 
clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: datacenter-gitops-link - namespace: mypattern-datacenter -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,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 - href: 'https://datacenter-gitops-server-mypattern-datacenter.apps.region.example.com' - location: ApplicationMenu - text: 'Datacenter ArgoCD' ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: golang-external-secrets-operator-group - namespace: golang-external-secrets -spec: - targetNamespaces: - - golang-external-secrets ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: external-secrets-operator-group - namespace: external-secrets -spec: - targetNamespaces: - - external-secrets ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-tst-all-operator-group - namespace: manuela-tst-all -spec: - targetNamespaces: - - manuela-tst-all ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-ci-operator-group - namespace: manuela-ci -spec: - targetNamespaces: - - manuela-ci ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: manuela-data-lake-operator-group - namespace: manuela-data-lake -spec: - targetNamespaces: - - manuela-data-lake ---- -# 
Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: staging-operator-group - namespace: staging -spec: - targetNamespaces: - - staging ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: vault-operator-group - namespace: vault -spec: - targetNamespaces: - - vault ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: advanced-cluster-management - namespace: open-cluster-management -spec: - name: advanced-cluster-management - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: release-2.6 - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-broker-rhel8 - namespace: manuela-tst-all -spec: - name: amq-broker-rhel8 - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: 7.x - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-data-lake -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: manuela-tst-all -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription 
-metadata: - name: red-hat-camel-k - namespace: manuela-data-lake -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: red-hat-camel-k - namespace: manuela-tst-all -spec: - name: red-hat-camel-k - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-pipelines-operator-rh - namespace: openshift-operators -spec: - name: openshift-pipelines-operator-rh - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: latest - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-ml-workspace -spec: - name: seldon-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: seldon-operator - namespace: manuela-tst-all -spec: - name: seldon-operator - source: community-operators - sourceNamespace: 
openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: diff --git a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml b/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 175f134b..00000000 --- a/common/tests/clustergroup-medical-diagnosis-hub.expected.yaml +++ /dev/null 
@@ -1,1551 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: open-cluster-management -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: openshift-serverless -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: opendatahub -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: openshift-storage -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: xraylab-1 -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: knative-serving -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: staging -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: vault -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-hub - name: golang-external-secrets -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-hub - name: imperative ---- -# Source: 
clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-hub - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-hub -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-hub - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - golang-external-secrets: - name: golang-external-secrets - namespace: golang-external-secrets - path: common/golang-external-secrets - project: hub - kafdrop: - name: kafdrop - namespace: xraylab-1 - path: charts/all/kafdrop - project: medical-diagnosis - kafka: - name: kafka - namespace: xraylab-1 - path: charts/all/kafka - project: medical-diagnosis - opendatahub: - name: odh - namespace: opendatahub - path: charts/all/opendatahub - project: medical-diagnosis - openshift-data-foundations: - name: odf - namespace: openshift-storage - path: charts/all/openshift-data-foundations - project: medical-diagnosis - openshift-serverless: - name: serverless - namespace: xraylab-1 - path: charts/all/openshift-serverless - project: medical-diagnosis - service-account: - name: xraylab-service-account - namespace: xraylab-1 - path: charts/all/medical-diagnosis/service-account - project: medical-diagnosis - vault: - chart: vault - name: vault - namespace: vault - overrides: - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: LoadBalancer - - name: server.route.enabled - value: "true" - - name: server.route.host - value: null 
- - name: server.route.tls.termination - value: edge - - name: server.image.repository - value: registry.connect.redhat.com/hashicorp/vault - - name: server.image.tag - value: 1.10.3-ubi - project: hub - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - xraylab-database: - name: xraylab-database - namespace: xraylab-1 - path: charts/all/medical-diagnosis/database - project: medical-diagnosis - xraylab-grafana-dashboards: - name: xraylab-grafana-dashboards - namespace: xraylab-1 - path: charts/all/medical-diagnosis/grafana - project: medical-diagnosis - xraylab-image-generator: - ignoreDifferences: - - group: apps.openshift.io - jqPathExpressions: - - .spec.template.spec.containers[].image - kind: DeploymentConfig - name: xraylab-image-generator - namespace: xraylab-1 - path: charts/all/medical-diagnosis/image-generator - project: medical-diagnosis - xraylab-image-server: - ignoreDifferences: - - group: apps.openshift.io - jqPathExpressions: - - .spec.template.spec.containers[].image - kind: DeploymentConfig - name: xraylab-image-server - namespace: xraylab-1 - path: charts/all/medical-diagnosis/image-server - project: medical-diagnosis - xraylab-init: - name: xraylab-init - namespace: xraylab-1 - path: charts/all/medical-diagnosis/xray-init - project: medical-diagnosis - imperative: - activeDeadlineSeconds: 3600 - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - timeout: 234 - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - region-one: - 
clusterSelector: - matchLabels: - clusterGroup: region-one - helmOverrides: - - name: clusterGroup.isHubCluster - value: false - name: region-one - name: hub - namespaces: - - open-cluster-management - - openshift-serverless - - opendatahub - - openshift-storage - - xraylab-1 - - knative-serving - - staging - - vault - - golang-external-secrets - projects: - - hub - - medical-diagnosis - subscriptions: - amq-streams: - channel: stable - name: amq-streams - namespace: xraylab-1 - grafana: - channel: v4 - name: grafana-operator - namespace: xraylab-1 - source: community-operators - odf: - channel: stable-4.11 - name: odf-operator - namespace: openshift-storage - opendatahub: - name: opendatahub-operator - source: community-operators - severless: - channel: stable - name: serverless-operator - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Manual - useCSV: true - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - 
kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-hub-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: hub-gitops-argocd-application-controller - namespace: mypattern-hub - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: hub-gitops-argocd-server - namespace: mypattern-hub - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: hub-gitops-argocd-dex-server - namespace: mypattern-hub ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding 
-metadata: - name: imperative-admin-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. 
Can be overridden - # on a per-job basis - command: - - timeout - - "234" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. 
Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-hub - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: hub - namespace: mypattern-hub -spec: - description: "Pattern hub" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: medical-diagnosis - namespace: mypattern-hub -spec: - description: "Pattern medical-diagnosis" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: golang-external-secrets - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: golang-external-secrets - project: hub - source: - repoURL: 
https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/golang-external-secrets - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kafdrop - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/kafdrop - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml 
-apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: kafka - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/kafka - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odh - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: opendatahub - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/opendatahub - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: 
global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: odf - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: openshift-storage - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/openshift-data-foundations - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: serverless - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/openshift-serverless - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: 
$ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-service-account - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/service-account - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - 
namespace: vault - project: hub - source: - repoURL: https://helm.releases.hashicorp.com - targetRevision: v0.20.1 - chart: vault - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - - name: global.openshift - value: "true" - - name: injector.enabled - value: "false" - - name: ui.enabled - value: "true" - - name: ui.serviceType - value: "LoadBalancer" - - name: server.route.enabled - value: "true" - - name: server.route.host - value: - - name: server.route.tls.termination - value: "edge" - - name: server.image.repository - value: "registry.connect.redhat.com/hashicorp/vault" - - name: server.image.tag - value: "1.10.3-ubi" - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-database - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/database - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION 
- - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-grafana-dashboards - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/grafana - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-image-generator - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: 
https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/image-generator - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - ignoreDifferences: [ - { - "group": "apps.openshift.io", - "jqPathExpressions": [ - ".spec.template.spec.containers[].image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-image-server - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/image-server - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain 
- value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - ignoreDifferences: [ - { - "group": "apps.openshift.io", - "jqPathExpressions": [ - ".spec.template.spec.containers[].image" - ], - "kind": "DeploymentConfig" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: xraylab-init - namespace: mypattern-hub - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: xraylab-1 - project: medical-diagnosis - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/all/medical-diagnosis/xray-init - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-hub.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: hub-gitops - namespace: mypattern-hub - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking 
deployments - resourceCustomizations: | - PersistentVolumeClaim: - health.lua: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . 
--name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-hub.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=hub - --post-renderer ./kustomize"] - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: hub-gitops-link - namespace: mypattern-hub -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,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 - href: 'https://hub-gitops-server-mypattern-hub.apps.region.example.com' - location: ApplicationMenu - text: 'Hub ArgoCD' ---- -# Source: 
clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: openshift-serverless-operator-group - namespace: openshift-serverless -spec: - targetNamespaces: - - openshift-serverless ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: opendatahub-operator-group - namespace: opendatahub -spec: - targetNamespaces: - - opendatahub ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: openshift-storage-operator-group - namespace: openshift-storage -spec: - targetNamespaces: - - openshift-storage ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: xraylab-1-operator-group - namespace: xraylab-1 -spec: - targetNamespaces: - - xraylab-1 ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: knative-serving-operator-group - namespace: knative-serving -spec: - targetNamespaces: - - knative-serving ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: staging-operator-group - namespace: staging -spec: - targetNamespaces: - - staging ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: vault-operator-group - namespace: vault -spec: - targetNamespaces: - - vault ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: 
operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: golang-external-secrets-operator-group - namespace: golang-external-secrets -spec: - targetNamespaces: - - golang-external-secrets ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: amq-streams - namespace: xraylab-1 -spec: - name: amq-streams - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: grafana-operator - namespace: xraylab-1 -spec: - name: grafana-operator - source: community-operators - sourceNamespace: openshift-marketplace - channel: v4 - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: odf-operator - namespace: openshift-storage -spec: - name: odf-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable-4.11 - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: opendatahub-operator - namespace: openshift-operators -spec: - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - startingCSV: ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: serverless-operator - namespace: openshift-operators -spec: - name: serverless-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: stable - installPlanApproval: Automatic - startingCSV: 
diff --git a/common/tests/clustergroup-naked.expected.yaml b/common/tests/clustergroup-naked.expected.yaml deleted file mode 100644 index e15566b0..00000000 --- a/common/tests/clustergroup-naked.expected.yaml +++ /dev/null 
@@ -1,406 +0,0 @@ ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: common-example - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: common-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: common-example -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: {} - imperative: - activeDeadlineSeconds: 3600 - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: [] - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: {} - name: example - namespaces: [] - projects: [] - subscriptions: {} - targetCluster: in-cluster - enabled: all - global: - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: true - pattern: common - targetRevision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: 
clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-example-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: common-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: common-example - # NOTE: This is needed starting with 
gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: common-example ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-admin-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. 
Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - restartPolicy: Never ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: common-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceCustomizations: | - PersistentVolumeClaim: - health.lua: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. 
BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . --name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=common - --set global.clusterDomain= - --set global.hubClusterDomain= - --set global.localClusterDomain= - --set clusterGroup.name=example - --post-renderer ./kustomize"] - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 
-kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: common-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,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 - href: 'https://example-gitops-server-common-example.' - location: ApplicationMenu - text: 'Example ArgoCD' diff --git a/common/tests/clustergroup-normal.expected.yaml b/common/tests/clustergroup-normal.expected.yaml deleted file mode 100644 index ab4d4d08..00000000 --- a/common/tests/clustergroup-normal.expected.yaml +++ /dev/null 
@@ -1,1056 +0,0 @@ ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: open-cluster-management - labels: - argocd.argoproj.io/managed-by: mypattern-example - kubernetes.io/os: "linux" - openshift.io/node-selector: "" - annotations: - openshift.io/cluster-monitoring: "true" - owner: "namespace owner" -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-example - name: application-ci -spec: ---- -# Source: clustergroup/templates/core/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - argocd.argoproj.io/managed-by: mypattern-example - name: excludes-ci -spec: ---- -# Source: clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: mypattern-example - name: imperative ---- -# Source: clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: mypattern-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: mypattern-example -spec: {} ---- -# Source: clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: - acm: - ignoreDifferences: - - group: internal.open-cluster-management.io - jsonPointers: - - /spec/loggingCA - kind: ManagedClusterInfo - name: acm - namespace: open-cluster-management - path: common/acm - project: datacenter - pipe: - name: 
pipelines - namespace: application-ci - path: charts/datacenter/pipelines - project: datacenter - imperative: - activeDeadlineSeconds: 3600 - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: - - name: test - playbook: ansible/test.yml - timeout: 234 - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: - - acmlabels: - - name: clusterGroup - value: acm-region - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: acm-edge - targetRevision: main - - acmlabels: - - name: clusterGroup - value: region - clusterPools: - exampleAWSPool: - baseDomain: blueprints.rhecoeng.com - controlPlane: - count: 1 - platform: - aws: - type: m5.xlarge - name: aws-ap - openshiftVersion: 4.10.18 - platform: - aws: - region: ap-southeast-2 - size: 3 - workers: - count: 0 - exampleAzurePool: - baseDomain: blueprints.rhecoeng.com - clusters: - - Two - - three - name: azure-us - openshiftVersion: 4.10.18 - platform: - azure: - baseDomainResourceGroupName: dojo-dns-zones - region: eastus - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - name: acm-provision-edge - targetRevision: main - - helmOverrides: - - name: clusterGroup.isHubCluster - value: "false" - hostedArgoSites: - - domain: perth1.beekhof.net - name: perth - - domain: syd.beekhof.net - name: sydney - name: argo-edge - name: example - namespaces: - - open-cluster-management: - annotations: - openshift.io/cluster-monitoring: "true" - owner: namespace owner - labels: - kubernetes.io/os: linux - openshift.io/node-selector: "" - - 
application-ci - - excludes-ci - operatorgroupExcludes: - - excludes-ci - projects: - - datacenter - subscriptions: - acm: - channel: release-2.4 - csv: advanced-cluster-management.v2.4.1 - name: advanced-cluster-management - namespace: open-cluster-management - odh: - csv: opendatahub-operator.v1.1.0 - disabled: true - name: opendatahub-operator - source: community-operators - pipelines: - csv: redhat-openshift-pipelines.v1.5.2 - name: openshift-pipelines-operator-rh - targetCluster: in-cluster - enabled: all - global: - clusterDomain: region.example.com - git: - account: hybrid-cloud-patterns - dev_revision: main - email: someone@somewhere.com - hostname: github.com - hubClusterDomain: apps.hub.example.com - localClusterDomain: apps.region.example.com - multiClusterTarget: all - namespace: pattern-namespace - options: - applicationRetryLimit: 20 - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: false - pattern: mypattern - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - main: - clusterGroupName: example - git: - repoURL: https://github.com/pattern-clone/mypattern - revision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: mypattern-example-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: mypattern-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: mypattern-example - # NOTE: This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: mypattern-example ---- -# Source: clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-admin-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: 
clustergroup/templates/imperative/job.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: imperative-cronjob - namespace: imperative -spec: - schedule: "*/10 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: imperative-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: test - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. 
Can be overridden - # on a per-job basis - command: - - timeout - - "234" - - ansible-playbook - - -e - - "@/values/values.yaml" - - ansible/test.yml - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - restartPolicy: Never ---- -# Source: clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- https://github.com/pattern-clone/mypattern /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default timeout of 600s for each playbook. 
Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init,vault_spokes_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-23/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - restartPolicy: Never ---- -# Source: clustergroup/templates/core/subscriptions.yaml ---- ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: argo-edge - namespace: openshift-gitops -spec: - description: "Cluster Group argo-edge" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/projects.yaml -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: datacenter - namespace: mypattern-example -spec: - description: "Pattern datacenter" - destinations: - - namespace: '*' - server: '*' - clusterResourceWhitelist: - - group: '*' - kind: '*' - namespaceResourceWhitelist: - - group: '*' - kind: '*' - sourceRepos: - - '*' -status: {} ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: acm - namespace: mypattern-example - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: open-cluster-management - project: datacenter - source: - repoURL: 
https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/acm - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.region.example.com - ignoreDifferences: [ - { - "group": "internal.open-cluster-management.io", - "jsonPointers": [ - "/spec/loggingCA" - ], - "kind": "ManagedClusterInfo" - } -] - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/applications.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: pipelines - namespace: mypattern-example - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: application-ci - project: datacenter - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: charts/datacenter/pipelines - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.clusterDomain - value: region.example.com - - name: global.clusterVersion - value: "" - - name: global.clusterPlatform - value: "" - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: 
global.localClusterDomain - value: apps.region.example.com - syncPolicy: - automated: {} - retry: - limit: 20 ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-perth - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.perth1.beekhof.net - - name: global.clusterDomain - value: perth1.beekhof.net - - name: enabled - value: core - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: perth - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_perth - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: perth - namespace: mypattern-argo-edge - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-perth-plumbing - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - 
path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.perth1.beekhof.net - - name: global.clusterDomain - value: perth1.beekhof.net - - name: enabled - value: plumbing - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: perth - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_perth - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: in-cluster - namespace: openshift-gitops - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-sydney - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - 
value: apps.syd.beekhof.net - - name: global.clusterDomain - value: syd.beekhof.net - - name: enabled - value: core - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: sydney - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_sydney - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: sydney - namespace: mypattern-argo-edge - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/hosted-sites.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: mypattern-argo-edge-sydney-plumbing - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - project: argo-edge - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-argo-edge.yaml" - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: mypattern - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.localClusterDomain - value: apps.syd.beekhof.net - - name: global.clusterDomain - value: syd.beekhof.net - - name: enabled - value: plumbing - - name: clusterGroup.name - value: argo-edge - - name: clusterGroup.targetCluster - value: sydney - - name: clusterGroup.hostedSite.secretsPath - value: secret/data/hub/cluster_sydney - - name: clusterGroup.isHubCluster - value: "false" - destination: - name: in-cluster - namespace: openshift-gitops - syncPolicy: - automated: - selfHeal: true - ignoreDifferences: - - 
group: apps - kind: Deployment - jsonPointers: - - /spec/replicas - - group: route.openshift.io - kind: Route - jsonPointers: - - /status ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: mypattern-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: -# Adding health checks to argocd to prevent pvc resources -# that aren't bound state from blocking deployments - resourceCustomizations: | - PersistentVolumeClaim: - health.lua: | - hs = {} - if obj.status ~= nil then - if obj.status.phase ~= nil then - if obj.status.phase == "Pending" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - elseif obj.status.phase == "Bound" then - hs.status = "Healthy" - hs.message = obj.status.phase - return hs - end - end - end - hs.status = "Progressing" - hs.message = "Waiting for PVC" - return hs - applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . 
--name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=mypattern - --set global.clusterDomain=region.example.com - --set global.hubClusterDomain=apps.hub.example.com - --set global.localClusterDomain=apps.region.example.com - --set clusterGroup.name=example - --post-renderer ./kustomize"] - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - sso: - provider: dex - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: mypattern-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,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 - href: 'https://example-gitops-server-mypattern-example.apps.region.example.com' - location: ApplicationMenu - text: 'Example ArgoCD' 
---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: open-cluster-management-operator-group - namespace: open-cluster-management -spec: - targetNamespaces: - - open-cluster-management ---- -# Source: clustergroup/templates/core/operatorgroup.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: application-ci-operator-group - namespace: application-ci -spec: - targetNamespaces: - - application-ci ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: advanced-cluster-management - namespace: open-cluster-management -spec: - name: advanced-cluster-management - source: redhat-operators - sourceNamespace: openshift-marketplace - channel: release-2.4 - installPlanApproval: Automatic - startingCSV: advanced-cluster-management.v2.4.1 ---- -# Source: clustergroup/templates/core/subscriptions.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-pipelines-operator-rh - namespace: openshift-operators -spec: - name: openshift-pipelines-operator-rh - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - startingCSV: redhat-openshift-pipelines.v1.5.2 diff --git a/common/tests/clustergroup.expected.diff b/common/tests/clustergroup.expected.diff deleted file mode 100644 index c2fba541..00000000 --- a/common/tests/clustergroup.expected.diff +++ /dev/null 
@@ -1,381 +0,0 @@ ---- -# Source: pattern-clustergroup/templates/imperative/namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: imperative - argocd.argoproj.io/managed-by: common-example - name: imperative ---- -# Source: pattern-clustergroup/templates/plumbing/gitops-namespace.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - name: common-example - # The name here needs to be consistent with - # - acm/templates/policies/application-policies.yaml - # - clustergroup/templates/applications.yaml - # - any references to secrets and route URLs in documentation - name: common-example -spec: {} ---- -# Source: pattern-clustergroup/templates/imperative/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: imperative-sa - namespace: imperative ---- -# Source: pattern-clustergroup/templates/imperative/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: helm-values-configmap-example - namespace: imperative -data: - values.yaml: | - clusterGroup: - applications: [] - imperative: - activeDeadlineSeconds: 3600 - clusterRoleName: imperative-cluster-role - clusterRoleYaml: "" - cronJobName: imperative-cronjob - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - insecureUnsealVaultInsideClusterSchedule: '*/5 * * * *' - jobName: imperative-job - jobs: [] - namespace: imperative - roleName: imperative-role - roleYaml: "" - schedule: '*/10 * * * *' - serviceAccountCreate: true - serviceAccountName: imperative-sa - valuesConfigMap: helm-values-configmap - verbosity: "" - isHubCluster: true - managedClusterGroups: [] - name: example - namespaces: [] - projects: [] - subscriptions: [] - targetCluster: in-cluster - enabled: all - global: - options: - installPlanApproval: Automatic - syncPolicy: Automatic - useCSV: true - pattern: common - targetRevision: main - secretStore: - kind: ClusterSecretStore - name: vault-backend ---- -# Source: 
pattern-clustergroup/templates/imperative/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: imperative-cluster-role -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: imperative-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: imperative-cluster-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: openshift-gitops-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: openshift-gitops-argocd-application-controller - namespace: openshift-gitops - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - name: openshift-gitops-argocd-server - namespace: openshift-gitops ---- -# Source: pattern-clustergroup/templates/plumbing/argocd-super-role.yaml -# WARNING: ONLY USE THIS FOR MANAGING CLUSTERS NOT FOR REGULAR USERS -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: common-example-cluster-admin-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-application-controller - name: example-gitops-argocd-application-controller - namespace: common-example - # NOTE: THIS MUST BE FIXED FOR MULTITENANT SETUP - - kind: ServiceAccount - # This is the {ArgoCD.name}-argocd-server - name: example-gitops-argocd-server - namespace: common-example - # NOTE: 
This is needed starting with gitops-1.5.0 (see issue common#76) - - kind: ServiceAccount - name: example-gitops-argocd-dex-server - namespace: common-example ---- -# Source: pattern-clustergroup/templates/imperative/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: imperative-role - namespace: imperative -rules: - - apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' ---- -# Source: pattern-clustergroup/templates/imperative/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: imperative-admin-rolebinding - namespace: imperative -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: imperative-role -subjects: - - kind: ServiceAccount - name: imperative-sa - namespace: imperative ---- -# Source: pattern-clustergroup/templates/imperative/unsealjob.yaml -apiVersion: batch/v1 -kind: CronJob -metadata: - name: unsealvault-cronjob - namespace: imperative -spec: - schedule: "*/5 * * * *" - # if previous Job is still running, skip execution of a new Job - concurrencyPolicy: Forbid - jobTemplate: - spec: - activeDeadlineSeconds: 3600 - template: - metadata: - name: unsealvault-job - spec: - serviceAccountName: imperative-sa - initContainers: - # git init happens in /git/repo so that we can set the folder to 0770 permissions - # reason for that is ansible refuses to create temporary folders in there - - name: git-init - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - command: - - 'sh' - - '-c' - - "mkdir /git/{repo,home};git clone --single-branch --branch main --depth 1 -- /git/repo;chmod 0770 /git/{repo,home}" - volumeMounts: - - name: git - mountPath: "/git" - - name: unseal-playbook - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - env: - - name: HOME - value: /git/home - workingDir: /git/repo - # We have a default 
timeout of 600s for each playbook. Can be overridden - # on a per-job basis - command: - - timeout - - "600" - - ansible-playbook - - -e - - "@/values/values.yaml" - - -t - - 'vault_init,vault_unseal,vault_secrets_init' - - "common/ansible/playbooks/vault/vault.yaml" - volumeMounts: - - name: git - mountPath: "/git" - - name: values-volume - mountPath: /values/values.yaml - subPath: values.yaml - containers: - - name: "done" - image: registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest - imagePullPolicy: Always - command: - - 'sh' - - '-c' - - 'echo' - - 'done' - - '\n' - volumes: - - name: git - emptyDir: {} - - name: values-volume - configMap: - name: helm-values-configmap-example - restartPolicy: Never ---- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - finalizers: - - argoproj.io/finalizer - # Changing the name affects the ClusterRoleBinding, the generated secret, - # route URL, and argocd.argoproj.io/managed-by annotations - name: example-gitops - namespace: common-example - annotations: - argocd.argoproj.io/compare-options: IgnoreExtraneous -spec: - applicationInstanceLabelKey: argocd.argoproj.io/instance - # Not the greatest way to pass git/quay info to sub-applications, but it will do until - # we can support helmChart with kustomize - # The other option is to pass them in as environment variables eg. BLUEPRINT_VERSION - configManagementPlugins: | - - name: kustomize-version - generate: - command: ["sh", "-c"] - args: ["kustomize version 1>&2 && exit 1"] - - name: kustomize-with-helm - generate: - command: ["kustomize"] - args: ["build", "--enable-helm"] - - name: helm-with-kustomize - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: ["/bin/bash", "-c"] - args: ["helm template . 
--name-template ${ARGOCD_APP_NAME:0:52} - -f $(git rev-parse --show-toplevel)/values-global.yaml - -f $(git rev-parse --show-toplevel)/values-example.yaml - --set global.repoURL=$ARGOCD_APP_SOURCE_REPO_URL - --set global.targetRevision=$ARGOCD_APP_SOURCE_TARGET_REVISION - --set global.namespace=$ARGOCD_APP_NAMESPACE - --set global.pattern=common - --set global.clusterDomain= - --set global.hubClusterDomain= - --set global.localClusterDomain= - --set clusterGroup.name=example - --post-renderer ./kustomize"] - applicationSet: - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 250m - memory: 512Mi - controller: - processors: {} - resources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: 500m - memory: 2Gi - dex: - openShiftOAuth: true - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 250m - memory: 128Mi - initialSSHKnownHosts: {} - rbac: - defaultPolicy: role:admin - repo: - resources: - limits: - cpu: "1" - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - resourceExclusions: | - - apiGroups: - - tekton.dev - kinds: - - TaskRun - - PipelineRun - server: - autoscale: - enabled: false - grpc: - ingress: - enabled: false - ingress: - enabled: false - resources: - limits: - cpu: 500m - memory: 256Mi - requests: - cpu: 125m - memory: 128Mi - route: - enabled: true - tls: - insecureEdgeTerminationPolicy: Redirect - termination: reencrypt - service: - type: "" - tls: - ca: {} -status: ---- -# Source: pattern-clustergroup/templates/plumbing/argocd.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: example-gitops-link - namespace: common-example -spec: - applicationMenu: - section: OpenShift GitOps - imageURL: data:image/png;base64,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 - href: 'https://example-gitops-server-common-example.' - location: ApplicationMenu - text: 'Example ArgoCD' 
diff --git a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml deleted file mode 100644 index c1a23515..00000000 --- a/common/tests/golang-external-secrets-industrial-edge-factory.expected.yaml +++ /dev/null 
@@ -1,8461 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: 
golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. 
how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io - type: string - scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. 
\n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. 
- type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - - namespaceSelector - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. 
- type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. 
- type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 
- properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 
- type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. 
- properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. 
- properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. 
Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. 
- properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. 
For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: You can assume a role before making calls to the desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. 
- properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. 
- properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - data: - additionalProperties: - type: string - description: Data defines the static data returned by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. - type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: 
.status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' 
- type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. 
- properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. 
- properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. 
If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. 
- properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 
- type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. - properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" 
- resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - 
apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - 
"external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: 
external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: 
golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: "default" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false 
- capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: 
- name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: 
Secret - name: hub-ca - key: hub-kube-root-ca.crt - namespace: imperative - - auth: - kubernetes: - - mountPath: region.example.com - role: region.example.com-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - 
clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml b/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml deleted file mode 100644 index 7ae2a78f..00000000 --- a/common/tests/golang-external-secrets-industrial-edge-hub.expected.yaml +++ /dev/null 
@@ -1,8461 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: 
golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. 
how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io - type: string - scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. 
\n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. 
- type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - - namespaceSelector - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. 
- type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. 
- type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 
- properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 
- type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. 
- properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. 
- properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. 
Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. 
- properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. 
For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: You can assume a role before making calls to the desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. 
- properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. 
- properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - data: - additionalProperties: - type: string - description: Data defines the static data returned by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. - type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: 
.status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' 
- type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. 
- properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. 
- properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. 
If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. 
- properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 
- type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. - properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" 
- resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - 
apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - 
"external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: 
external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: 
golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: "default" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false 
- capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: 
- name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: 
ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - 
service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail
diff --git a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml b/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml
deleted file mode 100644
index 7ae2a78f..00000000
--- a/common/tests/golang-external-secrets-medical-diagnosis-hub.expected.yaml
+++ /dev/null
@@ -1,8461 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: 
golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. 
how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io - type: string - scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. 
\n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. 
- type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - - namespaceSelector - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. 
- type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. 
- type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 
- properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 
- type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. 
- properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. 
- properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. 
Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. 
- properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. 
For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: You can assume a role before making calls to the desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. 
- properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. 
- properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - data: - additionalProperties: - type: string - description: Data defines the static data returned by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. - type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: 
.status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' 
- type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. 
- properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. 
- properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. 
If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. 
- properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 
- type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. - properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" 
- resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - 
apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - 
"external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: 
external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: 
golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: "default" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false 
- capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: 
- name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: 
ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - 
service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets-naked.expected.yaml b/common/tests/golang-external-secrets-naked.expected.yaml deleted file mode 100644 index 518bda17..00000000 --- a/common/tests/golang-external-secrets-naked.expected.yaml +++ /dev/null 
@@ -1,8461 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: 
golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. 
how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io - type: string - scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. 
\n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. 
- type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - - namespaceSelector - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. 
- type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. 
- type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 
- properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 
- type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. 
- properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. 
- properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. 
Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. 
- properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. 
For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: You can assume a role before making calls to the desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. 
- properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. 
- properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - data: - additionalProperties: - type: string - description: Data defines the static data returned by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. - type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: 
.status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' 
- type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. 
- properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. 
- properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. 
If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. 
- properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 
- type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. - properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" 
- resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - 
apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - 
"external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: 
external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: 
golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: "default" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false 
- capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: 
- name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: 
ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - 
service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets-normal.expected.yaml b/common/tests/golang-external-secrets-normal.expected.yaml deleted file mode 100644 index 7ae2a78f..00000000 --- a/common/tests/golang-external-secrets-normal.expected.yaml +++ /dev/null 
@@ -1,8461 +0,0 @@ ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: v1 -kind: Secret -metadata: - name: golang-external-secrets - namespace: 
golang-external-secrets - annotations: - kubernetes.io/service-account.name: golang-external-secrets -type: kubernetes.io/service-account-token ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/acraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: acraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - acraccesstoken - kind: ACRAccessToken - listKind: ACRAccessTokenList - plural: acraccesstokens - shortNames: - - acraccesstoken - singular: acraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. 
how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' - properties: - auth: - properties: - managedIdentity: - description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure. - properties: - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - type: object - servicePrincipal: - description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. - properties: - secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - secretRef - type: object - workloadIdentity: - description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. - properties: - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - type: object - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io - type: string - scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. 
\n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" - type: string - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - required: - - auth - - registry - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clusterexternalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clusterexternalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterExternalSecret - listKind: ClusterExternalSecretList - plural: clusterexternalsecrets - shortNames: - - ces - singular: clusterexternalsecret - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret. - properties: - externalSecretName: - description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret - type: string - externalSecretSpec: - description: The spec for the ExternalSecrets to be created - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. 
Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. - properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. 
- type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. - properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. 
- properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - namespaceSelector: - description: The labels to select by to find the Namespaces to create the ExternalSecrets in. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - refreshTime: - description: The time in which the controller should reconcile it's objects and recheck namespaces for labels. - type: string - required: - - externalSecretSpec - - namespaceSelector - type: object - status: - description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret. - properties: - conditions: - items: - properties: - message: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - failedNamespaces: - description: Failed namespaces are the namespaces that failed to apply an ExternalSecret - items: - description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason. 
- properties: - namespace: - description: Namespace is the namespace that failed when trying to apply an ExternalSecret - type: string - reason: - description: Reason is why the ExternalSecret failed to apply to the namespace - type: string - required: - - namespace - type: object - type: array - provisionedNamespaces: - description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets - items: - type: string - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/clustersecretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: clustersecretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ClusterSecretStore - listKind: ClusterSecretStoreList - plural: clustersecretstores - shortNames: - - css - singular: clustersecretstore - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. 
- type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. 
- type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. 
- properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. 
- type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. 
- properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. 
- properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. 
Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. 
- properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/ecrauthorizationtoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: ecrauthorizationtokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - ecrauthorizationtoken - kind: ECRAuthorizationToken - listKind: ECRAuthorizationTokenList - plural: ecrauthorizationtokens - shortNames: - - ecrauthorizationtoken - singular: ecrauthorizationtoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. 
For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines how to authenticate with AWS - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - region: - description: Region specifies the region to operate in. - type: string - role: - description: You can assume a role before making calls to the desired AWS service. - type: string - required: - - region - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/externalsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: externalsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: ExternalSecret - listKind: ExternalSecretList - plural: externalsecrets - shortNames: - - es - singular: externalsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. - properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: ExternalSecretDataRemoteRef defines Provider data location. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - type: string - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - description: ExternalSecretDataRemoteRef defines Provider data location. 
- properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - maxProperties: 1 - minProperties: 1 - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - type: object - type: array - type: - type: string - type: object - type: object - required: - - secretStoreRef - - target - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.secretStoreRef.name - name: Store - type: string - - jsonPath: .spec.refreshInterval - name: Refresh Interval - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ExternalSecret is the Schema for the external-secrets API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExternalSecretSpec defines the desired state of ExternalSecret. 
- properties: - data: - description: Data defines the connection between the Kubernetes Secret keys and the Provider data - items: - description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. - properties: - remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret - type: string - sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - required: - - remoteRef - - secretKey - type: object - type: array - dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order - items: - properties: - extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - key: - description: Key is the key used in the Provider, mandatory - type: string - metadataPolicy: - description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None - type: string - property: - description: Used to select a specific property of the Provider value (if a map), if supported - type: string - version: - description: Used to select a specific version of the Provider value, if supported - type: string - required: - - key - type: object - find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' - properties: - conversionStrategy: - default: Default - description: Used to define a conversion Strategy - type: string - decodingStrategy: - default: None - description: Used to define a decoding Strategy - type: string - name: - description: Finds secrets based on the name. 
- properties: - regexp: - description: Finds secrets base - type: string - type: object - path: - description: A root path to start the find operations. - type: string - tags: - additionalProperties: - type: string - description: Find secrets based on tags. - type: object - type: object - rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) - items: - properties: - regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. - properties: - source: - description: Used to define the regular expression of a re.Compiler. - type: string - target: - description: Used to define the target pattern of a ReplaceAll operation. - type: string - required: - - source - - target - type: object - type: object - type: array - sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values - maxProperties: 1 - properties: - generatorRef: - description: GeneratorRef points to a generator custom resource in - properties: - apiVersion: - default: generators.external-secrets.io/v1alpha1 - description: Specify the apiVersion of the generator resource - type: string - kind: - description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc. - type: string - name: - description: Specify the name of the generator resource - type: string - required: - - kind - - name - type: object - storeRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. 
- properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - type: object - type: object - type: array - refreshInterval: - default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. - type: string - secretStoreRef: - description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. - properties: - kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - name: - description: Name of the SecretStore resource - type: string - required: - - name - type: object - target: - default: - creationPolicy: Owner - deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. - properties: - creationPolicy: - default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' - enum: - - Owner - - Orphan - - Merge - - None - type: string - deletionPolicy: - default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' - enum: - - Delete - - Merge - - Retain - type: string - immutable: - description: Immutable defines if the final secret will be immutable - type: boolean - name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource - type: string - template: - description: Template defines a blueprint for the created Secret resource. 
- properties: - data: - additionalProperties: - type: string - type: object - engineVersion: - default: v2 - type: string - mergePolicy: - default: Replace - type: string - metadata: - description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - templateFrom: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - literal: - type: string - secret: - properties: - items: - items: - properties: - key: - type: string - templateAs: - default: Values - type: string - required: - - key - type: object - type: array - name: - type: string - required: - - items - - name - type: object - target: - default: Data - type: string - type: object - type: array - type: - type: string - type: object - type: object - type: object - status: - properties: - binding: - description: Binding represents a servicebinding.io Provisioned Service reference to the secret - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - x-kubernetes-map-type: atomic - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/fake.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: fakes.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - fake - kind: Fake - listKind: FakeList - plural: fakes - shortNames: - - fake - singular: fake - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: FakeSpec contains the static data. - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - data: - additionalProperties: - type: string - description: Data defines the static data returned by this generator. - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/gcraccesstoken.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: gcraccesstokens.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - gcraccesstoken - kind: GCRAccessToken - listKind: GCRAccessTokenList - plural: gcraccesstokens - shortNames: - - gcraccesstoken - singular: gcraccesstoken - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - auth: - description: Auth defines the means for authenticating with GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID defines which project to use to authenticate with - type: string - required: - - auth - - projectID - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/password.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: passwords.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - password - kind: Password - listKind: PasswordList - plural: passwords - shortNames: - - password - singular: password - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PasswordSpec controls the behavior of the password generator. - properties: - allowRepeat: - default: false - description: set AllowRepeat to true to allow repeating characters. - type: boolean - digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - length: - default: 24 - description: Length of the password to be generated. Defaults to 24 - type: integer - noUpper: - default: false - description: Set NoUpper to disable uppercase characters - type: boolean - symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. - type: string - symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password - type: integer - required: - - allowRepeat - - length - - noUpper - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/pushsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: pushsecrets.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - pushsecrets - kind: PushSecret - listKind: PushSecretList - plural: pushsecrets - singular: pushsecret - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: 
.status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PushSecretSpec configures the behavior of the PushSecret. - properties: - data: - description: Secret Data that should be pushed to providers - items: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: array - deletionPolicy: - default: None - description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".' 
- type: string - refreshInterval: - description: The Interval to which External Secrets will try to push a secret definition - type: string - secretStoreRefs: - items: - properties: - kind: - default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` - type: string - labelSelector: - description: Optionally, sync to secret stores with label selector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - name: - description: Optionally, sync to the SecretStore of the given name - type: string - type: object - type: array - selector: - description: The Secret Selector (k8s source) for the Push Secret - properties: - secret: - description: Select a Secret to Push. 
- properties: - name: - description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest. - type: string - required: - - name - type: object - required: - - secret - type: object - required: - - secretStoreRefs - - selector - type: object - status: - description: PushSecretStatus indicates the history of the status of PushSecret. - properties: - conditions: - items: - description: PushSecretStatusCondition indicates the status of the PushSecret. - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - description: PushSecretConditionType indicates the condition of the PushSecret. - type: string - required: - - status - - type - type: object - type: array - refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated - format: date-time - nullable: true - type: string - syncedPushSecrets: - additionalProperties: - additionalProperties: - properties: - match: - description: Match a given Secret Key to be pushed to the provider. - properties: - remoteRef: - description: Remote Refs to push to providers. - properties: - property: - description: Name of the property in the resulting secret - type: string - remoteKey: - description: Name of the resulting provider secret. - type: string - required: - - remoteKey - type: object - secretKey: - description: Secret Key to be pushed - type: string - required: - - remoteRef - - secretKey - type: object - required: - - match - type: object - type: object - description: Synced Push Secrets for later deletion. Matches Secret Stores to PushSecretData that was stored to that secretStore. - type: object - syncedResourceVersion: - description: SyncedResourceVersion keeps track of the last synced version. 
- type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/secretstore.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: secretstores.external-secrets.io -spec: - group: external-secrets.io - names: - categories: - - externalsecrets - kind: SecretStore - listKind: SecretStoreList - plural: secretstores - shortNames: - - ss - singular: secretstore - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - deprecated: true - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. 
- properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. 
If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. - type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - SecretRef - type: object - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. 
- properties: - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - secretRef - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - serviceAccount: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. 
- type: string - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - roleId - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. - items: - type: string - type: array - expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - type: object - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: AGE - type: date - - jsonPath: .status.conditions[?(@.type=="Ready")].reason - name: Status - type: string - - jsonPath: .status.capabilities - name: Capabilities - type: string - - jsonPath: .status.conditions[?(@.type=="Ready")].status - name: Ready - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretStoreSpec defines the desired state of SecretStore. - properties: - conditions: - description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore - items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. - properties: - namespaceSelector: - description: Choose namespace using a labelSelector - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Choose namespaces by name - items: - type: string - type: array - type: object - type: array - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' - type: string - provider: - description: Used to configure the provider. Only one provider may be set - maxProperties: 1 - minProperties: 1 - properties: - akeyless: - description: Akeyless configures this store to sync secrets using Akeyless Vault provider - properties: - akeylessGWApiURL: - description: Akeyless GW API Url from which the secrets to be fetched from. - type: string - authSecretRef: - description: Auth configures how the operator authenticates with Akeyless. - properties: - kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. - properties: - accessID: - description: the Akeyless Kubernetes auth-method access-id - type: string - k8sConfName: - description: Kubernetes-auth configuration name in Akeyless-Gateway - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - accessID - - k8sConfName - type: object - secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. - properties: - accessID: - description: The SecretAccessID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Akeyless Gateway certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - required: - - akeylessGWApiURL - - authSecretRef - type: object - alibaba: - description: Alibaba configures this store to sync secrets using Alibaba Cloud provider - properties: - auth: - description: AlibabaAuth contains a secretRef for credentials. - properties: - rrsa: - description: Authenticate against Alibaba using RRSA. - properties: - oidcProviderArn: - type: string - oidcTokenFilePath: - type: string - roleArn: - type: string - sessionName: - type: string - required: - - oidcProviderArn - - oidcTokenFilePath - - roleArn - - sessionName - type: object - secretRef: - description: AlibabaAuthSecretRef holds secret references for Alibaba credentials. - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - accessKeySecretSecretRef: - description: The AccessKeySecret is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - accessKeyIDSecretRef - - accessKeySecretSecretRef - type: object - type: object - regionID: - description: Alibaba Region to be used for the provider - type: string - required: - - auth - - regionID - type: object - aws: - description: AWS configures this store to sync secrets using AWS Secret Manager provider - properties: - additionalRoles: - description: AdditionalRoles is a chained list of Role ARNs which the SecretManager provider will sequentially assume before assuming Role - items: - type: string - type: array - auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' - properties: - jwt: - description: Authenticate against AWS using service account tokens. - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. 
- properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - type: object - externalID: - description: AWS External ID set on assumed IAM roles - type: string - region: - description: AWS Region to be used for the provider - type: string - role: - description: Role is a Role ARN which the SecretManager provider will assume - type: string - service: - description: Service defines which service should be used to fetch the secrets - enum: - - SecretsManager - - ParameterStore - type: string - required: - - region - - service - type: object - azurekv: - description: AzureKV configures this store to sync secrets using Azure Key Vault provider - properties: - authSecretRef: - description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. - properties: - clientId: - description: The Azure clientId of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientSecret: - description: The Azure ClientSecret of the service principle used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - authType: - default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' - enum: - - ServicePrincipal - - ManagedIdentity - - WorkloadIdentity - type: string - environmentType: - default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' - enum: - - PublicCloud - - USGovernmentCloud - - ChinaCloud - - GermanCloud - type: string - identityId: - description: If multiple Managed Identity is assigned to the pod, you can select the one to be used - type: string - serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - tenantId: - description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. 
- type: string - vaultUrl: - description: Vault Url from which the secrets to be fetched from. - type: string - required: - - vaultUrl - type: object - doppler: - description: Doppler configures this store to sync secrets using the Doppler provider - properties: - auth: - description: Auth configures how the Operator authenticates with the Doppler API - properties: - secretRef: - properties: - dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - dopplerToken - type: object - required: - - secretRef - type: object - config: - description: Doppler config (required if not using a Service Token) - type: string - format: - description: Format enables the downloading of secrets as a file (string) - enum: - - json - - dotnet-json - - env - - yaml - - docker - type: string - nameTransformer: - description: Environment variable compatible name transforms that change secret names to a different format - enum: - - upper-camel - - camel - - lower-snake - - tf-var - - dotnet-env - type: string - project: - description: Doppler project (required if not using a Service Token) - type: string - required: - - auth - type: object - fake: - description: Fake configures a store with static key/value pairs - properties: - data: - items: - properties: - key: - type: string - value: - type: string - valueMap: - additionalProperties: - type: string - type: object - version: - type: string - required: - - key - type: object - type: array - required: - - data - type: object - gcpsm: - description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider - properties: - auth: - description: Auth defines the information necessary to authenticate against GCP - properties: - secretRef: - properties: - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - workloadIdentity: - properties: - clusterLocation: - type: string - clusterName: - type: string - clusterProjectID: - type: string - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - clusterLocation - - clusterName - - serviceAccountRef - type: object - type: object - projectID: - description: ProjectID project where secret is located - type: string - type: object - gitlab: - description: GitLab configures this store to sync secrets using GitLab Variables provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a GitLab instance. - properties: - SecretRef: - properties: - accessToken: - description: AccessToken is used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - SecretRef - type: object - environment: - description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments) - type: string - groupIDs: - description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables. - items: - type: string - type: array - inheritFromGroups: - description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets. - type: boolean - projectID: - description: ProjectID specifies a project where secrets are located. - type: string - url: - description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. - type: string - required: - - auth - type: object - ibm: - description: IBM configures this store to sync secrets using IBM Cloud provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the IBM secrets manager. - maxProperties: 1 - minProperties: 1 - properties: - containerAuth: - description: IBM Container-based auth with IAM Trusted Profile. - properties: - iamEndpoint: - type: string - profile: - description: the IBM Trusted Profile - type: string - tokenLocation: - description: Location the token is mounted on the pod - type: string - required: - - profile - type: object - secretRef: - properties: - secretApiKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - serviceUrl: - description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance - type: string - required: - - auth - type: object - keepersecurity: - description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider - properties: - authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - folderID: - type: string - required: - - authRef - - folderID - type: object - kubernetes: - description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider - properties: - auth: - description: Auth configures how secret-manager authenticates with a Kubernetes instance. - maxProperties: 1 - minProperties: 1 - properties: - cert: - description: has both clientCert and clientKey as secretKeySelector - properties: - clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - serviceAccount: - description: points to a service account that should be used for authentication - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - token: - description: use static token to authenticate with - properties: - bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. 
- type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - type: object - remoteNamespace: - default: default - description: Remote namespace to fetch the secrets from - type: string - server: - description: configures the Kubernetes server Address. - properties: - caBundle: - description: CABundle is a base64-encoded CA certificate - format: byte - type: string - caProvider: - description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider' - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - url: - default: kubernetes.default - description: configures the Kubernetes server Address. - type: string - type: object - required: - - auth - type: object - onepassword: - description: OnePassword configures this store to sync secrets using the 1Password Cloud provider - properties: - auth: - description: Auth defines the information necessary to authenticate against OnePassword Connect Server - properties: - secretRef: - description: OnePasswordAuthSecretRef holds secret references for 1Password credentials. - properties: - connectTokenSecretRef: - description: The ConnectToken is used for authentication to a 1Password Connect Server. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - connectTokenSecretRef - type: object - required: - - secretRef - type: object - connectHost: - description: ConnectHost defines the OnePassword Connect Server to connect to - type: string - vaults: - additionalProperties: - type: integer - description: Vaults defines which OnePassword vaults to search in which order - type: object - required: - - auth - - connectHost - - vaults - type: object - oracle: - description: Oracle configures this store to sync secrets using Oracle Vault provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. - properties: - secretRef: - description: SecretRef to pass through sensitive information. - properties: - fingerprint: - description: Fingerprint is the fingerprint of the API private key. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - privatekey: - description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - fingerprint - - privatekey - type: object - tenancy: - description: Tenancy is the tenancy OCID where user is located. - type: string - user: - description: User is an access OCID specific to the account. - type: string - required: - - secretRef - - tenancy - - user - type: object - region: - description: Region is the region where vault is located. - type: string - vault: - description: Vault is the vault's OCID of the specific vault where secret is located. - type: string - required: - - region - - vault - type: object - scaleway: - description: Scaleway - properties: - accessKey: - description: AccessKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - apiUrl: - description: APIURL is the url of the api to use. 
Defaults to https://api.scaleway.com - type: string - projectId: - description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings' - type: string - region: - description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone' - type: string - secretKey: - description: SecretKey is the non-secret part of the api key. - properties: - secretRef: - description: SecretRef references a key in a secret that will be used as value. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - value: - description: Value can be specified directly to set a value without using a secret. - type: string - type: object - required: - - accessKey - - projectId - - region - - secretKey - type: object - senhasegura: - description: Senhasegura configures this store to sync secrets using senhasegura provider - properties: - auth: - description: Auth defines parameters to authenticate in senhasegura - properties: - clientId: - type: string - clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - clientId - - clientSecretSecretRef - type: object - ignoreSslCertificate: - default: false - description: IgnoreSslCertificate defines if SSL certificate must be ignored - type: boolean - module: - description: Module defines which senhasegura module should be used to get secrets - type: string - url: - description: URL of senhasegura - type: string - required: - - auth - - module - - url - type: object - vault: - description: Vault configures this store to sync secrets using Hashi provider - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. 
In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. - properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". 
- enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - webhook: - description: Webhook configures this store to sync secrets using a generic templated webhook - properties: - body: - description: Body - type: string - caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate webhook server certificate. - properties: - key: - description: The key the value inside of the provider type to use, only used with "Secret" type - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - headers: - additionalProperties: - type: string - description: Headers - type: object - method: - description: Webhook Method - type: string - result: - description: Result formatting - properties: - jsonPath: - description: Json path of return value - type: string - type: object - secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name - items: - properties: - name: - description: Name of this secret in templates - type: string - secretRef: - description: Secret ref to fill in credentials - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - required: - - name - - secretRef - type: object - type: array - timeout: - description: Timeout - type: string - url: - description: Webhook url to call - type: string - required: - - result - - url - type: object - yandexcertificatemanager: - description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Certificate Manager - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - type: object - type: object - required: - - auth - type: object - yandexlockbox: - description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider - properties: - apiEndpoint: - description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443') - type: string - auth: - description: Auth defines the information necessary to authenticate against Yandex Lockbox - properties: - authorizedKeySecretRef: - description: The authorized key used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caProvider: - description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. - properties: - certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - required: - - auth - type: object - type: object - refreshInterval: - description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config. 
- type: integer - retrySettings: - description: Used to configure http retries if failed - properties: - maxRetries: - format: int32 - type: integer - retryInterval: - type: string - type: object - required: - - provider - type: object - status: - description: SecretStoreStatus defines the observed state of the SecretStore. - properties: - capabilities: - description: SecretStoreCapabilities defines the possible operations a SecretStore can do. - type: string - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - status - - type - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/crds/vaultdynamicsecret.yaml -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.4 - name: vaultdynamicsecrets.generators.external-secrets.io -spec: - group: generators.external-secrets.io - names: - categories: - - vaultdynamicsecret - kind: VaultDynamicSecret - listKind: VaultDynamicSecretList - plural: vaultdynamicsecrets - shortNames: - - vaultdynamicsecret - singular: vaultdynamicsecret - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' - type: string - method: - description: Vault API method to use (GET/POST/other) - type: string - parameters: - description: Parameters to pass to Vault write (for non-GET methods) - x-kubernetes-preserve-unknown-fields: true - path: - description: Vault path to obtain the dynamic secret from - type: string - provider: - description: Vault provider common spec - properties: - auth: - description: Auth configures how secret-manager authenticates with the Vault server. - properties: - appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. - properties: - path: - default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' - type: string - roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. - type: string - roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. 
- properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - - secretRef - type: object - cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method - properties: - clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method - properties: - externalID: - description: AWS External ID set on assumed IAM roles - type: string - jwt: - description: Specify a service account with IRSA enabled - properties: - serviceAccountRef: - description: A reference to a ServiceAccount resource. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - type: object - path: - description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"' - type: string - region: - description: AWS region - type: string - role: - description: This is the AWS role to be assumed before talking to vault - type: string - secretRef: - description: Specify credentials in a Secret object - properties: - accessKeyIDSecretRef: - description: The AccessKeyID is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
- type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - vaultAwsIamServerID: - description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws' - type: string - vaultRole: - description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine - type: string - required: - - vaultRole - type: object - jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method - properties: - kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. - properties: - audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' - items: - type: string - type: array - expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' - format: int64 - type: integer - serviceAccountRef: - description: Service account field containing the name of a kubernetes ServiceAccount. 
- properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - required: - - name - type: object - required: - - serviceAccountRef - type: object - path: - default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' - type: string - role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method - type: string - secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - required: - - path - type: object - kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
- properties: - mountPath: - default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' - type: string - role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. - type: string - secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. - properties: - audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list - items: - type: string - type: array - name: - description: The name of the ServiceAccount resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
- type: string - required: - - name - type: object - required: - - mountPath - - role - type: object - ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method - properties: - path: - default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' - type: string - secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method - type: string - required: - - path - - username - type: object - tokenSecretRef: - description: TokenSecretRef authenticates with Vault by presenting a token. - properties: - key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. - type: string - name: - description: The name of the Secret resource being referred to. - type: string - namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. - type: string - type: object - type: object - caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. 
This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. - format: byte - type: string - caProvider: - description: The provider for the CA bundle to use to validate Vault server certificate. - properties: - key: - description: The key where the CA certificate can be found in the Secret or ConfigMap. - type: string - name: - description: The name of the object located at the provider type. - type: string - namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. - type: string - type: - description: The type of provider to use such as "Secret", or "ConfigMap". - enum: - - Secret - - ConfigMap - type: string - required: - - name - - type - type: object - forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header - type: boolean - namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' - type: string - path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' - type: string - readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency - type: boolean - server: - description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' - type: string - version: - default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". - enum: - - v1 - - v2 - type: string - required: - - auth - - server - type: object - resultType: - default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. - type: string - required: - - path - - provider - type: object - type: object - served: true - storage: true - subresources: - status: {} - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: - - v1 - clientConfig: - service: - name: golang-external-secrets-webhook - namespace: "default" - path: /convert ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "apiextensions.k8s.io" - resources: - - "customresourcedefinitions" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "admissionregistration.k8s.io" - resources: - - "validatingwebhookconfigurations" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "" 
- resources: - - "endpoints" - verbs: - - "list" - - "get" - - "watch" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "update" - - "patch" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "secretstores" - - "clustersecretstores" - - "externalsecrets" - - "clusterexternalsecrets" - - "pushsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "externalsecrets/status" - - "externalsecrets/finalizers" - - "secretstores" - - "secretstores/status" - - "secretstores/finalizers" - - "clustersecretstores" - - "clustersecretstores/status" - - "clustersecretstores/finalizers" - - "clusterexternalsecrets" - - "clusterexternalsecrets/status" - - "clusterexternalsecrets/finalizers" - - "pushsecrets" - - "pushsecrets/status" - - "pushsecrets/finalizers" - verbs: - - "update" - - "patch" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "serviceaccounts" - - "namespaces" - verbs: - - "get" - - "list" - - "watch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "get" - - "list" - - "watch" - - 
apiGroups: - - "" - resources: - - "secrets" - verbs: - - "get" - - "list" - - "watch" - - "create" - - "update" - - "delete" - - "patch" - - apiGroups: - - "" - resources: - - "serviceaccounts/token" - verbs: - - "create" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "create" - - "patch" - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "create" - - "update" - - "delete" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-view - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-view: "true" - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "get" - - "watch" - - "list" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-edit - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - rbac.authorization.k8s.io/aggregate-to-edit: "true" - rbac.authorization.k8s.io/aggregate-to-admin: "true" -rules: - - apiGroups: - - 
"external-secrets.io" - resources: - - "externalsecrets" - - "secretstores" - - "clustersecretstores" - - "pushsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" - - apiGroups: - - "generators.external-secrets.io" - resources: - - "acraccesstokens" - - "ecrauthorizationtokens" - - "fakes" - - "gcraccesstokens" - - "passwords" - - "vaultdynamicsecrets" - verbs: - - "create" - - "delete" - - "deletecollection" - - "patch" - - "update" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: golang-external-secrets-servicebindings - labels: - servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "external-secrets.io" - resources: - - "externalsecrets" - verbs: - - "get" - - "list" - - "watch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-cert-controller - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-cert-controller -subjects: - - name: external-secrets-cert-controller - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: golang-external-secrets-controller - labels: - helm.sh/chart: 
external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: golang-external-secrets-controller -subjects: - - name: golang-external-secrets - namespace: "default" - kind: ServiceAccount ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: role-tokenreview-binding - namespace: default -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: golang-external-secrets - namespace: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -rules: - - apiGroups: - - "" - resources: - - "configmaps" - resourceNames: - - "external-secrets-controller" - verbs: - - "get" - - "update" - - "patch" - - apiGroups: - - "" - resources: - - "configmaps" - verbs: - - "create" - - apiGroups: - - "coordination.k8s.io" - resources: - - "leases" - verbs: - - "get" - - "create" - - "update" - - "patch" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: golang-external-secrets-leaderelection - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: 
golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: golang-external-secrets-leaderelection -subjects: - - kind: ServiceAccount - name: golang-external-secrets - namespace: "default" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm - external-secrets.io/component: webhook -spec: - type: ClusterIP - ports: - - port: 443 - targetPort: 10250 - protocol: TCP - name: webhook - selector: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets ---- -# Source: golang-external-secrets/charts/external-secrets/templates/cert-controller-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets-cert-controller - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: external-secrets-cert-controller - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: cert-controller - securityContext: - allowPrivilegeEscalation: false 
- capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - certcontroller - - --crd-requeue-interval=5m - - --service-name=golang-external-secrets-webhook - - --service-namespace=default - - --secret-name=golang-external-secrets-webhook - - --secret-namespace=default - - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: golang-external-secrets - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets - app.kubernetes.io/instance: golang-external-secrets - spec: - serviceAccountName: golang-external-secrets - automountServiceAccountToken: true - hostNetwork: false - containers: - - name: external-secrets - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - --concurrent=1 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics ---- -# Source: golang-external-secrets/charts/external-secrets/templates/webhook-deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: 
- name: golang-external-secrets-webhook - namespace: "default" - labels: - helm.sh/chart: external-secrets-0.8.3 - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - app.kubernetes.io/version: "v0.8.3" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - template: - metadata: - labels: - app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/instance: golang-external-secrets - spec: - hostNetwork: false - serviceAccountName: external-secrets-webhook - automountServiceAccountToken: true - containers: - - name: webhook - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" - imagePullPolicy: IfNotPresent - args: - - webhook - - --port=10250 - - --dns-name=golang-external-secrets-webhook.default.svc - - --cert-dir=/tmp/certs - - --check-interval=5m - - --metrics-addr=:8080 - - --healthz-addr=:8081 - ports: - - containerPort: 8080 - protocol: TCP - name: metrics - - containerPort: 10250 - protocol: TCP - name: webhook - readinessProbe: - httpGet: - port: 8081 - path: /readyz - initialDelaySeconds: 20 - periodSeconds: 5 - volumeMounts: - - name: certs - mountPath: /tmp/certs - readOnly: true - volumes: - - name: certs - secret: - secretName: golang-external-secrets-webhook ---- -# Source: golang-external-secrets/templates/golang-external-secrets-hub-secretstore.yaml -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-backend - namespace: golang-external-secrets -spec: - provider: - vault: - server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 - - caProvider: - type: 
ConfigMap - name: kube-root-ca.crt - key: ca.crt - namespace: golang-external-secrets - - auth: - kubernetes: - - mountPath: hub - role: hub-role - - secretRef: - name: golang-external-secrets - namespace: golang-external-secrets - key: "token" ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: secretstore-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.secretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["secretstores"] - scope: "Namespaced" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-secretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - -- name: "validate.clustersecretstore.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["clustersecretstores"] - scope: "Cluster" - clientConfig: - service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-clustersecretstore - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 ---- -# Source: golang-external-secrets/charts/external-secrets/templates/validatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: externalsecret-validate - labels: - external-secrets.io/component: webhook -webhooks: -- name: "validate.externalsecret.external-secrets.io" - rules: - - apiGroups: ["external-secrets.io"] - apiVersions: ["v1beta1"] - operations: ["CREATE", "UPDATE", "DELETE"] - resources: ["externalsecrets"] - scope: "Namespaced" - clientConfig: - 
service: - namespace: "default" - name: golang-external-secrets-webhook - path: /validate-external-secrets-io-v1beta1-externalsecret - admissionReviewVersions: ["v1", "v1beta1"] - sideEffects: None - timeoutSeconds: 5 - failurePolicy: Fail diff --git a/common/tests/golang-external-secrets.expected.diff b/common/tests/golang-external-secrets.expected.diff deleted file mode 100644 index 19d26594..00000000 --- a/common/tests/golang-external-secrets.expected.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- tests/golang-external-secrets-naked.expected.yaml -+++ tests/golang-external-secrets-normal.expected.yaml -@@ -6337,7 +6337,7 @@ - spec: - provider: - vault: -- server: https://vault-vault.hub.example.com -+ server: https://vault-vault.apps.hub.example.com - path: secret - # Version of KV backend - version: v2 diff --git a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml deleted file mode 100644 index 8377766b..00000000 --- a/common/tests/hashicorp-vault-industrial-edge-factory.expected.yaml +++ /dev/null 
@@ -1,408 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: default ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - 
service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: LoadBalancer - externalTrafficPolicy: Cluster ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. 
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: default - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server 
-config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). 
- preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,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 - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "hashicorp-vault-server-test" - namespace: default - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ 
"$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml b/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml deleted file mode 100644 index 8377766b..00000000 --- a/common/tests/hashicorp-vault-industrial-edge-hub.expected.yaml +++ /dev/null 
@@ -1,408 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: default ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - 
service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: LoadBalancer - externalTrafficPolicy: Cluster ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. 
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: default - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server 
-config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). 
- preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,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 - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "hashicorp-vault-server-test" - namespace: default - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ 
"$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml b/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 8377766b..00000000 --- a/common/tests/hashicorp-vault-medical-diagnosis-hub.expected.yaml +++ /dev/null 
@@ -1,408 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: default ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - 
service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: LoadBalancer - externalTrafficPolicy: Cluster ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. 
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: default - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server 
-config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). 
- preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,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 - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "hashicorp-vault-server-test" - namespace: default - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ 
"$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-naked.expected.yaml b/common/tests/hashicorp-vault-naked.expected.yaml deleted file mode 100644 index c8506883..00000000 --- a/common/tests/hashicorp-vault-naked.expected.yaml +++ /dev/null 
@@ -1,408 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: default ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - 
service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: LoadBalancer - externalTrafficPolicy: Cluster ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. 
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: default - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server 
-config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). 
- preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,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 - href: 'https://vault-vault.apps.foo.cluster.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "hashicorp-vault-server-test" - namespace: default - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ "$n" 
-ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault-normal.expected.yaml b/common/tests/hashicorp-vault-normal.expected.yaml deleted file mode 100644 index 8377766b..00000000 --- a/common/tests/hashicorp-vault-normal.expected.yaml +++ /dev/null 
@@ -1,408 +0,0 @@ ---- -# Source: hashicorp-vault/charts/vault/templates/server-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm ---- -# Source: hashicorp-vault/charts/vault/templates/server-config-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: hashicorp-vault-config - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -data: - extraconfig-from-values.hcl: |- - disable_mlock = true - ui = true - listener "tcp" { - address = "[::]:8200" - cluster_address = "[::]:8201" - tls_cert_file = "/vault/userconfig/vault-secret/tls.crt" - tls_key_file = "/vault/userconfig/vault-secret/tls.key" - } - storage "file" { - path = "/vault/data" - } ---- -# Source: hashicorp-vault/charts/vault/templates/server-clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: hashicorp-vault-server-binding - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator -subjects: -- kind: ServiceAccount - name: hashicorp-vault - namespace: default ---- -# Source: hashicorp-vault/charts/vault/templates/server-headless-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-internal - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - vault-internal: "true" - annotations: - - - 
service.beta.openshift.io/serving-cert-secret-name: vault-secret-internal -spec: - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: "http" - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/server-service.yaml -# Service for Vault cluster -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm - annotations: - - - service.beta.openshift.io/serving-cert-secret-name: vault-secret -spec: - # We want the servers to become available even if they're not ready - # since this DNS is also used for join operations. - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - - name: https-internal - port: 8201 - targetPort: 8201 - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server ---- -# Source: hashicorp-vault/charts/vault/templates/ui-service.yaml -apiVersion: v1 -kind: Service -metadata: - name: hashicorp-vault-ui - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault-ui - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - selector: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - publishNotReadyAddresses: true - ports: - - name: http - port: 8200 - targetPort: 8200 - type: LoadBalancer - externalTrafficPolicy: Cluster ---- -# Source: hashicorp-vault/charts/vault/templates/server-statefulset.yaml -# StatefulSet to run the actual vault server cluster. 
-apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: hashicorp-vault - namespace: default - labels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - serviceName: hashicorp-vault-internal - podManagementPolicy: Parallel - replicas: 1 - updateStrategy: - type: OnDelete - selector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - template: - metadata: - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - component: server - spec: - - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app.kubernetes.io/name: vault - app.kubernetes.io/instance: "hashicorp-vault" - component: server - topologyKey: kubernetes.io/hostname - - - - - terminationGracePeriodSeconds: 10 - serviceAccountName: hashicorp-vault - - volumes: - - - name: config - configMap: - name: hashicorp-vault-config - - - name: userconfig-vault-secret - secret: - secretName: vault-secret - defaultMode: 420 - - name: home - emptyDir: {} - containers: - - name: vault - - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - command: - - "/bin/sh" - - "-ec" - args: - - | - cp /vault/config/extraconfig-from-values.hcl /tmp/storageconfig.hcl; - [ -n "${HOST_IP}" ] && sed -Ei "s|HOST_IP|${HOST_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${POD_IP}" ] && sed -Ei "s|POD_IP|${POD_IP?}|g" /tmp/storageconfig.hcl; - [ -n "${HOSTNAME}" ] && sed -Ei "s|HOSTNAME|${HOSTNAME?}|g" /tmp/storageconfig.hcl; - [ -n "${API_ADDR}" ] && sed -Ei "s|API_ADDR|${API_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${TRANSIT_ADDR}" ] && sed -Ei "s|TRANSIT_ADDR|${TRANSIT_ADDR?}|g" /tmp/storageconfig.hcl; - [ -n "${RAFT_ADDR}" ] && sed -Ei "s|RAFT_ADDR|${RAFT_ADDR?}|g" /tmp/storageconfig.hcl; - /usr/local/bin/docker-entrypoint.sh vault server 
-config=/tmp/storageconfig.hcl - - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: VAULT_K8S_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_K8S_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: VAULT_ADDR - value: "http://127.0.0.1:8200" - - name: VAULT_API_ADDR - value: "http://$(POD_IP):8200" - - name: SKIP_CHOWN - value: "true" - - name: SKIP_SETCAP - value: "true" - - name: HOSTNAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: VAULT_CLUSTER_ADDR - value: "https://$(HOSTNAME).hashicorp-vault-internal:8201" - - name: HOME - value: "/home/vault" - - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - - volumeMounts: - - - - - name: data - mountPath: /vault/data - - - - - name: config - mountPath: /vault/config - - - name: userconfig-vault-secret - readOnly: true - mountPath: /vault/userconfig/vault-secret - - name: home - mountPath: /home/vault - ports: - - containerPort: 8200 - name: http - - containerPort: 8201 - name: https-internal - - containerPort: 8202 - name: http-rep - readinessProbe: - # Check status; unsealed vault servers return 0 - # The exit code reflects the seal status: - # 0 - unsealed - # 1 - error - # 2 - sealed - exec: - command: ["/bin/sh", "-ec", "vault status -tls-skip-verify"] - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - lifecycle: - # Vault container doesn't receive SIGTERM from Kubernetes - # and after the grace period ends, Kube sends SIGKILL. This - # causes issues with graceful shutdowns such as deregistering itself - # from Consul (zombie services). 
- preStop: - exec: - command: [ - "/bin/sh", "-c", - # Adding a sleep here to give the pod eviction a - # chance to propagate, so requests will not be made - # to this pod while it's terminating - "sleep 5 && kill -SIGTERM $(pidof vault)", - ] - - - volumeClaimTemplates: - - metadata: - name: data - - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -# Source: hashicorp-vault/templates/vault-app.yaml -apiVersion: console.openshift.io/v1 -kind: ConsoleLink -metadata: - name: vault-link - namespace: vault -spec: - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,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 - href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' ---- -# Source: hashicorp-vault/charts/vault/templates/server-route.yaml -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: hashicorp-vault - namespace: default - labels: - helm.sh/chart: vault-0.24.1 - app.kubernetes.io/name: vault - app.kubernetes.io/instance: hashicorp-vault - app.kubernetes.io/managed-by: Helm -spec: - host: - to: - kind: Service - name: hashicorp-vault - weight: 100 - port: - targetPort: 8200 - tls: - termination: reencrypt ---- -# Source: hashicorp-vault/charts/vault/templates/tests/server-test.yaml -apiVersion: v1 -kind: Pod -metadata: - name: "hashicorp-vault-server-test" - namespace: default - annotations: - "helm.sh/hook": test -spec: - - containers: - - name: hashicorp-vault-server-test - image: registry.connect.redhat.com/hashicorp/vault:1.13.1-ubi - imagePullPolicy: IfNotPresent - env: - - name: VAULT_ADDR - value: http://hashicorp-vault.default.svc:8200 - - - name: "VAULT_ADDR" - value: "https://vault.vault.svc.cluster.local:8200" - - name: "VAULT_CACERT" - value: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" - command: - - /bin/sh - - -c - - | - echo "Checking for sealed info in 'vault status' output" - ATTEMPTS=10 - n=0 - until [ 
"$n" -ge $ATTEMPTS ] - do - echo "Attempt" $n... - vault status -format yaml | grep -E '^sealed: (true|false)' && break - n=$((n+1)) - sleep 5 - done - if [ $n -ge $ATTEMPTS ]; then - echo "timed out looking for sealed info in 'vault status' output" - exit 1 - fi - - exit 0 - volumeMounts: - volumes: - restartPolicy: Never diff --git a/common/tests/hashicorp-vault.expected.diff b/common/tests/hashicorp-vault.expected.diff deleted file mode 100644 index 9e948a07..00000000 --- a/common/tests/hashicorp-vault.expected.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- tests/hashicorp-vault-naked.expected.yaml -+++ tests/hashicorp-vault-normal.expected.yaml -@@ -341,7 +341,7 @@ - applicationMenu: - section: HashiCorp Vault - imageURL: data:image/png;base64,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 -- href: 'https://vault-vault.apps.foo.cluster.com' -+ href: 'https://vault-vault.apps.region.example.com' - location: ApplicationMenu - text: 'Vault' - --- diff --git a/common/tests/install-industrial-edge-factory.expected.yaml b/common/tests/install-industrial-edge-factory.expected.yaml deleted file mode 100644 index 0dfd0d84..00000000 --- a/common/tests/install-industrial-edge-factory.expected.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: install-example - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: install-example - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: install - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.clusterVersion - value: "" - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: stable - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: install-example,openshift-gitops 
diff --git a/common/tests/install-industrial-edge-hub.expected.yaml b/common/tests/install-industrial-edge-hub.expected.yaml deleted file mode 100644 index 0dfd0d84..00000000 --- a/common/tests/install-industrial-edge-hub.expected.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: install-example - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: install-example - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: install - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.clusterVersion - value: "" - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: stable - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: install-example,openshift-gitops 
diff --git a/common/tests/install-medical-diagnosis-hub.expected.yaml b/common/tests/install-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 0dfd0d84..00000000 --- a/common/tests/install-medical-diagnosis-hub.expected.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -# Source: pattern-install/templates/argocd/namespace.yaml -# Pre-create so we can create our argo app for keeping subscriptions in sync -# Do it here so that we don't try to sync it in the future -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-gitops ---- -# Source: pattern-install/templates/argocd/application.yaml -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: install-example - namespace: openshift-gitops - finalizers: - - resources-finalizer.argocd.argoproj.io/foreground -spec: - destination: - name: in-cluster - namespace: install-example - project: default - source: - repoURL: https://github.com/pattern-clone/mypattern - targetRevision: main - path: common/clustergroup - helm: - ignoreMissingValueFiles: true - valueFiles: - - "/values-global.yaml" - - "/values-example.yaml" - # Track the progress of https://github.com/argoproj/argo-cd/pull/6280 - parameters: - - name: global.repoURL - value: $ARGOCD_APP_SOURCE_REPO_URL - - name: global.targetRevision - value: $ARGOCD_APP_SOURCE_TARGET_REVISION - - name: global.namespace - value: $ARGOCD_APP_NAMESPACE - - name: global.pattern - value: install - - name: global.hubClusterDomain - value: apps.hub.example.com - - name: global.clusterVersion - value: "" - syncPolicy: - automated: {} ---- -# Source: pattern-install/templates/argocd/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-gitops-operator - namespace: openshift-operators - labels: - operators.coreos.com/openshift-gitops-operator.openshift-operators: "" -spec: - channel: stable - installPlanApproval: Automatic - name: openshift-gitops-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - config: - env: - - name: ARGOCD_CLUSTER_CONFIG_NAMESPACES - value: install-example,openshift-gitops 
diff --git a/common/tests/letsencrypt-industrial-edge-factory.expected.yaml b/common/tests/letsencrypt-industrial-edge-factory.expected.yaml deleted file mode 100644 index b5aded2f..00000000 --- a/common/tests/letsencrypt-industrial-edge-factory.expected.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. 
- controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: 
letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-industrial-edge-hub.expected.yaml b/common/tests/letsencrypt-industrial-edge-hub.expected.yaml deleted file mode 100644 index b5aded2f..00000000 
--- a/common/tests/letsencrypt-industrial-edge-hub.expected.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. 
- controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: 
letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml b/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index b5aded2f..00000000 
--- a/common/tests/letsencrypt-medical-diagnosis-hub.expected.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. 
- controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: 
letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-naked.expected.yaml b/common/tests/letsencrypt-naked.expected.yaml deleted file mode 100644 index 73aa94a4..00000000 
--- a/common/tests/letsencrypt-naked.expected.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. 
- controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.example.com' - usages: - - server auth - dnsNames: - - api.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.example.com' - usages: - - server auth - dnsNames: - - '*.apps.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: 
letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/letsencrypt-normal.expected.yaml b/common/tests/letsencrypt-normal.expected.yaml deleted file mode 100644 index b5aded2f..00000000 
--- a/common/tests/letsencrypt-normal.expected.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager-operator -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager -spec: ---- -# Source: letsencrypt/templates/namespaces.yaml -apiVersion: v1 -kind: Namespace -metadata: - name: letsencrypt -spec: ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: config.openshift.io/v1 -kind: APIServer -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - servingCerts: - namedCertificates: - - names: - - api.region.example.com - servingCertificate: - name: api-validated-patterns-letsencrypt-cert ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: openshift-gitops - namespace: openshift-gitops - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - server: - route: - enabled: true - tls: - termination: reencrypt ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operator.openshift.io/v1alpha1 -kind: CertManager -metadata: - name: cluster - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - managementState: "Managed" - unsupportedConfigOverrides: - # Here's an example to supply custom DNS settings. 
- controller: - args: - - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53" - - "--dns01-recursive-nameservers-only" ---- -# Source: letsencrypt/templates/api-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: api-validated-patterns-cert - namespace: openshift-config - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: api-validated-patterns-letsencrypt-cert - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: 'api.region.example.com' - usages: - - server auth - dnsNames: - - api.region.example.com - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/wildcard-cert.yaml -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: lets-encrypt-certs - namespace: openshift-ingress - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - secretName: lets-encrypt-wildcart-cert-tls - duration: 168h0m0s - renewBefore: 28h0m0s - commonName: '*.apps.region.example.com' - usages: - - server auth - dnsNames: - - '*.apps.region.example.com' - issuerRef: - name: validated-patterns-issuer - kind: ClusterIssuer - subject: - organizations: - - hybrid-cloud-patterns.io ---- -# Source: letsencrypt/templates/issuer.yaml -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: validated-patterns-issuer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - acme: - server: https://acme-staging-v02.api.letsencrypt.org/directory - email: test@example.com - privateKeySecretRef: - name: validated-patterns-issuer-account-key - solvers: - - selector: {} - dns01: - route53: - region: eu-central-1 - accessKeyIDSecretRef: - name: cert-manager-dns-credentials - key: aws_access_key_id - secretAccessKeySecretRef: - name: cert-manager-dns-credentials - key: aws_secret_access_key ---- -# Source: 
letsencrypt/templates/credentials-request.yaml -apiVersion: cloudcredential.openshift.io/v1 -kind: CredentialsRequest -metadata: - name: letsencrypt-cert-manager-dns - namespace: openshift-cloud-credential-operator - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -spec: - providerSpec: - apiVersion: cloudcredential.openshift.io/v1 - kind: AWSProviderSpec - statementEntries: - - action: - - 'route53:ChangeResourceRecordSets' - - 'route53:GetChange' - - 'route53:ListHostedZonesByName' - - 'route53:ListHostedZones' - effect: Allow - resource: '*' - secretRef: - name: cert-manager-dns-credentials - namespace: cert-manager ---- -# Source: letsencrypt/templates/default-routes.yaml -apiVersion: operator.openshift.io/v1 -kind: IngressController -metadata: - name: default - namespace: openshift-ingress-operator - annotations: - argocd.argoproj.io/sync-options: ServerSideApply=true, Validate=false, SkipDryRunOnMissingResource=true -spec: - routeAdmission: - wildcardPolicy: WildcardsAllowed - defaultCertificate: - name: lets-encrypt-wildcart-cert-tls -# Patch the cluster-wide argocd instance so it uses the ingress tls cert ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: cert-manager-operator - namespace: cert-manager-operator -spec: - targetNamespaces: - - cert-manager-operator ---- -# Source: letsencrypt/templates/cert-manager-installation.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-cert-manager-operator - namespace: cert-manager-operator -spec: - channel: "stable-v1" - installPlanApproval: Automatic - name: openshift-cert-manager-operator - source: redhat-operators - sourceNamespace: openshift-marketplace 
diff --git a/common/tests/operator-install-industrial-edge-factory.expected.yaml b/common/tests/operator-install-industrial-edge-factory.expected.yaml deleted file mode 100644 index 5fc96bf3..00000000 --- a/common/tests/operator-install-industrial-edge-factory.expected.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.8 - operatorSource: redhat-operators ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-industrial-edge-hub.expected.yaml b/common/tests/operator-install-industrial-edge-hub.expected.yaml deleted file mode 100644 index 5fc96bf3..00000000 --- a/common/tests/operator-install-industrial-edge-hub.expected.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.8 - operatorSource: redhat-operators ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml b/common/tests/operator-install-medical-diagnosis-hub.expected.yaml deleted file mode 100644 index 5fc96bf3..00000000 --- a/common/tests/operator-install-medical-diagnosis-hub.expected.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.8 - operatorSource: redhat-operators ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace 
diff --git a/common/tests/operator-install-naked.expected.yaml b/common/tests/operator-install-naked.expected.yaml deleted file mode 100644 index 4c7837fe..00000000 --- a/common/tests/operator-install-naked.expected.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: default - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.8 - operatorSource: redhat-operators ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install-normal.expected.yaml b/common/tests/operator-install-normal.expected.yaml deleted file mode 100644 index 5fc96bf3..00000000 --- a/common/tests/operator-install-normal.expected.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -# Source: pattern-install/templates/pattern.yaml -apiVersion: gitops.hybrid-cloud-patterns.io/v1alpha1 -kind: Pattern -metadata: - name: operator-install - namespace: openshift-operators -spec: - clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main - gitOpsSpec: - operatorChannel: gitops-1.8 - operatorSource: redhat-operators ---- -# Source: pattern-install/templates/subscription.yaml -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: patterns-operator - namespace: openshift-operators - labels: - operators.coreos.com/patterns-operator.openshift-operators: "" -spec: - channel: fast - installPlanApproval: Automatic - name: patterns-operator - source: community-operators - sourceNamespace: openshift-marketplace diff --git a/common/tests/operator-install.expected.diff b/common/tests/operator-install.expected.diff deleted file mode 100644 index 3f73da90..00000000 --- a/common/tests/operator-install.expected.diff +++ /dev/null @@ -1,11 +0,0 @@ ---- tests/operator-install-naked.expected.yaml -+++ tests/operator-install-normal.expected.yaml -@@ -6,7 +6,7 @@ - name: operator-install - namespace: openshift-operators - spec: -- clusterGroupName: default -+ clusterGroupName: example - gitSpec: - targetRepo: https://github.com/pattern-clone/mypattern - targetRevision: main diff --git a/common/values-global.yaml b/common/values-global.yaml deleted file mode 100644 index 24feccd5..00000000 --- a/common/values-global.yaml +++ /dev/null @@ -1,17 +0,0 @@ -global: - options: - useCSV: True - syncPolicy: Manual - installPlanApproval: Automatic - applicationRetryLimit: 20 - - git: - hostname: github.com - # Account is the user or organization under which the pattern repos lives - account: hybrid-cloud-patterns - email: someone@somewhere.com - dev_revision: main - -main: - clusterGroupName: example - From 48553414bcab6f466266a748251c7729719f1e29 Mon Sep 17 00:00:00 2001 
From: jonny <65790298+day0hero@users.noreply.github.com> Date: Mon, 31 Jul 2023 15:33:16 -0500 Subject: [PATCH 11/11] make test --- ...mmon-acm-industrial-edge-hub.expected.yaml | 16 ++-- ...on-acm-medical-diagnosis-hub.expected.yaml | 16 ++-- tests/common-acm-normal.expected.yaml | 32 ++++---- ...rets-industrial-edge-factory.expected.yaml | 80 +++++++++---------- ...-secrets-industrial-edge-hub.expected.yaml | 80 +++++++++---------- ...ecrets-medical-diagnosis-hub.expected.yaml | 80 +++++++++---------- ...olang-external-secrets-naked.expected.yaml | 80 +++++++++---------- ...lang-external-secrets-normal.expected.yaml | 80 +++++++++---------- 8 files changed, 217 insertions(+), 247 deletions(-) diff --git a/tests/common-acm-industrial-edge-hub.expected.yaml b/tests/common-acm-industrial-edge-hub.expected.yaml index d54a8db6..444b833c 100644 --- a/tests/common-acm-industrial-edge-hub.expected.yaml +++ b/tests/common-acm-industrial-edge-hub.expected.yaml 
@@ -206,14 +206,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-factory.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' + - "/values-global.yaml" + - "/values-factory.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-factory.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-factory.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL diff --git a/tests/common-acm-medical-diagnosis-hub.expected.yaml b/tests/common-acm-medical-diagnosis-hub.expected.yaml index 6e3eedff..f79e013b 100644 --- a/tests/common-acm-medical-diagnosis-hub.expected.yaml +++ b/tests/common-acm-medical-diagnosis-hub.expected.yaml 
@@ -197,14 +197,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-region-one.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' + - "/values-global.yaml" + - "/values-region-one.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-region-one.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" 
((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-region-one.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL diff --git a/tests/common-acm-normal.expected.yaml b/tests/common-acm-normal.expected.yaml index b2f0ac48..900cc291 100644 --- a/tests/common-acm-normal.expected.yaml +++ b/tests/common-acm-normal.expected.yaml 
@@ -600,14 +600,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' + - "/values-global.yaml" + - "/values-acm-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster version + - '/values-{{ printf "%d.%d" ((semver (lookup 
"operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL 
@@ -694,14 +694,14 @@ spec: helm: ignoreMissingValueFiles: true valueFiles: - - "/values-global.yaml" - - "/values-acm-provision-edge.yaml" - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' - - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' - # We cannot use $.Values.global.clusterVersion because that gets resolved to the - # hub's cluster version, whereas we want to include the spoke cluster version - - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' + - "/values-global.yaml" + - "/values-acm-provision-edge.yaml" + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}.yaml' + - '/values-{{ (lookup "config.openshift.io/v1" "Infrastructure" "" "cluster").spec.platformSpec.type }}-acm-provision-edge.yaml' + # We cannot use $.Values.global.clusterVersion because that gets resolved to the + # hub's cluster version, whereas we want to include the spoke cluster 
version + - '/values-{{ printf "%d.%d" ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Major) ((semver (lookup "operator.openshift.io/v1" "OpenShiftControllerManager" "" "cluster").status.version).Minor) }}-acm-provision-edge.yaml' parameters: - name: global.repoURL value: $ARGOCD_APP_SOURCE_REPO_URL diff --git a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml index a7235b2d..1ef6cf66 100644 --- a/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-factory.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8031,10 +8031,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8147,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8192,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8252,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml index fd1707a6..b516e345 100644 --- a/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml +++ b/tests/common-golang-external-secrets-industrial-edge-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
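Review bot: `seccompProfile: type: RuntimeDefault` is gone from the webhook container's securityContext on the new side of this hunk, and the same two-line removal appears in the certcontroller and controller Deployment hunks above, even though only the image tag moved from v0.8.3 to v0.8.5; capabilities are still dropped and the root filesystem stays read-only, but the rendered manifests no longer pin a seccomp profile. Since these are helm-rendered expected files, the regression presumably comes from the external-secrets 0.8.5 chart defaults rather than from this repository, so the fix belongs in the chart's values (a `securityContext` override that restores `seccompProfile:` / `  type: RuntimeDefault` for the three containers) followed by regenerating the expected output. On OpenShift the restricted-v2 SCC may still inject a RuntimeDefault profile at admission, but that is a cluster-side assumption to confirm rather than something the chart guarantees. At minimum the commit description should call out that the securityContext changed, because "make test" reads as a purely mechanical refresh.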
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8031,10 +8031,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8147,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8192,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8252,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml index fd1707a6..b516e345 100644 --- a/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml +++ b/tests/common-golang-external-secrets-medical-diagnosis-hub.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8031,10 +8031,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8147,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8192,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8252,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-naked.expected.yaml b/tests/common-golang-external-secrets-naked.expected.yaml index 49d8f63d..ac3c1ad1 100644 --- a/tests/common-golang-external-secrets-naked.expected.yaml +++ b/tests/common-golang-external-secrets-naked.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8031,10 +8031,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8147,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8192,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8252,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
@@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook diff --git a/tests/common-golang-external-secrets-normal.expected.yaml b/tests/common-golang-external-secrets-normal.expected.yaml index fd1707a6..b516e345 100644 --- a/tests/common-golang-external-secrets-normal.expected.yaml +++ b/tests/common-golang-external-secrets-normal.expected.yaml @@ -6,10 +6,10 @@ metadata: name: external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/serviceaccount.yaml @@ -19,10 +19,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-serviceaccount.yaml 
@@ -32,10 +32,10 @@ metadata: name: external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm --- # Source: golang-external-secrets/charts/external-secrets/templates/webhook-secret.yaml @@ -45,10 +45,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook --- @@ -7771,10 +7771,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -7838,10 +7838,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: 
@@ -7947,10 +7947,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-view labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" @@ -7987,10 +7987,10 @@ kind: ClusterRole metadata: name: common-golang-external-secrets-edit labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" @@ -8031,10 +8031,10 @@ metadata: name: common-golang-external-secrets-servicebindings labels: servicebinding.io/controller: "true" - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8052,10 +8052,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-cert-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -8072,10 +8072,10 @@ kind: ClusterRoleBinding metadata: name: common-golang-external-secrets-controller labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8108,10 +8108,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm rules: - apiGroups: @@ -8147,10 +8147,10 @@ metadata: name: common-golang-external-secrets-leaderelection namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io @@ -8168,10 +8168,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm external-secrets.io/component: webhook spec: 
@@ -8192,10 +8192,10 @@ metadata: name: common-golang-external-secrets-cert-controller namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-cert-controller app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8222,9 +8222,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - certcontroller @@ -8252,10 +8250,10 @@ metadata: name: common-golang-external-secrets namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 @@ -8282,9 +8280,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - --concurrent=1 @@ -8300,10 +8296,10 @@ metadata: name: common-golang-external-secrets-webhook namespace: "default" labels: - helm.sh/chart: external-secrets-0.8.3 + helm.sh/chart: external-secrets-0.8.5 app.kubernetes.io/name: external-secrets-webhook app.kubernetes.io/instance: common-golang-external-secrets - app.kubernetes.io/version: "v0.8.3" + app.kubernetes.io/version: "v0.8.5" app.kubernetes.io/managed-by: Helm spec: replicas: 1 
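Review bot: The `-8222` and `-8282` hunks drop `seccompProfile: type: RuntimeDefault` from the container `securityContext` of the cert-controller and controller Deployments alongside the image bump to `v0.8.5-ubi`, and nothing else in the diff re-applies a seccomp profile at pod or container level, so the rendered containers now run without one. Unless the target platform injects a default profile through an SCC or admission policy, that is a hardening regression riding silently on a version bump; the commit title says nothing about it. Judging by the ~8000-line numbering and `namespace: "default"` this looks like rendered test output, in which case the fix belongs in the chart values that feed it rather than here: keep `seccompProfile:` / `  type: RuntimeDefault` under `runAsNonRoot: true` in the container `securityContext` so the three removed lines stay in the render, and if the drop is intentional say so in the commit message. The enclosing Deployment `spec:` begins outside the hunk.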
@@ -8330,9 +8326,7 @@ spec: - ALL readOnlyRootFilesystem: true runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - image: "ghcr.io/external-secrets/external-secrets:v0.8.3-ubi" + image: "ghcr.io/external-secrets/external-secrets:v0.8.5-ubi" imagePullPolicy: IfNotPresent args: - webhook
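Review bot: The same `seccompProfile` removal lands on the webhook container here (old side 9 lines, new side 7), so the component started with `args: - webhook` — presumably the one behind the `external-secrets-webhook` Service labelled `external-secrets.io/component: webhook` earlier in this diff — loses its explicit `RuntimeDefault` profile after the bump. A network-facing container is the last place to relax syscall filtering without a stated reason, and the image change alone does not require it. Restore the two lines beneath `runAsNonRoot: true` (`seccompProfile:` then `  type: RuntimeDefault`, via the chart's container `securityContext` values if this file is generated), or document in the commit why the profile is now supplied elsewhere. The Deployment `spec:` this hunk sits in starts before the hunk.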
