From 3471561346d0ea9bdf45588a5e4ecd79ceb4bb5f Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Fri, 19 Mar 2021 11:59:51 +0100
Subject: [PATCH 01/17] docs: Move architecture diagrams into sub directory

Move all `.uml` to a `diagrams` directory, so the
directory only contains architecture document
which is cleaner.
---
 docs/developer/architecture/deployment.rst           |  2 +-
 .../architecture/{ => diagrams}/deployment.uml       |  0
 .../{ => diagrams}/logs-components-diagram.uml       |  0
 .../{ => diagrams}/solutions-interaction.uml         |  0
 .../{ => diagrams}/volume-creation_seqdiag.uml       |  0
 .../{ => diagrams}/volume-deletion_decision_tree.uml |  0
 .../{ => diagrams}/volume-deletion_seqdiag.uml       |  0
 .../volume-deploy_volume_flowchart.uml               |  0
 .../volume-finalize_volume_flowchart.uml             |  0
 .../{ => diagrams}/volume-main_loop_flowchart.uml    |  0
 docs/developer/architecture/logs.rst                 |  2 +-
 docs/developer/architecture/solutions.rst            |  2 +-
 docs/developer/architecture/volume.rst               | 12 ++++++------
 docs/developer/solutions/introduction.rst            |  2 +-
 14 files changed, 10 insertions(+), 10 deletions(-)
 rename docs/developer/architecture/{ => diagrams}/deployment.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/logs-components-diagram.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/solutions-interaction.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/volume-creation_seqdiag.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/volume-deletion_decision_tree.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/volume-deletion_seqdiag.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/volume-deploy_volume_flowchart.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/volume-finalize_volume_flowchart.uml (100%)
 rename docs/developer/architecture/{ => diagrams}/volume-main_loop_flowchart.uml (100%)

diff --git a/docs/developer/architecture/deployment.rst b/docs/developer/architecture/deployment.rst
index c8dd4ab724..aff18d5a8f 100644
--- a/docs/developer/architecture/deployment.rst
+++ b/docs/developer/architecture/deployment.rst
@@ -4,7 +4,7 @@ Deployment
 Here is a diagram representing how MetalK8s orchestrates deployment on a set of
 machines:
 
-.. uml:: deployment.uml
+.. uml:: diagrams/deployment.uml
 
 Some notes
 ----------
diff --git a/docs/developer/architecture/deployment.uml b/docs/developer/architecture/diagrams/deployment.uml
similarity index 100%
rename from docs/developer/architecture/deployment.uml
rename to docs/developer/architecture/diagrams/deployment.uml
diff --git a/docs/developer/architecture/logs-components-diagram.uml b/docs/developer/architecture/diagrams/logs-components-diagram.uml
similarity index 100%
rename from docs/developer/architecture/logs-components-diagram.uml
rename to docs/developer/architecture/diagrams/logs-components-diagram.uml
diff --git a/docs/developer/architecture/solutions-interaction.uml b/docs/developer/architecture/diagrams/solutions-interaction.uml
similarity index 100%
rename from docs/developer/architecture/solutions-interaction.uml
rename to docs/developer/architecture/diagrams/solutions-interaction.uml
diff --git a/docs/developer/architecture/volume-creation_seqdiag.uml b/docs/developer/architecture/diagrams/volume-creation_seqdiag.uml
similarity index 100%
rename from docs/developer/architecture/volume-creation_seqdiag.uml
rename to docs/developer/architecture/diagrams/volume-creation_seqdiag.uml
diff --git a/docs/developer/architecture/volume-deletion_decision_tree.uml b/docs/developer/architecture/diagrams/volume-deletion_decision_tree.uml
similarity index 100%
rename from docs/developer/architecture/volume-deletion_decision_tree.uml
rename to docs/developer/architecture/diagrams/volume-deletion_decision_tree.uml
diff --git a/docs/developer/architecture/volume-deletion_seqdiag.uml b/docs/developer/architecture/diagrams/volume-deletion_seqdiag.uml
similarity index 100%
rename from docs/developer/architecture/volume-deletion_seqdiag.uml
rename to docs/developer/architecture/diagrams/volume-deletion_seqdiag.uml
diff --git a/docs/developer/architecture/volume-deploy_volume_flowchart.uml b/docs/developer/architecture/diagrams/volume-deploy_volume_flowchart.uml
similarity index 100%
rename from docs/developer/architecture/volume-deploy_volume_flowchart.uml
rename to docs/developer/architecture/diagrams/volume-deploy_volume_flowchart.uml
diff --git a/docs/developer/architecture/volume-finalize_volume_flowchart.uml b/docs/developer/architecture/diagrams/volume-finalize_volume_flowchart.uml
similarity index 100%
rename from docs/developer/architecture/volume-finalize_volume_flowchart.uml
rename to docs/developer/architecture/diagrams/volume-finalize_volume_flowchart.uml
diff --git a/docs/developer/architecture/volume-main_loop_flowchart.uml b/docs/developer/architecture/diagrams/volume-main_loop_flowchart.uml
similarity index 100%
rename from docs/developer/architecture/volume-main_loop_flowchart.uml
rename to docs/developer/architecture/diagrams/volume-main_loop_flowchart.uml
diff --git a/docs/developer/architecture/logs.rst b/docs/developer/architecture/logs.rst
index bca0e94eac..54601942de 100644
--- a/docs/developer/architecture/logs.rst
+++ b/docs/developer/architecture/logs.rst
@@ -202,7 +202,7 @@ Components
 
 Our Log Centralization system can be split into several components as follows:
 
-.. uml:: logs-components-diagram.uml
+.. uml:: diagrams/logs-components-diagram.uml
 
 Collector
 ~~~~~~~~~
diff --git a/docs/developer/architecture/solutions.rst b/docs/developer/architecture/solutions.rst
index 18dad1ab6c..1147cc8fbd 100644
--- a/docs/developer/architecture/solutions.rst
+++ b/docs/developer/architecture/solutions.rst
@@ -308,7 +308,7 @@ Interaction diagram
 We include a detailed interaction sequence diagram for describing how MetalK8s
 will handle user input when deploying / upgrading Solutions.
 
-.. uml:: solutions-interaction.uml
+.. uml:: diagrams/solutions-interaction.uml
 
 Rejected design choices
 -----------------------
diff --git a/docs/developer/architecture/volume.rst b/docs/developer/architecture/volume.rst
index f9461fa463..ff5e2731ab 100644
--- a/docs/developer/architecture/volume.rst
+++ b/docs/developer/architecture/volume.rst
@@ -116,9 +116,9 @@ system) through the Salt API. Authentication to the Salt API will be done
 though a dedicated Salt account (with limited privileges) using credentials
 from a dedicated cluster **Service Account**.
 
-.. uml:: volume-creation_seqdiag.uml
+.. uml:: diagrams/volume-creation_seqdiag.uml
 
-.. uml:: volume-deletion_seqdiag.uml
+.. uml:: diagrams/volume-deletion_seqdiag.uml
 
 
 Implementation Details
@@ -198,7 +198,7 @@ Once pre-checks are done, there are four cases:
 4. the backing **PersistentVolume** exists: the operator will check its status
    to update the volume's status accordingly.
 
-.. uml:: volume-main_loop_flowchart.uml
+.. uml:: diagrams/volume-main_loop_flowchart.uml
 
 
 .. _volume-deployment:
@@ -232,7 +232,7 @@ Once the **PersistentVolume** is successfuly created, the operator will move
 the **Volume** to the `Available` state and reschedule the request (the next
 iteration will check the health of the **PersistentVolume** just created).
 
-.. uml:: volume-deploy_volume_flowchart.uml
+.. uml:: diagrams/volume-deploy_volume_flowchart.uml
 
 Steady state
 ~~~~~~~~~~~~
@@ -262,7 +262,7 @@ becomes unused (this is done by rescheduling). Once the backing
 **PersistentVolume** becomes unused, the operator will reclaim its storage and
 remove the finalizers to let the object be deleted.
 
-.. uml:: volume-finalize_volume_flowchart.uml
+.. uml:: diagrams/volume-finalize_volume_flowchart.uml
 
 
 Volume Deletion Criteria
@@ -291,7 +291,7 @@ In the end, a **Volume** can be deleted in two cases:
 - the backing **PersistentVolume** is not bound (**Available**, **Released** or
   **Failed**)
 
-.. uml:: volume-deletion_decision_tree.uml
+.. uml:: diagrams/volume-deletion_decision_tree.uml
 
 
 Documentation
diff --git a/docs/developer/solutions/introduction.rst b/docs/developer/solutions/introduction.rst
index 86e5595aad..00e48d7102 100644
--- a/docs/developer/solutions/introduction.rst
+++ b/docs/developer/solutions/introduction.rst
@@ -123,4 +123,4 @@ will handle user input when deploying / upgrading Solutions.
 
 .. note:: Open the image in a new tab to see it in full resolution.
 
-.. uml:: ../architecture/solutions-interaction.uml
+.. uml:: ../architecture/diagrams/solutions-interaction.uml

From 19325d571fafed5ef5227e5bd43c97894a1bac8d Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Fri, 19 Mar 2021 12:06:16 +0100
Subject: [PATCH 02/17] docs: Alert history design document

This document describes how the alert history
feature works and explain why.

Refs: #3180
---
 docs/developer/architecture/alert-history.rst | 285 ++++++++++++++++++
 .../diagrams/alert-history_containers.uml     |  62 ++++
 .../architecture/img/GlobalHealthCpnt.png     | Bin 0 -> 28690 bytes
 .../architecture/models/alert-history.dsl     |  39 +++
 4 files changed, 386 insertions(+)
 create mode 100644 docs/developer/architecture/alert-history.rst
 create mode 100644 docs/developer/architecture/diagrams/alert-history_containers.uml
 create mode 100644 docs/developer/architecture/img/GlobalHealthCpnt.png
 create mode 100644 docs/developer/architecture/models/alert-history.dsl

diff --git a/docs/developer/architecture/alert-history.rst b/docs/developer/architecture/alert-history.rst
new file mode 100644
index 0000000000..730f8c5357
--- /dev/null
+++ b/docs/developer/architecture/alert-history.rst
@@ -0,0 +1,285 @@
+Alert History
+=============
+
+Context
+-------
+In NextGen UI we are introducing the Global Health Component that shows real
+time entity Health but also intends to show entity Health over the last X days.
+This Global Health Component is available in the System Health Monitor as well
+as in Metalk8s, xCore and XDM admin UIs. It applies to entities like Node,
+Volume, Platform, Storage Backends, etc.
+
+  .. image:: img/GlobalHealthCpnt.png
+
+The entity Health is computed based on active alerts. In order to know the
+health of an entity as it was in the past, we would need to collect alerts that
+were active for this specific past time. As soon as the Platform or Storage
+Admin identifies a time at which the entity was degraded, he can access the
+detailed list of sub alerts impacting this entity.
+
+Currently, once an active alert is cleared, it disappears from the System.
+
+Goal
+----
+In order to achieve the UI functionality as described above, we would need to
+keep information about the alerts that were fired in the past:
+
+- The alert (all info that were available at the time the alert was fired)
+- When it was fired
+- When it was cleared
+
+User Stories
+------------
+As a Platform/Storage Admin, I want to know the health of a given NextGen
+entity over the past X days in order to ease root cause analysis.
+
+Basically this should be achieved by collecting past alerts, belonging to this
+entity.
+
+As a Platform/Storage Admin, I want to collect the list of sub alerts which
+contributed to the degradation on a specific entity in the past, in order to
+understand more in details the cause of the degradation.
+
+Here we would need to access all sub alerts (contributing to the entity high
+level alert). This is related to the Alert grouping feature.
+
+The X days to keep accessible is configurable and ideally matches with the
+history of other observability data (metrics and logs) in order to ease the
+correlation between various observability indicators.
+This configuration must be persistent across platform upgrades.
+
+In conclusion, the system should retain all emitted alerts for a given
+configurable period.
+
+The service exposing past alerts is to be used by NextGen Admin UIs. It can
+also be used by some NextGen tooling when it comes to create a support ticket.
+It will not be used by xCore or XDM data workloads and it will not be exposed
+for external usage.
+
+Monitoring and Alerting
+-----------------------
+The service exposing past alerts should be monitored i.e. should expose key
+health/performance indicators that one can consume through dedicated
+Grafana dashboard. An alert should be triggered when the service is degraded.
+
+Deployment
+----------
+The said service is part of the infra service category and it is either
+deployed automatically or some documentation explains how to deploy it and
+provision storage for it.
+
+It should support one node failure when deploying NextGen on more than 3 nodes,
+like for monitoring, alerting and logging services.
+
+Future/Bonus Features
+---------------------
+Dedicated Grafana Dashboard to navigate through the past alerts without
+focusing on a specific entity only. From this dashboard, one can select one or
+multiple labels as well as a specific period, in order to collect all alerts
+with a given set of labels.
+
+A dump of the past alerts could be added to the sos report that one would
+generate when collecting all information to send to Scality support.
+
+Design Choices
+--------------
+
+.. uml:: diagrams/alert-history_containers.uml
+
+Alertmanager webhook
+~~~~~~~~~~~~~~~~~~~~
+
+To retrieve alerts sent by Alertmanager, we configure a specific receiver
+where it sends each and every incoming alerts.
+This receiver is a `webhook`_ which is basically an HTTP server listening
+on a port and waiting for HTTP POST request from Alertmanager.
+It then forwards alerts to the storage backend.
+
+Alerts sent by Alertmanager are JSON formatted as follows::
+
+    {
+      "version": "4",
+      "groupKey": <string>,              // key identifying the group of alerts (e.g. to deduplicate)
+      "truncatedAlerts": <int>,          // how many alerts have been truncated due to "max_alerts"
+      "status": "<resolved|firing>",
+      "receiver": <string>,
+      "groupLabels": <object>,
+      "commonLabels": <object>,
+      "commonAnnotations": <object>,
+      "externalURL": <string>,           // backlink to the Alertmanager.
+      "alerts": [
+        {
+          "status": "<resolved|firing>",
+          "labels": <object>,
+          "annotations": <object>,
+          "startsAt": "<rfc3339>",
+          "endsAt": "<rfc3339>",
+          "generatorURL": <string>       // identifies the entity that caused the alert
+        },
+        ...
+      ]
+    }
+
+Alertmanager implements an exponential backoff retry mechanism, so We can not
+miss alerts if the webhook is unreachable/down.
+It will keep retrying until it manages to send the alerts.
+
+.. _webhook: https://prometheus.io/docs/alerting/latest/configuration/#webhook_config
+
+Loki as storage backend
+~~~~~~~~~~~~~~~~~~~~~~~
+
+We use Loki as the storage backend for alert history because it provides
+several advantages.
+
+First, it allows to easily store the alerts by simply logging them on the
+webhook container output, letting Fluent-bit forward the alerts to it.
+
+Loki uses a NoSQL database, which is better to store JSON documents than
+an SQL one, allowing us to not have to create and maintain a database schema
+for the alerts.
+
+Loki also provides an API allowing us to expose and query these alerts using
+the LogQL language.
+
+Plus, since Loki is already part of the cluster, it saves us from having
+to install, manage and expose a new database.
+
+Using Loki, we also directly benefit from its retention and purge mechanisms,
+making the alerts history retention time automatically aligned with all
+other logs (14 days by default).
+
+.. warning::
+
+   There is a drawback in using Loki, if at some point its volume is full
+   (because there is too much logs), we will not be able to store new alerts
+   anymore, especially since there is no size-based purge mechanism.
+
+   Another issue is, since we share the retention configuration with the other
+   logs, it is hard to ensure we will keep enough alert history.
+
+   As for now, there is no retention based on labels, streams, tenant or
+   whatever (on-going discussion `GH Loki #162`_).
+
+.. _GH Loki #162: https://github.com/grafana/loki/issues/162
+
+Rejected Design Choices
+-----------------------
+
+Alertmanager API scraper
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+A program polling the Alertmanager API to retrieve alerts.
+
+It generates more load and forces us to parse the result from the API
+to keep track of what we already forward to the storage backend
+or query it to retrieve the previously sent alerts.
+
+Plus, it does not allow to have alerts in near to real time,
+except if we poll the API in a really aggressive manner.
+
+If the scraper is down for a long period of time, we could also
+loose some alerts.
+
+Dedicated database as storage backend
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Using a dedicated database to store alerts history was rejected, because
+it means adding an extra component to the stack.
+
+Furthermore, we would need to handle the database replication, lifecycle, etc.
+
+We would also need to expose this database to the various components consuming
+the data, probably through an API, bringing another extra component to
+develop and maintain.
+
+Implementation Details
+----------------------
+
+Alertmanager webhook
+~~~~~~~~~~~~~~~~~~~~
+
+We need a simple container, with a basic HTTP server running inside,
+simply handling POST requests and logging them on the standard output.
+
+It will be deployed by Salt as part of the monitoring stack.
+
+A deployment with only 1 replica will be used as we do not want
+duplicated entries and Alertmanager handles retry mechanism if the webhook
+is unreachable.
+
+An example of what we need can be found
+`here <https://github.com/tomtom-international/alertmanager-webhook-logger>`.
+
+Alertmanager configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The default Alertmanager's configuration must be updated to send all
+alerts to this webhook.
+
+Configuration example::
+
+    receivers:
+      - name: metalk8s-alert-logger
+        webhook_configs:
+          - send_resolved: true
+            url: http://<webhook-ip>:<webhook-port>
+    route:
+      receiver: metalk8s-alert-logger
+      routes:
+        - receiver: metalk8s-alert-logger
+          continue: True
+
+This configuration must not be overwritable by any user customization
+and the ``metalk8s-alert-logger`` receiver must be the first route to
+ensure it will receive all the alerts.
+
+Fluent-bit configuration
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Logs from the webhook need to be handled differently than the other Kubernetes
+containers.
+Timestamps of the logs must be extracted from the JSON ``timestamp`` key and
+only the JSON part of the log must be stored to make it easier to use by
+automatic tools.
+
+Expose Loki API
+~~~~~~~~~~~~~~~
+
+The Loki API must be reachable via the web UI, therefore it must be exposed
+through an ingress as it is already done for Prometheus or Alertmanager APIs.
+
+Grafana dashboard
+~~~~~~~~~~~~~~~~~
+
+Alerts are already retrievable from the ``Logs`` dashboard, but it is not
+user friendly as the webhook pod name must be known by the user and
+metrics displayed are relative to the pod, not the alerts themselves.
+
+A dedicated Grafana dashboard with the alerts and metrics related to them will
+be added.
+
+.. todo::
+
+   Information/metrics to display need to be defined
+
+This dashboard will be deployed by adding a ConfigMap
+``alert-history-dashboard`` in Namespace ``metalk8s-monitoring``:
+
+.. code-block:: yaml
+
+  apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    name: alert-history-dashboard
+    namespace: metalk8s-monitoring
+    labels:
+      grafana_dashboard: "1"
+  data:
+    alert-history.json: <DASHBOARD DEFINITION>
+
+Test Plan
+---------
+
+Add a test in post-install to ensure we can at least retrieve the ``Watchdog``
+alert using Loki API.
diff --git a/docs/developer/architecture/diagrams/alert-history_containers.uml b/docs/developer/architecture/diagrams/alert-history_containers.uml
new file mode 100644
index 0000000000..3b23ad5162
--- /dev/null
+++ b/docs/developer/architecture/diagrams/alert-history_containers.uml
@@ -0,0 +1,62 @@
+@startuml(id=Container)
+title Alert history - Containers
+caption A detailed view of the alert history system.
+
+skinparam {
+  shadowing false
+  arrowFontSize 10
+  defaultTextAlignment center
+  wrapWidth 200
+  maxMessageSize 100
+}
+hide stereotype
+skinparam rectangle<<1>> {
+  BackgroundColor #08427b
+  FontColor #ffffff
+  BorderColor #dddddd
+}
+skinparam rectangle<<2>> {
+  BackgroundColor #1168bd
+  FontColor #ffffff
+  BorderColor #dddddd
+  roundCorner 20
+}
+skinparam rectangle<<6>> {
+  BackgroundColor #438dd5
+  FontColor #ffffff
+  BorderColor #dddddd
+  roundCorner 20
+}
+skinparam rectangle<<7>> {
+  BackgroundColor #438dd5
+  FontColor #ffffff
+  BorderColor #dddddd
+  roundCorner 20
+}
+skinparam rectangle<<8>> {
+  BackgroundColor #438dd5
+  FontColor #ffffff
+  BorderColor #dddddd
+  roundCorner 20
+}
+skinparam rectangle<<9>> {
+  BackgroundColor #438dd5
+  FontColor #ffffff
+  BorderColor #dddddd
+  roundCorner 20
+}
+rectangle "==MetalK8s Logging\n<size:10>[Software System]</size>" <<2>> as 2
+rectangle "==User\n<size:10>[Person]</size>\n\nA MetalK8s user." <<1>> as 1
+package "MetalK8s Monitoring\n[Software System]" {
+  rectangle "==Alert Logger\n<size:10>[Container]</size>\n\nService logging alerts received from Alertmanager." <<6>> as 6
+  rectangle "==Alertmanager\n<size:10>[Container]</size>\n\nService deduplicating, grouping and forwarding alerts." <<7>> as 7
+  rectangle "==Grafana\n<size:10>[Container]</size>\n\nService displaying metrics and logs through dashboards." <<9>> as 9
+  rectangle "==Prometheus\n<size:10>[Container]</size>\n\nService monitoring the cluster components." <<8>> as 8
+}
+7 .[#707070,thickness=2].> 6 : "Forwards alerts to"
+9 .[#707070,thickness=2].> 2 : "Queries logs (alerts) from"
+9 .[#707070,thickness=2].> 8 : "Queries metrics from"
+2 .[#707070,thickness=2].> 6 : "Reads logs from"
+8 .[#707070,thickness=2].> 7 : "Sends alerts to"
+1 .[#707070,thickness=2].> 9 : "Consults alerts dashboard"
+@enduml
\ No newline at end of file
diff --git a/docs/developer/architecture/img/GlobalHealthCpnt.png b/docs/developer/architecture/img/GlobalHealthCpnt.png
new file mode 100644
index 0000000000000000000000000000000000000000..9571e109486d9fba06e02578ea55a473d733f5a0
GIT binary patch
literal 28690
zcmeFX^Lw357d9L=cEiTDZCed@(%80b+fLfpw$qr6?Ivk#>)U<q-hH0qeSi7>fcHAC
zYtQU8v(|X#Tx(6ZqPzqGEDkIP2nd3dq^J@I2pBmqegpjh_*-3kDgy!nZ*DFkq9`RI
zLa69qYhrF?3<4q<o~#Z9P#(d^`H~P9_X7+i4%Gv#K%I)H0R&75@)HpZX%ZG%Km?w)
zid|(GrJ9qf=yW4UT}fCcZA2#nhDwriZ5}1HtuR>I8O<io<NjnWi|L#4*?6Zb$d8jf
zY0}mb3=sDnFLN(9Mn@|PoWwa$<cEAP=8L^6BUCjlEml9~rFZR(O}{3^DsJkQH?B8b
zu~3G%OAx_9k*wa-%PT^g4<NcziIUf#gw!_}%GYGDyqE^sRPe|<%#f2xJK3;VU;E|2
z*~2fb!Wh8w#P=KuH9*YP0zFJX8Q`wWyh4^V#xcV|f8c`JgD4E|iByDni|T9`L00)K
zVXVjyhFpT2N1b!lzYXRx^-t}YAm|(GfPcdvPLOhFoqeC0d9fWCOGbLC35ljo67Q$E
z3T5j^X5o_dFGY3@XE889ZwzTs?^j>I14$xIk|3oz{Y;V*g>Vdoh0Jr^O7t1|lMpWX
zWOTUNAq%sZK5p2yg-~($6<0X&u}Fs`A)K7zvQ>(FjQXSSF>|3+inMPE4c<lh#jRjY
zV!zU5Hwr8#wU2DRVp<v)6Qscy*k=d$ejH?;5eL+7D(v~N!6#`#pGtXkP`b(bFTw2H
zY7z)&hLb`D%1>mji~=7GGJ}cbqhQacFv-O!j{~!R+C%Mxw(6xq8mP?>#tO2tdoW^l
z5t6E;^W13>%1bL=-bh~s?j}3hN04&J8^>nCIebU=a12{FhJ-0=b#vg?%98fsRZbvC
zEr~*77~dBkq}uIG4K(ZdK;#GWv&PtOgz!_CX8Te5mcX7Q))pAmFc{cY$qf9YBsLbx
zcS|rz2w!1Rkh-t#z2Ny^iXgYTAq}JDB*VB^bXaNe;5ousP~QaUUl<6|$ndXH;By3{
ze-Ui7)?Dg!wAN4!zIXa4KFfU%$S_M5=l>O7%4H@6PZokq5~eT8vxbb+^Lk<Ch7d4;
zen05_;rhWu!A;tXgqK*0q5;iD0To@!H_U<6Ec8XcOw-6q7j6y5!DFkpMZhR@oD-Y_
zBBq7s=6fIbS5u@C<MJIfmEcG4`%UJDGn<l=;Yp(;-Y8trrdRu-kj{`H<j8Len~M_I
zmV=6&%OWHKPo}==-ux%|J`MdC`cO42OZF$Y3qkYX<Sy`*J@f_=AKlEH`LF@nfg3we
zJ0t$Q-+Ui-%e<(msT`~9&z#;WaK|uZ$JDKO?~F#AN-1U1ri^-<1N}x&uCv4$wX?Og
zK@>YIlVYozqx@Z=`#9g_I0(+{eeHdHeP=ne=O{oBGkQ-q-{edkA^FL-9G^~LbF?(`
z=C&i?K>5j7x8+$t$a}z+`n<IKDK5Z;2tSGj0OFvPdPM=oL|O+*jOgPK*MdxxkYl|T
zHHcPVUwY+hpiZD}^I&kHihCjLu(hCEw~r1%7=$?7ke-ksh=^E&Vz3B{!q9j8T8K9!
zK~N(^NiHR+6Jm^r3`AqbMfXVxhoz11>L5$SeZ&w+hT<J1KRJAI4|5{6jZ>fuQTnVs
zht()9@oj?=E?O9E8paHR8<I{GGf!q3wgGlMdg1HPG~6%e20ZWZJ3SEPA*?j){V;b!
zD_RVh@61e8?4M|QM{B7oFf4=aAE_5&ob?IpiRFjVTS&BeQQS}`zZY-SUy?m=dr|0w
z=Jr?bAYIzL(D;ip5_2MZ!Ql1*gfaA~zose5FUfO?azfrKL2dKJOBx|thw0cc6rt9K
zvxLcneG2mopXg`bF*HC57iA{oihGf&C8ejzRgu+{S&`!wZxcQuye%s&PcLgN3ob1z
z4WEyg8=ZG4#Zztnb|+gITOrm&{G4Do;&tV8#eBu?K=O#%8n`AgU9_b5LKU85HOeau
zS(xGw;ShVJrmelMwJzZu)h6j(<q`bEe_MZqG%uj!Tym$v?#!zyuPwbUWL>mT)Kxfb
zw$MPRi9?s$l%yudBjhP~JfCODX>P~*faAzY&343EW!5o6YN=^n$4X&=VUc2q|D&T|
zxlnAOZo$CPzR|=|)dFv!t#m$LZqa2rW`1&3=Ub=DbJm?BUP4Txd<mkissE%}HX3*A
zA=Y}pWYP7n>%-Mw#lP^{M72L@$JjL4l%C<QtF7Dc;qke48g-g`Bzs8QtYBk(&*;_v
z$(+J;$6~|CkHCUIh(nIm<OVpcq501L3uzH)2J=_yuk-ots`n8;b7YG+!<xRljjb*s
z8#7zZLA$bT@$bqZ+TWc+pAila7_hs1AMi-#hBqiT%tEHs@*~Ch2FVAv2T^w$2PvZ3
zWwFSG$d}2D$tC2t<qnHLi->2LXAO%O(mZ4_SW-25c}GszS(qak6Em%uEZL4(nwb=s
z8JIUMeKrFOwyopMKbuS&Ok0~<aIH8L8AtEo(bOe3C;zaBp2sdnT3}zGT7auOuFPHi
zwQ6StYi(h5wmf46Ze6^jwyaZ6vf{qFw`5(@ZWX)YxdeAgbIQP#hnRy%9EyNwO#)5g
zB_1ZB65Vnr>1@P>!MVW6?_|I!#)Hl^&(n!x&c$r~Ga}wp+{gLOZqj*U-)m89h-{{C
zxNv$ey1bKSs&VEv<I@D)xOL2zz*S3EC|Cby@%u0MPO;PYaD1A)U2Y!k(tMVDJe{<i
zGo1^b>o*IxG1odf-V32yXeTT~#Uls#)y1}5=RTX=FSxG`FD{RK1ja1Vj25dULvQ<U
zTJLmkr=a70H+~bKr~W4XYdvK>5<(b4FL|dzQvjC=s|A~da=imR^NX)rNLIRcv@VX&
z7^wJ4s53ZaXc-^d=x>D5+yQC;Ie=@6#6#4@KD4l?N`FLHCaxi3tn$QR%uPfVx;t|O
zPBL;M{n6(J?*`U3dsc34hnuqLdxHvtex}=6!W6W2>N}q-xwWL0%|Ya${^(NNYt{`i
zACs4K2#>ykAZ?g)v_P~}vJJU9xde(vQcLn!g(~^CIMjqX=0fk2;oAB^9Z5D>^g{N6
z_?d*+rsCTuIJ{;Lts%GA%Yj{6*_w1l>%P|T5Hv>${PY5@aGpa!ZX!N1Z}lfr8`|cG
z)x_QrK<@N};q}6W&Q;)p@r%5Fw_f3vMv?FS==g!gn?`vZcd&n-gMMllohF4xHeP%u
z)w77a)nrW8+gj3Er@Mvwp?l~6_YUsm$Ow62v7AjJr(^`#sj^pbMa~Rebb?JPQ5{TO
zh?n-mXW!2@H1ASxHH3M2b$PB9S99RA4aMQb+F3RN-j_F~!TQ17<2|MqCJp1PnOwH}
z-!&>UzL=2IvzRoG*QV9$$q%hvwDKH$-rpO4?i_A4GoEgLq`LluiN%oCzICavEinJl
z@}o?oE&a`x7ITy?$%Yc=+SQ%L$nKO2naNb{)Ra^ooxU#)Z>FiaG(Km#8LbV@=?8Vu
zW8q^1W40C0TD6XaccXpDvFgz}s_KKZG*q6=9y3RdduMx@3yKTFiw)|c>Z}!wTJ2t^
z2hM%Yi!^~W_f;I4-EOa;2rmfg>>sQv){Qz!oo0(CzD+bY1=*IC*Huw(O0Q|w+#WXl
zv^Mp*d@J;5-@cnU)pZGTZ8(qGbgx?}Z}Ui<t}<pbi|#0Lynk3vy$?DuFLAC|uS>0M
zb|P4!*u39aywSBiiCx)r=y?`A6)F!rMw&)So+EOeJ#IS=zCA@KMX(MfL271wV#9x$
zIBdp~Gm%S{xQU_Vk>+aKGJCJ>Gvu2{*st2v7$RtvwP^J;I0?6;7|OEZLw7zpIjotb
zn5>z^<vI3kI?Ot6{eI9nwWxd1q3AljyYqFE&qrYHXj#*B<XGvuaqd{Ob^c0>4oru`
zi^cH#>>}qPy;f}Nh6~BzU}fg6ZPVt?riTyD{oOGSr0dh!WT!-nx`Xbq&m(v~l&bI2
zYi;v-{p;}exKK<2GTyf5wEKrWwB^JpJh+^hoD=~TZ?)I8TX$tsz`-8ou8vbjQpd?L
z^_%kZ)NQquF5U~xuj<Hk!*(7W8QuGCjjM&N(-_yYb4`yO5B!cP&&~U<1&evE2NLJ8
zru>Co9t#||EQgK*nC%SFy7^rj$5Y4Wsdj~H{tBS*?5r$kejGd?d4*ttp$F`voO>E}
zg2;Q1&LIBpLCFULpqCJN7%mZ0ZZ0e!&wBMaaIN~vUVRiFK<6f`OG-sk4)@D`e(Os_
z{@UFAUdaSfAP&+c`TYFMesk};{2{OtLGb$H9<~aRsGG?W?l-|^_2^|VAE5Y~c3j^R
ze_}A#3&VGY)uA}@%1R_CpzaZ243ILBlLMg!#-TwVKyg4IfiY0v#}E4HZ(JOd5(NA|
zbTAN*P;(H7KY8SV;qNC7`2FVjCj?Ij0r@Q(75KU3f&H5sj64tg-#Ew(FbzaVSwu<-
z7%Ce&7#rI-n%O!zNCwjY2{3k&8jc_!7-YXcP$?zS3!wZ3a}|ISKu(t1(AJt>-^kX$
znBL9W?zbEeUN>%F)Y{ldpU}<P%Epn~jgR<0Ik<uG-(&`2!vAD(vg9KM$SD$v*g6;!
zvePrtGZOQ|5)u;fIvAO7D~XE#VF&)>BQ|q#vg2l8aCLR1cV(fsbueXM;^N|BU<96D
z%yhsUbdK&ePWo<iHjX6!2>DlzsIjA=gSnlPxvdT1Z@Kygw$4s`#KgY~`uqG-Ph&Up
z|CVIq_@`OG1~U9kVPK+XWcVu^$jbYh%B^VbW^AP)YHkheGhi9~%&e@u|H=P<rTn+V
z|KSAumy?Z+@qao0C*}X-RCP3V5V5re7U{(Q-{Jbh{J)8R7<n0fxBP#4;-7B*4;9$Y
z{II+Xf5(g;_6*lf0yvDg=AsHJzz{ge{_}VMe<^|A?-2Nr#b|_^uK+_$DN!L6H_(%8
zC^vM~r@?MgQse|hVVEGlAP7+p1~6)|GL_GQkOkpwl!RgtVGXJfD1qMqJz@}G(2^*M
z1@}cCh1zcLJ^bQ&-aB+VmNV@rKy&tX*4}yAPv}@2M{Tc8+|L(d)FmZ<S#Jx0kqZ8K
z-$B51K9axt755Oufx!IpQi8&wz5Vy^iy^dP+KVARB$V*Kd~rpLmv?t4y1Kf(<*Atd
z@&9tZ_!8Sa-&u#p#xD9c+irSnDK~#4*AWjEjCy!{e5I2vk;Z?R)r0y|`UMgxh!B`P
zDkdfcl4e!`v1|vK_tVYJZsH_Bno|1B-<JXx^-q;rqCp^Ff<`7X?U5Q3Wc0x-!@GUO
zBNCt@a-$RfDcsK+nv|4uxY1Ib;Fq5=IypAW2i_l(%bb4%!~xUS+MHz!46Av6fPR5R
zBOn0CQp(~}db7*_X%#!MpuRzV=)l*6KN5@4@)$2~D8?WEw9hXZ*bz&=^zBRjG+^rx
zf>M_E6~@u$4?&Lv>?1k52LPA)PqA*?z`j)Q?aLzgLs$v}2@a3O#|V}FQ)-U9Utj-h
zF5`j3|Eq=|*#Dp2sHtR>N~O;>f`?9$O=pqO(~Dc{^8P}v+eMm6uamS?t`31F<NgzV
zgv`h1aBnC0+N1K?ogmi<HG`viEkYqK&CzskrE#fXRw$iW#;)mPWq)K>VsC#UQ|cgV
zQ%{ztRhTThy86z3+e>!l5dQ6LB_uVqIg8)@C5D~Zc+y}$L2PHoW;k7$!kNDX+u8(X
zk{l~AHdaB&)6MaD!J1_g&SC#%#Ax#x{NE8z_B#y<Z*FdWczTj*!sRM3NTwiVRY-ey
zdZc>)v{*g1vEFWUydUkrzn=x1!K8E-EnA0A(WJb@N^eU|s_a!?$T)U)5+;kM;)FCC
zPxE#Rd$TmC5pj_k?WT9Gj4HVu=-AbK(wIM2>9p=}CZC}1<m=ZTka<pK)%ncBF4x(6
z&pe)Ri4^GMo1h|N5emp>QkzcYEWF`i=EaUG@RCu);w6h+`^ciIy<xLR?^!5F)g}}|
zI=bed;cv*Zq#8$Ja%XJQ{M(oeU}L17Zm<g!w~3XSKcm4gV}zvDo6Z?*9c1b_ga-d!
zms~D4VdD{RI+Hp4))-e01yFMpdyz`tWVu>hZp+3Wi8Sv{H>_zf?LGJn2SMETCYt9G
zm^`08a=APx&UhD&s>Zb;WMa{bvZY@<Vl^s}W;=PHA!AWi>YPy$5w%7G0Ho!q3{u>m
za8lHBtmic^+B^>sHCSDnvN(Nc54{er(4!wp>4su)Q?QlEN9ah(>>xfEC*U|ANi9bt
zPk70XNIAxS#|c^te7+w!&txZU{Lb<3>NN#xLM7kW;7?cwNNYBon$aTp*O|ZKEZ6x|
zwh44}bVSjRmeZfb$MTbVj_-8qozb=;U+cO`e`BPoK0|4dDU!!!IEbnV=cvMVg-PUf
zzfQj#9BES>Q*F`W_0@UzITKH-&~DXQNcY8Jh*{kiaP!?AM0g#4Cjvz!{Qb70)g&|e
ze*sSk^gzfQJ=69bp1M9rbBjik!hmRTBZlRpo?^A8_Zh5Xeq62odC?oV@Ad5#w6DM}
ze#ha}qhiqUWTR0zh4x8G{!{!;ZtuJQ7ug@aO($G(?~5vmR+`P?3)MR2K?BbIs^oN$
zBUie<DakSz6po<FuSjvb6n`r5pFYqC2vkk#!DCr$G4SE2C9NH#+w~$$$=|M@k`Xdw
zOE+KRT4lFYiiEB5XM~QWq-=MwQg2o``@u^Mzfh?|1jDgQ(86eb^#V7@hDK_c!jKHB
zS|%L;(;&t>^2X;YU8`gq&FIdpsy?|um&xk$;eJ~%?hGC6A~JM15JJ-L_si?=R~aOQ
zn5a6t)^Gk3j)4%Z`%UXE6AQ(tmXjd8-XwYD_LKCX1G;g1ZHX12UMWz`9wBIiWE%yH
z$l+xe#l7oxY{$4ux6`0h<AOtK$k%x`EfEUcaHe1Y?uZ#jfPEC;LoF3NR6epNgBdMj
z9`JKaSFlX2I=+nYl5LqE+J_Av_eC9JGMy@Ofvl~LQ2_tnDdPHjifGguv)E)D6i8ks
zkn@-%oGi78Rb~3A9FTB+K{VIX;)+G5p=TjiNILDdm2&Xr3>qmj?k;OA1dK2%<-2GD
zPe;raDT@W`yi-0!eS-kUA+hKg_{<}PMODm6{zNIKnU;cxWZL91#^r9)SQ9+5w96gN
zmqnl55borUl*i-#=TiUaBgvi^2rDvKFxmBlq1+0aI+Y_!@=*qX302n+a9)d`pA5)E
zayhnz*gR<6IF<&oh@`FDxP3-@GXr(Y5EI0HO-IUXg`$UbID$AyREY}&>DYXa{ziKx
z1ERqr5*7n6BY4z}pIA{L`oA^7GTUt})Q*n&!<kJ)7)$k54^ukG6S&xI{oNLlfx`s@
zo4PlNMozcdu=qq`84YK$NWcSeE7Q^0*#NDP4x3yUCDqB-;#)nQ%SMuJXOBS+%{vhP
zy}v;4*GD#IVa0Ly!xjPAY^P90p`KG`v;uDTK6RW$f6vcz2-xg3dRyL_hkcWMKd%a9
z0#>Np31CviC%#B7RP<)7bT~e%S?U{zj%Z#_#qUHh^{fPX(DME>ktBQ2pqHf6K->oX
zK<FyeT2~U=2njgYWE7G5r#@<kWQoVbA)`}6d+~YvVn9cXf!dQ!b4&kbtnW?`KRDIM
z_>H1Ei`#y!kg;^LCB28Z-u?Ru={-uFH{!{<VgI;239`*bJ!5YR;~6tLb$ZVtcL11m
zyAldH)ctAltEX!@R&OV=NU=gz9QgCy775Zn%N(_a4|Ej<ZH~r&58{%@cvL+uZp~fx
zGn;R#F~(szxyW91;IrJq7&8e*%*OV<9hvL}1Q8<g$H;4Sxs<62bJsS9xBz(dNKFaW
z8x@tC7iQn8aP{T9s&voBv^?AKp~a*TiJmjV0h!^i;Lo&l<dUHabEcwQ86+DJeKzbV
zxveb4WIny`WPjFsCR$B4qy2?=@S-3Z8mb;G<y(;j4J`(AP^ZIVU7M!XscB#Zei-t)
z@<AV@gtBiWxInKCHwdcZS(f>jdv%tqNp2>tIC7y(8<g#hrg9#FH}L{^RbE!BL%Cg>
zk%2h<i#9L9VjoVz{E2(uc*d?o?2+3gUrhgwoyHvco<lY6?!M4VWV1p<r$ZFh_YJ`k
z=&}FV1FVC?!TB+qUjn~?zq|d#r%S1Rr@`Ug(~dv?tV%&JDj3DI0@A*zzXYUckl+y!
zk*SzJYsC*j2{n&VN-8M#F99D16gDw5BnR&gf&_snAQjY4NPrgjOW<V%;yEM)J|6Nv
zy@e_%<=00_hT`*=;ARHIfcQ8bF0y~YaRNxNlr-_nU&6%?Aa3Mky*Wwyv%5(Wk^zfO
z5`9Sjm$3B}<$_Xw$IxZ-_WGKw{pIOs(C6~<5(te=U9O_LZF`oOuz0|B(K8_p7I!i^
zrcL_1n@2wVZHg9JP3Lb!t~MRVWGFt8!4?@58Y&Zmy9~LRE8wexi2ouZpUY2DTU$#_
z&A8owxCZB+xMWfzDjFnXXIHb~a<;~`-2Lv?-=C#mk=Tw?ES7ZeNA}hk^pZ~6!}GID
zJaMelY7>K0tHU0ta*?cflH1`45muE>C-rKRbt()R`DhAV_ei7V;tVO;$B(4Oqe%(u
z)|xWmr~}c0m+F=<HlmrS^x6r|$LzxeQk$7gt|ePi^`CYARYXYR$U(orCDzpN&J;+I
zm@n1%2L%N|i^2whuhFFeo^B3R6}7s3L?(0iXy7pE6Mp?Vba=Qxkzw54ek?Q|!%!+$
zb2fAzp~7Y^SZu<zHW`i+IuC~2|2d+}?0JWKeJ;V}eAHl^$@^FJv2%s6qLM{E25pu*
zUSJq;oZ>65%8bNh7@f@a9nInMoO5<ORttFK5B*55wFFRsm1(kC{yCn`!fd}on$B#T
zq19qXgiX|6yp_SR;ijGA(^h0OnYFCtI1LbO8u15*QeDd1%;IvCzT6ogWoDiMm<B`<
za*=)hoI5flz@R20T_^tN|9A9rpqG@=1VvRUHN~E8kLez-57b=|Xfcs-C1P;nj~A<H
zAOr*iMp7B78_X`VP#7no#mE9rR+|+<;2)bSbh|%S(zGB4fFB$IbJ}(-iw!^pjU`b{
zGdq%35EZkAVJv=|7#@b+<+h-^J(_32K=(ywFhip!0a*QaO|239-jg7T`jjpwICL$n
zMxsA)7>y(pUTt`a(9vNm*PEuky*^7u<0zPiOk}WGMjIEj!(u_h5D?goBvQmSrE}P(
zX?1ytt+RX&jcpkJMWsln^#T4D1v-tIA``RYz7;n2jd!ox|5;#vyh;T?Cj{Y>0qrNQ
zxrwW@_Q0Rbn?4G476qc9mXae0WPACsA?0ik8f={&xA6k+Yn7Lj&@PqQ?I|7C@&YjM
z@NsgPO<3iljC@FfRWW&af{iOL&zmBogoJ|ZR!c@fqn-}Geh@`V**hb3ll)!8*+3Kv
zQ)iRGVM|`!xuCHtODL)1`-;HjN<XNC+(V4|F-gi~JdHY*H$fqWK!E7HTR<y?L07-d
zsS1vky1HXVNXPAKq5XtW+~YMSbU$L9ZG{#~i6try4)tuY!h*^UpXVJ;`2;daoKO2P
z4uu`j*X*7iK{>e)HfT1bDy`PCWf2&d5zE4!XbAlfUsq2;xRH43>=nMQu0!~#3J)0O
z^eUa`#tz&|j?!q*-7bf{Q9Nu#Xz>te(G+E^HM!0YiyC-afd~Gcdf{!E?tsRDKZxK&
zsK=!bBGR<o#d>c5^GiC&ylkDzDfi)zul1Vz6`~OMkQlG&EcwyT#bF<MeXd5ZfTQM5
z@6zfJEE$Wx&Nc`U`QBj8qGCjdHgweU4JMw|^Uetd4o+ESB#!8O>}cMSc3oi7`fDz&
zMxA7DKzv4qR-PbeJqQ%ew38CJ8;8wW0T?V?v!PC!ClJ`O4Gy$c&TX7;bV}@xr&B;9
zHgVTH986}*r0-;iMf#xJoFDo5na`IMexz3UF>n5gXqdxc+jX*3%W{YVL4!#PP|Wc-
zf|*sf*`;r<P^&`t#D2t!=P29O+X0%ZR46UIH<~P4c8{Ua>X7WNV_xjZ)7*Ri&-Q;u
ztS6$MAa)$tV1Atdn>dl#jAc1=-1bAGRhv+{=0R9A59AYUm6(`N+DkzSXaSDv@m+`%
zkI$f1st%?@i?JS84fhXnW+#)0j3SIwkx)d-sF5<&^4X8%$ZXJ~*2`D!a;_m_AW#^l
z3=Fo>?#pe?nO^tn_jPWU2?Z_a0MDnpQ#u9S&l47aC%zR4KSmu)x~FA8D1VaSP)vIV
z)M8NRL8|ZTF`Ha_NTW%ASS;%W#~wnOW0O@cv&9^Abfv#>zlI{|;Oj;T8ihP{r14ma
zC0Yy8vU25@?viEscGq)^Fd;zgLiMJe=$2li7FTodrNFBbogu=p)lApx`1N6F@TuZR
zD%5{eHopT@;Q8K5j0g%!go2x;x+}Qh)1F()e4<(&UM>OoS*Zf>`SD>l-U7Ra__Y^`
zV6@KIZcj^D9lp+LrP;Qe9yScF1!z>v!jw5^LQ%hZ*iANmxX`!Y@;5g4k@r=zpRN)0
z0U0b!<o?XoLJesR&2fJm6XK^%hntj`@N7|ZbYWi5!WV3QuYz#*<qB;m2qV_b)EOt^
zgW3WwBpLZ^?#70uG2gfA>?pkF;6lp}YT;^?nk6)FXV_7u{b8T!gQeP>_${cgxt(e>
zSuhyh=2aFu<D#ZdSDSyv3b<HobG7slO80%g&V0yx!|4uu#O1V8T<1Dn?Y06-C?6Y+
z&o?@pF+S?+)3QUNmFo1oXB8Ux%4{+Y;EOdizU8$e_yftFe}f=@xB|Ovi3tNXO|cI%
z9-moH%c}>==Slbag0T=GM(%!1%ULW`ltz*S=z89H@lZXW!#M=Q?#bDmgi19^b-j6X
z6cK#S-YuI53j-tfYYMezQJE9Av6H$vf3J$brWr$c(_+jyn$MlN?4i4QJkTADK&O%8
z9W(Za1hdDoD<_PkWM)<}RP(qy$@lL>X5&QqYV1ttlkax9Gbqj6-%>GYK|2wFUfy7R
z;Q0e%Fkr`tp?ghyS4J@i(cAZGq?kS!<_^Bk3x(9{<-s1C*DY<qLuv#H46K$J2Bx_o
zmRgmXru=l()vSztQsie3@l54v=FvB79+#|eH16UQd?W47R~H7f8m+#tp}niU)Xfqa
zYPPCL$6e2VK<o2=rct#y?c{masxI8uUI+XAacpcpkElUf!4g5)9<m+4&(DkqHV`M?
zfiNU`ck}A+h21|cv90?Y7_FA{N>xg~oh3Tn{9+<e5zqW)-9GM|%9e*-ct!+!wLej=
zmRThCsWcd9hH=xV(esDL<rJkuq{6f~5I}-1_j%n|aKmV^^teAeaG0*t?XIGqgnqKx
z>`GKimzzM{{RK|{?QFeWI`G4-ik8>gBWLHL{l+D1{O1NU6g;>9ThocB&p>cuO)E3-
zvwn)-l}fg!-hS6~?lh2=6uP!Si{=+pmX1$rCC1lJeB7f<5a?V$Go;!WvQni&E`Mbe
zepn$Q-pZjP4$D4EV-4wg{~vn+zTEHKRsp>Gj=-~`Mq|!X^6_d<&N{&<Ln!dol8`$F
zkEe*3l$cl;^9yZH3@z#lwStpvl+2wT5tei+eIXNWFf6)KEm(ZL!yYwSf2+tYd0ezo
zjb4GK`b9)A4is!n?>Zw8v=~{pJ^6WdJ(^_2_@1pj{yvbkw2P{Wi9|ML$MbbMpDZq$
z8Y~J3>4EXKQAjY@fDiQK&};|bi@gZ!W<La-;U;psdjQ!*rK<U&Fwlt%TCix0qQ+}L
zpaC<;Z!u@)je%^SW&q#!Gu`w^rdS@YVFSKDXLp5K6`x~=hRFq@icMu@U_;a{mS_R8
zmMKiAmw@V@W#j)&@Eb#2m~Dl)U5!}aK!2$<a7Rb2q2z=z>O&0}z{Q9@S*|}s6MKO!
zYv{|~^&)L!_nJcuNQ0w|d!TpE)LBumI#F#LCY*&BQV^h<;|!m>+p@ob)MxhbGO%xf
zgu}p&8~_<AHLA8VgvaBSq=N>BLS$Z+I8LNqA#eY2C?Y8--<Z-P+@RMh+(=9my+Q<m
zo7&en|83yfBH8Z~74?yF;|e^^P1WS8bXpHLn?XMm^<>wp%eR+{@3hX|M2%Qy*y><l
zQ>9*ybtXC9PQ|9<m_h??>~a~btir{SnwB-Hf&c*iL=3g&4HLT6SZXyZ*Z_C-5)(n!
zKPF-~M9@`OG+wY4LdDwK5sGq)BG{vN&I&BR3nD(RSp@~f4JJ>WAhO8iVX<N3IBx*2
zHlC!=WGX}Ma({Km2ybag3Z#I5Zgi?(W{n^reu4h?Cu*FUc!D+LnhH+o?RJaBOFUYZ
z^Nv|{Z7w^s+tcTmHci43J3;u~Z~kr6)~ij^VjZ6MIdztcx#n$hTVRJPw+NLstM#U~
z%U!RrJcAG>z+*^t!=pU2385T9OB%WYkJnAFtPet{eR?`kR$R`eQJM%6``Z5^GMvkl
zR>rqPlE?YTX$HVV05E;J^ImPx9yfxaTM*P$SqhGXqHj1`_dEuyG+G+w?4cFKj4KS5
zu}R&tIM~@=?EYg3@H0iLX=Lop?`3f4kNG(quRZHpi$b7<X*!w34(G)!r~DhZ4Tkj8
zp`hQUzuYeBmh!8%5P*S$JD~{zi0X_+$}m9t>+-7a$TJIsgB_@ezvUNyf*Wo=I+ALf
z?p849K;{br_s0s0$@%ImLa)VHor2IJqgUyEJwczL1UDuhidbzn7&A|dKoki17KjvL
zp8j@wyjV{5L2Nv$66;sH)iU!@3=D_)?C^sBCn$OvK#~#~IWksBKC{mY=N<|{ESS0a
zyf9=fxFsyJ1H0{;oSqyI`Bo3E>aDaidp$a6VlfbZ^NS#Z&PYqUCdYeH&lYeA7niOT
z`9;*iUI=$&^Kgap&wlCoTO+d%Ca?hm$SZ~+*kIGPL7RB*M%&;>rmOW7m9y7Ah_E`H
zu86JkA=3lA+FiV5FlXDfMQbHV)F2NhosSpPQjzOaYiO>bKiLQHxor*lw?krNn9rJ+
zJyn%6admxfQEY)vr)_~+W)7RM<L@C=uhPO12?XF291znzT<wifhXL)4c?1wpp&{g&
zvT@Y#wL!EQ)T(7z^a!#M4)WHk@fasq;1BxpVF;tP>^ecifwwSh3K1Xuk4^kyjDHTt
zvgLdbh60=3Qt}5w2|C!PZNRm@PX3R|(&Gs2R=_9}-!Pg?V>wC}kucETZx(`Jz+Hp9
zIR#n{V!#2^*9x5#5DECL0$3$1%Fb_(InGL@!q8e$YT`I77er}>`ZD}E5t7D+Xq3MB
zzI&HPz(eQFA+|`z9l`f9xt@7FUVM)?$r&+ZA)F%&!Qrqe2!JKKM<G3_=_??U#eEgo
zA{D5~WOgyV<M4#yvoWv^vCJg!VicZj$=?0KXgeg}6?>1&74}7l4Pb=aTNa$bV!hH~
zBs!k&fv_)NzjLoi62e3=a(IpQ8zi~mfX1Scm!L+ppwZ4j!iig4&;(G%zk*o?7!q}*
zLWRR)HUzVO@2h#fFjoF(UA6EmSTXwg5)sM<Qia>1N9dvW5#jmn=V<b5l(U~EOxME>
z4FY4ZVlB5F!%<Mj`<voA1GHM4uCI22RZfkW3P+=|$E}CVvmc!4M253(yEGxK=sK(9
zI-OcYnAhtq1X>*TDnLo}z=Okl6qyzoTSTtM=5VG^Zhl2dGaqui67huX=BPZI^@G_=
z0hI|uK0y*x5Nt%fK8x6mc9)k1oph*M8W1d#4^#sh$Np6eWP0+0U@(SW9toHt*J(0l
zA|{?|T6zOOTt{AU&Cseo^m`G)LHC)I+6PAA^NHV`t-A`yZP+6{`3*okPdOc4WuV~1
zW?nry%1*b~HVh8oad3L0pnMjb4J=nJw_yMHA_Q#p7|)J2A(kS1mC3{rj>6SJZhNCa
zxiSk*V4$~ooH+#M7*H#Y-jZgd>ivwvdSdlx*ERLX7ZAJYQC|Mxj@ShfU3>e?-nl0`
znAJdKO$-;ILcuPS=vT8)pa(T+v(=;Ax-2CYhus#>sP}kUZAQ*%nVio*J~KUEFnluE
ztr;^QJX_Y?Q(Z?s|2dMF5zJz_koEkQ9G$nKu5)Mx#*$ec3~qc>%W?^XQEyG0FSc*c
z$iDut6~Cb9Q-J4a8sWM~>0La(_lHv8E`=fWJy5h`tjT)yJdNh=rZ<Nrd|>xQ3lXai
z`Wr;GU1|?{5Xd4>xzezyORXcSIa+ToZtDOljfLjJHC~(qcAJD71zN3jny>6KDdU5D
z>^&drR!cA0kO^zZzk=Y`dD`{tu-L2tI&FW$=&OxZxvqaK@E5pX_$0D=&OP`nzg5#p
z@)|3z$Gyci6nys6_FQmlgZC_;S;eySE|X(dj<;XZa3al;7W81&3N?~3rlA4>P@>Nz
z*j7<pox7l+(dE@@(pj(oQ`XVP7x?i@zlqn?NE%NCSqs7GcVmb#n2mOBy<WdYVxWPd
zCDz2E2tGjW{&Y207FS=sYCrHCg#s0wZM3Bmwu~~Jaa+K(rS*qEfL$oUr-J9Lt&CFT
z;$!C}&l1;je2cG#v&G%+e8nPSgtS_!l1y(8yOhz#_H0o9GektP7c|{&mj)U30X<T*
zS$5!gaVwy^2`!me;YqQmy;+j>c#L_u7;nOZ<45!5jV3Tb@|v~OK%Lm>UaN&82A{7C
zw6Y4r38GM~OhrhWuI7Qz`|dlEgn1bqzPtt0=!xsunp9-+*9DlP_?EIluxUTvEhA^W
zMLht`7P~(WCAUYL0|ZahrvR{8_8L3F2@d16-^MRZ+Zt66FgKK!h*nMlEN}z!8Ue&L
z1DO=sdFpyeb#VeR>7*Yx3~rl+GU^j+y{}>U*gWjg&k_?@fZ#vI3^#JnRXDV?*X<9z
zZ!F0)>NDIVOOB9K^~Vd=E!Cr6k>MVkV}fx?+kr4O3lw}~7J#lE={qVAD?va<YBxc+
zZ@k@?%l75Nvd|>d6Hwcp_4bYUNL67?vH+$*StS~^tJ6REa}tjlIw2VO`(!^50xfK9
zH1tR1M<-P;*B9#yL4cLJUz-d<Di5|Oxuh>;%ZdACsmMS<s5V-tvb|#a57np$Ep2fD
z=Op@ksq&Zm6@R-R5Mka(!||G5H@~LWjqX*LYN<OL^geMCioh)MmrMnur2<t?PL8oZ
z3N^lH&q5zW6$WhyL&uNN7Ga&4B-OO{_|E~_o|onPjgTAjj-r_WEgsi1$|?R;6$YW{
z>TtAf7Mrgl7F4a7?8gh0`K1H;`tDJM#+A#dCMC5SFU|1$PrbrxwT7O`8J)G7P>RVI
zLiy$zZiHrW7Eu74ag>E{peeD?J-7UkyGuqUO|K%G+Zos@>g{h;!|5!ha}$AB7yz~&
z<LiC8j0}X&J65V!_fv#GtK;<6lGCAAG!4b{)i&*wVn>y1`V4hT3@#UO_sdmz)8~9~
zXY`1rOek7qO-o$IKQ0WvSC}Quw4MZi-No1E`_Gu*0qmFzI^Pbf09bh4{pWj3Unh#>
zGR<lz1L)&b!M?J%J2Whaw5~QODnmd{#hJ4>TQsBqhD>~8z<0j+ytZiyZ@6)e5BhA5
zcDP^9%k8ub9<fnU{^(DPn$eEIq}MV66X{m799f4ZFK5@k?eSqBh{R;Wh_z*vTYl7R
zaX=1LsyA_VUe+@dg@(x&Yp^wX%1h$y4=Vq7#Op3RuM_~Hb%F)YF*y)90&X}>&;%h!
z0Mv+QTksoV2~DER_eND+(N}kQZT@U2HJCulDq26SproGv&7C~_s3^9}3#{u~qYpzY
zg!MNqZUb4pd62x8mQR|=w>m4LpOD#W$n_irUPfKJHd_g13uCZ*i(p_%hm!T^u`t1e
zw`c6f?|nqmSTLcH#<8oH9)2t*Y_}l3ev^j>bJ8ag(t>>ohVJLXg45B4A#H$T`arMe
zKc}Z|C{EBqZYb_+3?*L!*v7xGcaAmm^7_XQQ6m8Q^6q72bw&L3{aC|2I4Fo*?NWN$
zVaEU~Zs*I?BXn)hs|PM<K@Lm3sD02u=&sN>Qb2#Jw}Qb?>py-00PwO#t;u(mza9V^
zazXtaldY4Of32)N8NjO-Y@c%eb+@A0u>db;aDbb-{^eN!+VU%wFW~=pyW{*afqsP+
zY|i$-ro$SbRD+2S(?8xNKZrG1;Qft>o@KnhJZwOzmh8MD|M~;AOn^=Vn-7y`e|ai^
zQUUeb*nj*%grFS2%G<Npx%_(vgj7!sC^Z9N>aWkEB^_A#O#gbGzdV*esS8$aA%B}U
z0j&HQeAfEk+c^KPOC})Jh-BZ8KtSH#^XKFPKtOn;e&4b>^@egvUQE9IEP{ZnO(+OG
z?RnlAsRO@+^$9g~37<mVggGaDyu#PS*jR3%KV52vG-h`rnyLsByy$)drPDQz5|z5-
z)iZa9A}1(FRp|V14WhgFzRTsl^M1|yp6h@=_u?Xqb|fEo=Sj-W&J2HZNg~9LNDmqd
z3>YZlqYRIaClwU*D^<3|q9iH}EYjQjlcWdjh5#lm+fhVSN&J`LfJCpq|9bU@#UK9v
zD^rpJgqN3B(0g57-Hq;}Xs@S*b$`F-%8Z4<Z>fT<qCHcay28T3WL$?;1;xdwGVmRx
zGr&?x*(&LcKln!^Q_EDYpv-)e`x0J4P%6$sMy64v+etiRh%^Gc<U&ft^qHBNd32m*
zH4qCdC%~_|x*9^IgitP{IjISc=NPcNd1!9#@H%R|-0s+(#p@%gl#s|LEkx7{3lER_
z4&p1-;@v)%(+O7dt<MQ)3-&tSE>S!|BZYNGZvu~{G3VKz?hiT~6zU~HRV$28K`amW
zfRHpd_c1&+GI6!pMjA)Z6{<mAln<s9@cE3Kd^lMK^SY1gnI+(q0GTkECR8f9OqJ{-
z8UoL2W#;9BD;gd@)lj4RHvw){(N0MiL>LryEEO?UKwI4d&o3h>qw5xNo#6X&rN)dP
zLuMHng+#c6Nl6RoQIXKP$*h~cV^PVzY#vnCR~&BjBaxxKd(d-{3JZz3<o+OtR-e;|
zH5qR^A4SEQIrwV2lNNP)-Tr!k5>t?iFpD|S<MijJ5k`<jJ>-Nl{;Zuna9WF9cXwT#
z^S;OWg!G{x*^Y9xa{778xuj1en6)lL<zOq#;uD%?=Vh(7xvv}u(`>SDR)#5YKO&Ui
zZof`*18>AUiCV<?|7uV-=)-IEcvQM`j(7?Q30|~X{hByu@agON`C3<@cl=<8^^nWH
zDb(Fries@t*(L4K>j|$&UI&rjC&@1}_3wn{(4I-~UvPbQxvi$Ozebm+b%w~N0JA4_
z@-&qr+<lCqRx2Yt<#tu}taUst;ypF`eAL%UMO#tVV7saFEkC~iXp^<r-QC&Qn<<p3
zb3C92x&X@xS|+%nao7?-!JkIv%hiqN%h=Mo6K)o=L^v^>&elF_HrtRDE9AzrSuP}(
zDDBnui}L6-;>;9@NYw0Oz$V2ajR=yH7q*Y4ArY(<XV04tf6X71-X)*tDTp1t8i31+
zCGfbt&Zos9M)>wgDiy!eiFsR3Z@cXNM^~rA!<J7gIzeh6RRU>r_Cv#5sk-j4^o*b|
zZtg)L+=0>kops-06nx!O)|d7;WT&$Y<+l4XiqbS*Q}4H0`N`IF%H#D4F&gZTEK0|<
zE_)8hNvls*kdH`G!q+L4#t%y{4p05|8jW7zYpu>S&vVp-ADHro4u7^<^=h?3qY9ZP
zWydGJM802y$X{VUjB7J@!Z5dZU3z)%pG0m)J8oPs?UGWr)viUwrrPqqQ$lUq#}t2D
zEi|<q@Omyns53k^A#<L*$8GS2LQEEy%RH1IWwydJIEkZ?f7qnU$dzN3>=BR2ESY+n
zr#QFFY)zb>R**}1LiqM`_-kMta2gz_iFqJEmk_csZiPnUBlY2)98o~sNfWOOZ4yku
z?)HFc3zU6zI$qb6nt7V1`3b+`e>&~~V1j`6mmpCrbud0$sjt4l=LE>(h9^%PtCypu
zM?hi>X<%U_Oh;!L_<Lw~AGjS1k2>hye$RQ_Vp*XW!oTRe=Fn|z>4y^jBGE3DIl1FC
zbe-k+*vepqQeApK#+Kq<DeDvBn^kPq%*>)~xZ%CFSb|Ou9ugh53V5k{vZ>w3T%?yL
zq5`T6G5!7U$v_ac)|}o05xaX3>akslgwIRKVltipbdUu8YE>x$dKyO<d>`S$qxp!t
zpV!}|ajkfdCy&`|H)J>5c8gIzex&q$UiFl=;@nJDAqv57j)mzh4IMFBDzQh!o=2v6
z=SdTsqH;t8PppDF%u3u(CFm^9<v|eGPA{E-PrRD`9%^*Pp}QZcPgX*@?(uc^o**yU
z^>D|%726fusPLPpxP;|*+#x>zvu#Y3SN0?}ESt$_tWH83fJynX#qBKXLH$BqO*dc7
zx;5(9>w0;JYtkM+KzgJECb8giV$n*k6s(IMlOy_;4(E2G&7zLDf}5rR(rM~mB!*sH
ztfRos_;W5nN^f~D7aTiIN}2tsUW;AvJ1!NOLAe~_`SQgiE|#vidONO~?<kHqLAozT
z0?vBbye^{X2nV97Aa^G|zcjqOU-d{c%+~uX7e9+x-l^w~UFO#=8}+q*m=EFy{~)y~
zBw~CzdTun^#<tQldEeixx{9d8Q0MQXQf#A5$>a?5U2=JC`T2+^G(j<+MO&)ho)4Fp
zr8DkvsdjC6Ki?~+RUH6=Wz*k?SBh(KmzpIoym`i2RkwBh6`U*PB&8+u)abrcoZ*B5
zn*0O$ns}g-gUV1;v))7`B%P7dTXlV_rjBvHJY=q7hX_6j<%wmw004Z2RX=R`pBY2(
zMxz79Y=WsY@-mK>EKtE!n`)u=`uuYp^@YT;ebq~lDOJl<XQxUb9Od)y3Sbp@04VQf
z9PV-(-;sjCa+S@C=w#)j23qNNgfeATi_rMb(85MKsIA19tvtc@s~SADdQ8gJV@tm1
zh8XC(!CWt|ppP-e79O&2PGz_IKt8r>HkL^fhaeG<^SGQOEY}|l1E-}vhjO9I>B>yC
zE&;ZHPnK4@i`?6R??wVp-8vMeVlWU^QfhZ;dD-Xa4w0)QCGfr}rTub;m$NCh0(->^
z$rW;YOKBk7B$dMc_(*UJ;k<pKp<Oyl7au-o9P0S<YL+7QAZ`RsShgg^ZYLI-MW=WF
z=y`kuZAHlKJVUQRL?XJ^(t5ekJF-IPz+Q_Uk!c&E!+wH#xyzkoq(nZ)Ft6apJge^=
zhr>~SEiOGQyUIQPYk_I*8~5-M*WoCD@!(TjIvm$ZEiE#de1*)uFWkT$;I7_S7;=Yj
zl&{qR5{<>90=16^>!Sa3DPH92bw;e@c;e*xaX&N+28y$KsJC|}-`1Bbj?^T#^FGEW
z1=Mh>YM+<h02S*a>BN`DWc^<paHigLC!Q+yTHp&%LB?79i$#s)NrLscY!Ld#9Hin^
zdC{c{jCNBIK%Db47G%hGvsdIR=Urm5q8ZZJdOo#_j%getgmC!2mJr7i^AhdQfQ+i~
zMHrKvtx9~lVzCq>j=^Wn%jLs5y*qeS>ti;vlDmi9?zhiHT{jtJmBq0H$~%Hz8c^9!
z7%^BsV-0zKK>W<SJ1*4TY#smF?po5$*I+<~eSf18gxP<rHQnL-Mb)q*fq=_NkiGg#
zbg*rfQ-Hxn=@*5TneX#4<ZE5|77tIVV|x%74q|kP<Z^L9^TkLw8igRG4~^?N`C(sn
zQ}{L6L18>e=-6DT@*Lgu`TN_u-MBV#N*CA1M7NUl`1spBg7-@V^O=J1m)G<2aySa6
zOZ|KA&$;tlQ@dd>8rCXKB<Y;a+-kGU#>;)~M+tW1qAuc?fwzm{J=x|ML1}T=NZ3r8
zn$72V{Q=n_wYZ2Rq={#9ouN11%W^J}2)eFan!t9D(W*iY4VF86qIa|i@VtILg!i3y
zzdpfnA+ZG~Qbbx_K#Um86?5-Uuy6YScW<GySfzPAOzsv>yiqWw*339cxb9c+5*)rV
z#g&RE)qc3@&adUc>x2%c+|Kb4SS9seQMEWd$v>&<9E65Roq5(GNXla=-@N6%Gu$se
z-R}~U&m&{9AfK@{%}0n`>w%y(+9dgz`<3i4VT6e$meXUj4Qe(XgXFUV_{9Ybw3240
zZa|)6e@_8Hzr+_s%DoBA#uNsDhffBO42J=fLqhlOdDexV-YYcK<!#Kq`|8U!wlRy_
zhUAj-IBYc~k2ER?JTnc(H12PEi+jWV-VUG2pj6fA-3+&5y!S9|`-1UGYH1IqvSz|F
zZQLiJoFa3%oRu&wR8%eI;8PK`+eZfHY4)(@+y|TauJcp%p#tWT6%u;$lm~}cZ8n5s
zaC!4!Y37eotXHLms`ywxBpgv2Vq+tXxV86TR0^Cuj!+Q%;=K+P=%52$X_~rbMnQ4@
z*|?~a{Prp(zLE6$j3j-3w(fwO_~QpM8H0)v|ND!KMy)~NS__IgHT&3Zm=q(o=1|qT
z@sEr6UyRSj0|~(vKf>90K-6cA>S>c^vAmA3o&%5*H5GXV<uU@cX1JNJBNbHW^eG$|
zNO91LWX0lC<sLuM++Lf?A8*-(!30{}pD&ZuhS`6m$)_?9ZsG27JFB48zNjqYL|oQe
z6M7w{WIUn@yCs~?i0qm3uv3m!RfjXwUjvtxiAa<6Ig_yC$WFG-TsW{xWh|*sfA>fI
zh?P}M6Ix(#9nuIm)KvknuKpZFm+By}JJK6~N!Ostr;rsNpJI>3{wkBN-t8|<`G_5;
znyr-4Uw~s^iZPW*r((V4J@E=P^b6K_^DKM7VUN{fMN3=JQ?dAan2-Zl!ZJbrrFL_U
zH|sCg?`7z1n)=!1oLJy2uk*P?MZZWO`f^6!CVTsJ5I{w?K*8X>2yW+Q702>_^0k<t
z2@+<B9R}uWoks}E7Wt>)M)J|pU@?UDgB+|>zs`0WY=0y#@BRWtX2dgS9@1v>VK7Qq
zSkN#U=4W5PS*Bk9=s?eWKO}VZcSzcB7;TBj?(A^Fm&7CaD&^*!s2onQgBS(@H+Aa|
z^-(Q7T+T0mT0>bg&!dG(8Uo)J{;)w%=UJ^z4>}InCl13+a``O6?uUU-S9hzv@dJ^m
z(nB$LKXu>sQXTG2xX6h4JY7<|ygkRBZa>*iObKpi(bw=Y0LGE{V$$rc&RO)J14N(8
zzSWxSG2bquK@H-IvPY>25O`BcAm@1?pbVVQ(n1oE-=ef%%_SYEu0Q;;^_`wP#Q!;R
z+%i1I66R=L@^kMY{yX(5Pd_PYE*juN?UM*w-l!wWiO2V&^XWtFH=a;hCbo+6JR+P2
z>5vYGLjxla)g*%ME9L0890ALa!SahPS~4-&ob<Z@`GEVlfuA`<yOEQ)VX7di-(C!4
z1B5uk!dc7?T?{%9)-lh5vDux%*~Dv(47?PUnQ@tj1bl9t`>V2&1{_T-KSVpqo1>z&
zEm9s(Q`ujKe&_}K7;5(%S};IC8$5M7oBp!U+vutW6GDR=)jJBGcLoR6f2YmtnsSFw
zJn4imWA?d<j6defkH?KagRaHN)D;BBR~BW@QDwaP6-uIY13frR)_YquYI+#}I2+DU
zZ}~ySBqcAM5^Q(9)^Zl1t4xL)Nxu<_E!a><>%_t28Q=88L-|CifV-<jdi;p<zMt<n
z{$QG;9B|Dx42~%$m(fVcWFU-*FfwrNbH7;!^shhe61+zZ7{1wH4(7cK`MyZ+Pw7JM
zT$VOiuYT}-FQ?`sW!<)8VnV*_emh=tczr_12G^2Ieeng3Xq>al(SpbaB8SJVE<QzB
z4C66J6(y|V-n>HCw2Onu2PH(I5XXY+0A#eHZRUr>T4WafSH(#o1Sy%Z(zLnCO^}~^
zTyom4Aa6r5aR;TuoIo?49{(5Guy}%xXdld*%r~Wyv&7QUu<Capl0t|Tuf$rog^7-B
zS388(Nlt!=h{uRat6ML_s82?aAu)$ZN2L95b^--ela(?ANl|VgK8)$nEyH_6NsMZ6
z${x;6vMfr=4*e1$G%T-=CwZ0Qd5KPDeVq4EtJ6yZ>evk8kvV_gGmdfakh73ATuSvO
z+!#)el=0yZ%0*iDAtXIOHn^O#x7u1zw(X~o?2=C4HjdE``gy7k4Xv0Y<Y#6}o+4Y*
z&~d+z0;H!wn|$yCt`+ckGAiZw`Rhyijqp)P47Mk~qK@w%CqlG1WB8|Wj(kwzFxW!e
zA)ZYp-O8YF(;c)SU6YFQZcnSqiicwIr@<T@<wQnXS;HR2GWub)i%L$8$K3$M^hh`3
ztq!Nn6-!ReL`eMp!JtkM9R)Q}_w`6_D>8WXjBln$&ayP1l54~B99*Np3<kra>SlYb
zCAEJOUqbd*)mK}anK^SD-jR`?xL!WA$=~~&^0N`M+oeP4*O8|#ThGw9TMS@@W!<8&
zjMN%Le{$^du~+M6;xP_**8G3%on>59-xl|Ykw%B^Zpi`Z5{7nYkZw>AL`u3F=^l`j
zMpC-FJCyE{E~Vo+-h2Po`|^4He4aNmpIM(XXYX12?6db--``pj&;8PhOJDxL?)c&K
zQi!I?QK&oc6UO)0_hd8HC#)&^t7|z<4)aJv{W74J4i>PQz;uuGsxi8Bc1((MXTDcE
zQVNgETiwbJ4^fSdv)aHsWE2&~mME;0D@{)p9oH6Dn#`d|eBEP628^0HNSR%RZ_Fy!
zpz5Sy(l4m#tn&)}`I9a%^KfFYOfemC0&=bH@4aH$!=)O!g_@rI1V)HS%mV81ojlzx
z#goX(G?4!fgy&?J_$*H$_WFX0v%6rqqK(1q5@B@PD&0`;w^_e9a$gDup+wj=?Up}i
zyz#!k(f8jTw6Cbtf>LvWrXOhK5=h?DBV$>Pd}snu4n5g(DjdUNGxE)Hnx~oH18x@?
zL8g+OQ2yo|!$v&3=ah?#{z3L;POOlO2z!g+Mte>eN*3u*&#$geVLx{^GTmCIL&Js=
z@et!q5xL(#EoKezNZizfD@tjNj`=+BTu)^_u)RtePn=R+_B_u7zwl67cH1$?C7(%3
zHguN&BvveK_lJ+ZCC03Qvdmm=O9fe(ZsZUXCKIT55K3Nj)Dg1Mue51F2)977M`r6J
zvg*RhmjL@tdnU%=G~;5{Dup!3utUQ=(ZqQ<&qCW6SFW%AR$n!cU9p!xBPw7uZc0^o
z^zoJWwoTz{8xGMhrY2T7*Bp$OkW-=e7N=myZRC$wbfs#3`?w)=_{-@dvxx)(Jt~sA
zj=YNYU2ILqEPj3lM;Z^N!XS+oii@cO(r;tFzQfzwm<mYIkpM=lA@huncF1}@W`VCI
zn?%Vl3IB{Dif0*lXw(8Ll1D>?|L{OZli83=B!kIPy$3>=?n0D7%vY*%9R*lUex)4~
zBNq9#A!Ec-*|WAG-rx&6|6rX`Zh|}AmSBYno0hGZ4+b6ODf3K*4|ANFM;7lcAi0*p
zLHBvQH@eE*i=JovnBE`lfPr0AMYCJ$6D=Z@;!o0iMKly<R!Q2da0><MJ+KjJM;x2o
ztxOXceZPYCx^NjMN?cbfV|kbQuBu$F&UAwDo>L%0lwVlR%9+8+x}>2CLp@q@mX^-$
z5F)E542=4#Dkh@g0tp1O82(n>)sfYQLF~oEGy%W6o~_8bLJ`pVjLgrsN9vcmw2HOL
z%bFi<tS7%}DVs0d@m%l<(u=w~jp5u43Rb*IR#GsurOi1j_wmw-c3ep~Tw^6V#EYh5
zEMY`^Td?^qEnYaMfP_GCTfasZd&w@c>2U-VDuyK=Ws67n9LO`Nox$#@4+&8xR<^f%
zT(;pGvA!S^!D@1Go-VXGLK_soh|A~?#@6)DAv2?yPQ9upn^W+E!f0Q@mC^;u@c2<B
z(i?v>;M!vMrrBwFKVW@xco|&3HVZ5y(q5hxKZr8@5z?J0<pW%=v0!v>ruh=Fm7I^d
z17qju-y}@eS3VPdx?w;(ood8_ZrZ7Y7yj14v$UD0PU~$1sB%-ZFzFW+Zcgs*Q1nBY
zz?ncT1#)Tq3Z{XfUY1;}_F3vvh)K&_#^U0Le1pX&?)&;9mR^f6IF~`a&JZ7(`)BI#
znC+2j$s<Wv&aX4FHVw`9EbBIw#5ymS2|wTemNsZW9h)bB5pjrGX?%G12mv)CAaYPP
zFsE}_q{bl}Wq7Xt#F<^+FP4-w)3?uLMakiSU)NxDN{vY`i-GcwgRFxTKJFZ~#4NAK
zymwFyLq8<m$v#!jP*0wGTEE^f#q-{2i0^QVa5CW8;Zjc11YrW)Zsw<|vf^vKRy4g=
zff`snQS(|Fr!4QLA}NG*4ZW|QfGRVRjUI3KRRoXr(&Rd!xIH#Blss-{QiATk;CDMd
z54t-Ei@TkR#_U*>K@tHd%z|?@)^&GVoX7nQjyvByRHk=^_C=!U8B0Q|M%?;1mL@uM
z_X&Frn0MhP4e=~Y1EnXseM|MR=|K{vk~O}kct<HD$(#lVVJX>opd}uTe3FP#zct*>
zw$xcr`1Of?=}I$6fkcFGo$UlZ2Va>wxv3<|NLZgq<8b;8-$BB4ip$v8F6$vyGT23D
zsml6uiB2n9U+$2#16O3bl<dVl@C4-BXuO(@CrDOu+Oqukz@zfoED4w3)187m81F{L
z&8X$_o-DR-<aV1?G3d=U{#4HO9odhPX=)2u!jBo@WU~;(B(i?5PyvcKSzK}33K_`_
zU6xhL#SjP$3_T+ta;`qkPC<v3(UWnoYq2~K(OrKa_Ql!U?x=~6nH~8p5vExR%FC!S
zjJh9b<ziDWq;`Zw+aJt;i2gNgyNwKoWCIDE%g^nxV7vG#jqV^j9vFv6o#{juOrm&k
zQL#pP-?@V4(h0FW!C>C;$UsfQv@;~9)NIdT%saq|)l)O5^2$_XDZgfAUo!SwQ6dbT
zi2FVmE55AdrsIvd<=uL5Ubx2A7*Pb()fa_CE=_1}1W6u7Uy06&X+Vv7V+W~ApvBE`
ze=Nk|;qFPj<+7x&bqNRl`MhzYBOSr<?o?(xI$m#AdX?U?`~EX(6Aq%eXCexIZ5P_6
zouu5paW>I-3_34To-@5Xvh4fL<k(IzgA~2<A>o8rY4j*a0hzAgdJk4B5{xHau87;A
zg#v{*`^K|uvAWbDmCIfXurH-k$vGT#pofh0tT@>*S{h~s=HNPma+~~FI*!H$9p|!l
z2TeqGx7V`P-R_#X{bL+v0xnGuo+l>C5-cZk)2n}UYtCUlCEwoC>W=buVt^#CsIpyA
z@ITo|+An!~)VTpaSB}uXO%7zS^(4G;nVVR|4Dh-p&;3ZRpH^>W6UyVFGHeivt@ZM$
z_gzNc1Xsm!Ge8xzA?<Lf*uIL9G`{UqjXor5NA8-m8BQe{2&14$G4+0LwMp-1ddB66
z1d011WY1;rf`vMIj<P$2eh|H$6SPrW%RZxPlo!-Yfv6Ny?V~?Dt~4d%h-jyENHQSn
zP`k8NzZp2Tq-(WOuacWSI5<3c?JE_05mZZ$<rr9nliD=0PN{zPxw!fE*yWT&;8Nu<
zuXOFM(@pk0>rt0r&$GUh#%j^(^Sg+kGRB8dvO|XNAH2)?z<mCn#8(`x-RCV`nzUwX
z^9}()52N>Gep_5vdpkzOS{ky~^mc`zhWMM&v{JGXd)plL!Ekte#)4M;=Yv<AEzB?)
zL*TJ#QF=D_sbiV&n;<Wx%MCY*==tmK_iIZlRXLJ-;{?v~WUei>La!W(K}VN$m%#`)
zS&;1EVF3n|+T|xKCZxtf{;O9M*u(^hpZPx&o;f4hiZb1-fL{P1>n}8`;6yB#C0z5o
z87+EEeDoQEsO(9w#_6saXV`x7uPO(~zzBz4%{vxV)mSv+t>`P04l*LnWKN@4uiFc{
zCs&OedlV<6d=ZmyJnvQ$WN*rzk?+Gh;SmwQoUrE9uP2^MM`sBBIs?W-g?aFT29c07
z8s7!a;Mj_fAQ+czGxMCg@Yg3}^Vk(Or`+bVRVRrC(5SS6sZ*#M`b#I13GgG}35iJ+
zJ6s?vL})ws&)Y|Iw;<NO`N@BM_?JzD3Q-*<(uQ4%@?WkuLk(~}>(t5T|H5>C@Sv+0
z0RR5~LH{={pj3u=dU|y;Av`|6`c&Q)9a<h5{miiR5ARHYW~qf{R)-a9Z|(?r@#=8&
zEwP?mJAa{3Ny4#wEiP58h0%YBbD0K<*_<BsZ1agTGPke@Tb<yZs-oXF%s0<Jjs7AU
zD~pFmB~EpU`8&Q{$Zwr$o3quAp2?h18o6tf8@MVbrL)}33q5b%4AHJ^K5nPQ&+V5H
zUV92pfSHHTntv<c?JhJbWJLG7`AmMe7z)}ia`S%d7N_TwA4`ZxfXTNdG8QGPG2k6n
zai2)jg!kd%#l^J?5zsSpYkMMl1`UQ0(lG=bAUW65oLqsqOwX<=YK7e>kth{mXqR43
z;}TOCQdAV<l$nNF_AfCMl|<s<zMdc%kOG%Hx<;Ih+Pd5Qc*ZQ4SqqIA!lE_uK9QXs
z3GmqB-q%ffL1^5lZ<>C<Z4J0HtPck-4!ojbR5V>2cZEX2V!w}i@dM0!{^xt=issL*
zKsYCirjo?+O58_p<kr`u1`y;~EQiB(aPUBlDEw$iS)tUYCKX=^fQ$Tu7!(0_g{jX4
zh#`WSBjI34l#cwgSFs7<EO9~Yv;O$NzD`5_d2JE>1DZQ8k&;B}Y!n1E_!PM22bJ_@
z;}b+d&9QK<E8at;#zoPDLVKns5=$GQVN{dYtS-eibNo-N41{~Z%)lB5VKKutjaJVG
zpU9YY&f=nUE-$<3abv>w4&1sy3i8^?T<Wg|r|rIlKtLG5zBuvzYv!_v%An>%xC(DW
z&0!J|9-caEa3{1z*W<|_-u{K86gMx>w+<JtTnpwIfMYf}Zwgbe(x0`!_EVE?50x+K
zv?jW=`_n(m2zewRmD=4tBJ3HTI%X6`T$WH$;>McUIAt3-t#NlQIbWk@Lpz!)9b}>;
z?Yw`mVYNp`aJc*QE07AO_qy5(hOxMG_!63B15E#1o9X~j={c$Pg;4nmF~-W-KKg<1
zOUT4gce>I3^2#-V`0`t;E(^z)Idu}G1{^NaI5M2u1+c5HFFy|6(ltR_V!RWd{E@-w
zS-Md=<Mhg4NA0gN;I$m{oG9ph8!sy5pBoze9}k;X%|a7#K+XPeYEgLGi;}j)uEU?@
zNy#gNCQP)?8XosM7oYqn=k_)r-V5V&3E=ftlL<}{4W@~~L!@IAJgsQMLUaL%q{8jm
zaPJzqE}zS{rI!h}ykShPG9q#&jo<7>U6?-aySrlT@_!_Q*pCB`AXzpvV8T64gVfg?
zXHbfk82X*^0{nmGNOgD_J#QD%nO8S^W!;u7hAHo$X||gGy~4N2tR&wwuAenoZISU!
zLX>qKx<?qZEC0Q1(yWRC7r<#oZFTCu<P?8Y5tPxsIC#+?B)|SwWbyynLGeg0vZJG;
zPpB{vtNyGP7TAbUs&@zOgx(%Y3K?hue8XIWco`0l*|#EnVrTTXVKX>*Kye;o<`qxj
z6wH%hNk2+*T-wC18i~~&mzx(Ot^@u3{g*cvJ<sS?cXmPo^renFCUg{TGB%A}PuMJu
zDIi0+m0YHGDjRmqs31^iTU%RhZoXW8<X8yA-+*4`K(?r;D0l*jCVJ&7U}0|FNtwtg
zOa;Iq&EnTn*N24L4Zo_ZQL{w0T@0mR{{GNhXtM2Ov*v=Q39Q~xueQX9j%X}%<PyGU
zG#wrhCl(OgzZFhoz8_o@7nhcH3%+ggMFTx~G6Ww`r>C!`EgV30i2H<YvGYUG;ozhL
z$*{<ioDiR!4V#oN?#SzgRSeLo47GR^ZRMPatGp5i$A-H9&U@d-q4w38V(rTx1q+a_
z&rlFWm6+S);<Jje{8-cG<0~~?&UxsoI&w0<jvRrDhr8LHVc<YY%)rFtCXV)`#Kcan
zP>TOOV|wF744{*cKghmsBxYaTjXvZuiW&0t#ZaTE@L!bn;bfsT#4{^gSvC1d<zl|E
zcl`TzrRMXQ$mVdk@uc-qc6_yEdOW;PYHOeFH`$8>z0=b_+{0mQF-2cx^YLvC5N`PS
z)1I1VXY-Z;)8qvATzs~5fCy2ET=VNp%#8Q-2ZxP40t$`MjsbZWi@u~thl^?Xog9Zp
zg(q3I_bA*pzg)v2qLPjYhZ7AJ_+B~0DKfqo{Y^_Iw<6I+Uu`PgKtjYsvb(F+@|yi)
zlWhl*>EluQufv1|@9tAV5(4%X)Tc?~;|jP`K2WC0y_!yf<kJ0_fex>x!4{9yb7<b6
z$z;77=I(@x?{tx#(Q6JJ>IJ@%_=JRSb!gbVNX=G5Kh!E6Eaob$pkeG9d!{1TRKlvb
zM~iXCgrn-m?eU}{!1(_(f9eY<2NT1Ql?Rg(yNdfatvLI`%w)|+TwWnOq?7k;K6FXH
z@zfNGww+`%GVLTlo4IfBauCU6;GB`Va4AFnB|wTZld1fpuHc!f!efz2w!akbJ6a&p
zbVTC-N12Ox9M)Vz%Jd36>S_%LR+u7W4|=ycPw>j(@}g7*hM<aYGYJnHlf#C6BYRz*
zuu&PJ;cp9Gl0%6mXC<KSYr73uN!*v8p&}OH-Eu?!s;2m(T$h6>ic(dCl+TteKsI7R
z^U}k|{Z*d<3$|Nyy$xDI+^DF#eADO>K2@<DE8!StRd=pJ&E7kr!eDkiE+%D<taBn8
zxg$3gmw@`HE|KKKqVOzurSg_MEN%bPGY+NT#4$;B#PQmzoN4=<>X?@Cl6BX2YdQr&
zyX1Zuu(_b~Iv|03u}N5&I(@^<8z^tYJt+l-yJLSb?=P%;#=<BP#S!)rOvAmO+oV76
zrYM(Og+?Xd^vvP50(y;l1!aT<KoqswK3L`{tYaEo8x%q!EKYkRk;lu_iFU_pghK~r
z>>|_0%H9}K2;UAlTm`=yXott*qVta)z1QQ4jYx{LZcP>yj(}GPk5h?VUlVO!O>}+x
zuybLv0sCz}eljshUc4*Z_V_{Gzfps7fa5*hQht2KV<kDV)j|_6xiK4QZAN@e=<+@`
zMM;`E?Ee_SbwqWYSK0E9afBAwihgeyYcSahFCQdjLmDhLl}y&h(wJ_t)7+MZrPV%r
zimmxE)Ap=nI3y8DDeJFX6Kd#7%G+fz3rBau#iJzBt&EFe;MgPa>5>*C`kYoL@VHgG
z=I#AZ@9o=LoC_UcgPkgvu0Qo1@=`I#zuzoyIQk{ez{tO`vG{D@wDtL{Ws{OY9w0{$
z(&iaQsI&9*f`OT`YsV9znUr4hEjQ0Pi)%lP&!nfuVeGnw+%V3qwxD3e{p?k=m{?2!
zbYYEy!_7GI0~L^sk2T-W@vxb)yrHJKYT9ry)UBUh^`mR|9#xU=qfmdXiWlmtBBDhX
zvhKGTagZ7(X5@2Fpy)R6*gq?KQ%RN1x|H<O=LKB$DMbt&>gCWcEg#0uGjVX6^G0t~
z{C0t|E^uKoMu6Pe@vrnf-gkot;Kuo%W*RW=Ns{)f3RR9lQPIP+J1&fX5mI6vg(XBE
zFU(Esc(o(>o~b?E>7BgNGQ+B*=X=$%5xefYZy)LRUwdmYhM}Xo07|MnZw=`CDzcd}
z45Bgp3UYB=%qNve^Vr2=Fs>5`w5~189gBtDj}C`}7McWMn#9xEqxKYyPBWEVf|0+=
z)yp#|>#%Ii43m$(C@s08b&*&m%h}oLH_?8rXfL>J@!Ba9GU7<#mn}1Fj45r!(Yk<)
z7690e?bMzh<GYlhGOYhh$TVo#V-=ioJtyn%aIh;vfQ}?j1eTXHd(p}8f-%5Ao}QG3
z`jgb=Y;2bTjJRg0YUQOxj8?h68sR`xry1dJsvk-tbLoPMRQrKSB>HTtRf`fMJxxN!
zKtGB8M|{5wU>YU9<I49OYZooM`Z<|pp1E$}XLXPZrLLMO)6-hF)px-W2UiN$eSr4N
zGt875O8350$QG)oqZm#^zn!p?D?SLos#SW`#8iHFr#RPan}`!HLYlS_8=Pboj)5l+
z6fqLc#<eNvP3t4sx}<{(T7^ErW5Py39lN=sV>x*DV_|$_kn*Wh$(>iOjBEYfW+cDG
z(xpW_T&3kLaHA(eX`Kv8fy1c*kewtPicJEs#nre2-+7@ZXg6yVYv_>jTca<ylZ1B=
zI8fyJpX=8ddhuGOozDO`j+Y}`;^H?r#O>jLg&E=qp<<AWCoI)iYjwWnK1$BoDAD=)
z1J}bi(`KbwqHjLb9&c;hujQN7$n!$>y6?!~*EPkXju9le$^M8nK`a@vuyMC~+$_EJ
zMCZM;5B6K#=u0|+IG{M}o3xO~4C*=>Eshl7SAIj7)P}5IymKScf3cCCeqswcj*5sa
z3I&8As)-x)UuKKo<5WcW__P}8xD((PUI2cJiQQnbs=iIawx*8Oj0GZxKk!>V09b5}
zIj6Ph*Fh;;Ja%Sk9BmGh7<+*-`JXkXFjrx2jtXaH7ap;=A2-93+%h)H$8q`Ec>y7P
zdJ{igUmkZ?DaRC;f~g$l*0NH*S2Zy}888f;OM(j951jKpG*y$-LP2WGQ{#diPl<)d
zStCj3Q5)v7KbMQ(;wkhv#ZQ**;WrAVByNhOa1+PuS;QxmCd_`29$(M)@&JSN>NQgx
zpDDZNd0}7;2I1KBiROZu%({gtSM0H#QVC0Z&;LG@Ozp7?=O_^=8V&M#J&Jq)b$S#G
zG8gBUsn+4Op5d744jiK*SkgA&NGl-MdTKUaXgI#rWI4*;Z!1DSP{Cs3_@?;cr?AQZ
z=zDl7wUHU4qUz|wp;o4eiR&v9le?9E^mwO-jXNhIbN`uAGzYxsAo@NEqGT8-J6)Ii
zLv3*)<OD&ZNY`L{<W6nroB-V04r|D`N9hmNWOagQYD<p-vJ=02<p?%*&>j-z5>>*t
zC`utX-KSI*P1yM%)~@w(1n1^(5uRHyLo<q2F-0unj~Xqixk@+W*Twr+l}Vme4&!SE
z+2UX9nIkM2c?@c7Dwjh}@nMnoclR!vn-e))D4M({@g$%Z7%v)gGTn85VlGy?<>U{l
z$urx~35{Ln8c}rdBY`5lZ3q<tJzU<;NW^M2W8be*_<8_pAWe#_@ILi@Bk)}q&PLp<
z55*+~D$SB_8vW19<L^FM!|A6CH~aR7vIocF*Vp1uh>n*LgoVng;)Pv$<7EP%*?0@}
zco=4(_#6e<A|h}4xc8%Luaxq22>bL2We}##^_M4&q5WcWm@DIbE0hkNWae~2TeRFy
z8yGqd^~%uuu0_CR?~RAitR|cD4i>-3*GevP7HO#OP+FWO-UmE~3d0ta8l2YBq6!xH
zKL}CnO3tW<h2aLPZmcF1vpBY0tChVxbipu_tw+dLJL|}NR5lQ}ue{3Mli=-Qi5?uJ
zX)vRyWLR5GA`h<|->D@ViJ^J1HfQziY9ZyD&&*SByRqB5J*P-^ok~|keQ0u;9{$yL
zV7w5&oV7E*Q#xQP0Y%;fRoP9w<h92jh*?A1UK=#&Wjfw>xmI+yd67@4mcPE)FXB_M
z$;jwb86*9p=Qmjg__aS(6h#2rr2VDJr0KhZXfWB!BAef5dG1&N6WgBGML_8)4f#mx
z=!9&wJY8PRx0V`wr3R&-9l&cD8nb-nvj($#ms(6IC-NDBZu%P@iwnI)L>rF9GldLO
zhHeI7a}K#hZdJmvkj{3C$2{@RL0)ljOt%_F2XyT>eYCxytoS!hVGOs7m)pj#=NNKJ
zrx<n*gFfLhP28xe&S~aNIuoOOPv68<FLT~?X2_2?{=(_q%S6>*Gn7oJ_VgR)_LC2x
zI0hpc!Rfd@8^NqHBO?T`g>GprR<KcTEe;fAKIdGp!0nI~@@}?1?7{K*K+jtCy@x}$
zwc9sSwXaHnjXoryjl}km8tQ4Cic^K#Q;NSI79PLaGeoePgd)~i+9?=z2cDajo(MIz
zy<!I~aVy1SqgLxII&b_6GkaGDY!5zy*Ici?cWEg?IGZ0Fv8_Wz>y<^3M@2Di_UyX@
z2{wx3Q}|k27bT`GW{*4I@xB$3QQ4+}kV_7l2>~ps*&GbAET+w}9~46GE|AS$rp0}R
z#{_cO27SWbKwx&O?C9@r5FfmJMOd`YjL&Kose|aYwrvtYfhLRkrNb$Y^=;AD5bTlT
zJsFwZ)$C&zF>TI(Sdr3-_i{?#3<Q6+a}2yF_&icX6p5nq@Jq|P7|Z+m%k|!ced}ef
z7LiOxd%yiw`_hx$^i!MzE&4^Lb3yu4ZYML?xV{^gZ)6HG)~DYWo%X}_@>|_339CGn
ztZ$9&z!#7(waMeM3_G8AO0OFU77CQ_yN(~@-K~?zAgU3*&+HvAh!9G6cpkKwtJFu|
zR?uBKXA8;RLX(}`m^mWqY37i%o(3E?oH%mPKFxr^-c6U}9Z?ilV!rjkp1DF!{GuC4
zYBwRmZUWC)_PD*Aq#U3yz**?G5r1y2G@uCk8Mc~Xtie`JZObio)Of*P9Ji*zL^OJ%
zizjKB*?75IZhI4O>uk+Od>ObVB1;6`+3X|)n2@-Jd|9V;078Vvwjk(>Vcb^ujyw_)
z8<i&U%b9Nms0W@z$Tj8#ad=N{2YnUws$Z`xS(V(8m~|?;>ejvw=|9{G4HV0zXcqI2
z3x;OwU__S0LfD(%fcW}T(R79g@Hfk67+-C5clouy-J)KjmwNN64lnOp+v8~|dHTNU
z*b&Q$z5m*$A7QBLjyz(%Ul$&rrsibCcZ~I{gJ$kbm05b>R~2Io$>92%jO&RZH288c
z9ww71N^9awC-oUh<my}5L3(u|v)Gz$#hrGuX~iEN?Z#FC+W90@Z3QU2E+x`#9g%q4
zngYEw_7Uj<q~Y3p2l|n-$j|Mo1=HXZNcx6$1LYYRfOa&>zAe_(+ymHMz4{KV<+&AI
za6?2x=24MXX#lh=(6#L~NtX+vOti}_(>KhT^8}Yf{zCa*49xa=Bdr@#%rpzH$jz`g
zSC@^_rsO<bsccVrwF%!8<JO%BeY9AdQvdDc?oKKuj<NN4OS`~QPR|GwaQ{N*TDJPR
z^!j(t!C1p&aaiF)K}LF+nh^hNgZI{_o39=h&^=Dl_}IR$NgN4)`nS-t5lyUSh-fqi
za<{f~h|*($p#P#Tp}7J_XBLv-am_25iTgEN+HmTntaCmy@$C8AF*yt@Rswh#7cKjO
za}1~071`vsvNz(H1#Q`}n;iKXpjj&lEh+OZOOQv@c!Kl|UHX`4ODn_mU4%4CbVvEM
zNq=j1<r(?61p!+Z8bkjwbR%)2Zd@m6urU$wgx=Z6TdHCQ6-p*U)9znN9M$t5_ewmt
zRG+k>_Q-$J?~kj1{7n1w#;v=5*QomwrW6N#%G~cx@jE2FZ{-PxdVD`~kJ-r6H!^=&
z1KA{zBqpCnBu<`VE>yhxy(h#7Uz2ADWNFl&?rwK{DeVJPMojI2_V~Q;HzM(`aC#t5
z@4C`S&T#tual9hb0<-md&wWg+nUk4VZ=F44M7ylxDq@BXkrrZNk|o4H3gmQDap1Pz
zofsHs$LHebxl%xAJj{kWfd_+6zEgCh=DI4$Xk&S%6Ad1mnw(d{xcccC&~}QcLOJ|G
z_zQ%p%?}tA6C?);8}Nvc@AdN*y7&P`6sDarYpu*!d_t(fjdr703=DT^b1VU-GJfFi
zaiBZzC&+VGSXhA;jX6zJ>3tp!CKm|m#Uv5Ke$sU9e$twI7!eynSgEWkpPO}@Ip5uq
zK-`E0qwo~QoDyY>G3}Mu*j|jkt<>EV!~a#4JcFKGM$wqnr|A7!6Yl|mzAs6baxuhT
zubfKIwf*ZxBju6kGcg*LHE#iEWhA0Ok@tf)DXZKQ4uabafQiNGsF1+dG+%o+Ct~W(
ztLEQ1L{TFG8*gmBNnz&FRp&MG-uoK4!k=%}$Yl~UIE-bBJ}kAyKR^FoJfra>@{<^{
z4hhkKcPIO9ikPVJEZRpzZf&?!lB<2kG9V@eHH{83GD;=bQrV(*2vnqG`slOqj_w1S
zB{LZ`VUl~BJKoi1e-0|Ak+fstkHgedd|+W(bQB+9UtGeDFV>+Te{t9DYSx>k<1E$V
zRRM*QX7MG#Bfqc65@N(zy=aypCTC>_FTR6~Bx(oYB+m3lyB(S^3^kjU-5K^U%t(g)
zLF`C@`cS4YeUaR*&-OM2X~8^ihZ0uWX3GTzVu&59+RpY;?T!%-l<Dg<aWbVJh5FbH
ze9?a@)6<hj2a#MJ&0GXu(%at2BXc0t4>=hIT?BjZCSDrB-r5P;fAP=y9GCq;^)*tm
z`sZ#0<x6;ZbA@MG=ER|74=s0N?ELg+mGy@DjSE62RG$9Cj?pxAIemeUrFv&<h2A9_
z(?Mz8?=&3i@~?qhqN3+?L^B7%5iHqF(c!cl%z`_Ri`a0_IKC*sqs7CADUQX3@HrEW
z&xOW~@vEKd8y~xKD-bqa{seujyb(?BGHgi+{oz`4D)J@>2j}9~s7nZM*)<Tkr<yT@
zk;^-*-8}3~LT=W5wrC6{78cIsXQJ=J)VNV%qOzNN*W<lqn%ZboCebR!s*dAhc8<=4
z7_-zK$JdkkDq{jIZm+I>l%9xrU-dPxlwXIfI2u8E)$-eysyrw3?<@7|Ug6)cAIB$X
zG}=3ft*zl)wxkMXM#tL&>35^gT7Gh(cyRYMQ7sCX$KE=>_bEhnQ~g-_{69hEEiA<6
z0*h(y!F(<`O_t~Lnmrji0Ms*OT1WZdv<8Cm3i=%$oU6Z502bQGe*)1ji)h+6pS^iF
z(TY~4sa*Rpa_19Xmi5e}J2y*?U`?RWotWxnN~GYL1%qobnr5Z?KXA}51e_(@Kez7d
zNWRm!PDsbtBRxLK|6g|KhYJOGLzsjW5rCQg!xR11|A2*hwE63Q8V9lnfhaJ91;TtN
z`9C&&fWY7rNeHj}1&<0?K>VHoCC{M$ukBMfz(m$*EqBQN<RktGpa;JUqXC-e&Z@>F
z`D?QWh=ZCw=+N^&SQB_-h5$_@5GOd({Ev+T01ThPv(i8OIn%#S$nXcd;08=`nE$o)
z{2?j!IMwHX_V?eM6q?ly&@DAnmHD85ek&q0tNza~<M4NG{dd>?oG^hHXhH!?p(*CC
z4WG!5NdX4r!2l(*K_5?8Y()?Lr=urGAZ{KWdX`<=q95H%A|kY`<-$PyZ3ScF3Lq<U
z>vxUUo4-BVLh~yrVUt%@j-Q@RP%Hh|+TGpPCwq5~Oi!KVe|4kA3)#xm(Chr0rkS7$
zl2a&5%FWN;v$hg@103JL0t8n+WoB}UaXYN9nwJ09v2HJYbLr{m3??U!)_8NKzupCO
z2M(f#pX=@^oAdu=#(vyE2m|O3(Q$8o$%cvTKf{g3ZTW04{CCiR<Sl?0ZQ`uXYW;I=
zUz!tFV2I9KPive04qH3jA7Y4Rcfk6Om)pUv&45qcnq3!`{`z?p=Z_5}aFO`ery_>H
x@QN5VAKLy;8)$!QNaVMJe>+3TiS$V2m6n(Bp-eOl_!|QRd1)o7GD&0q{{u&r!_WW#

literal 0
HcmV?d00001

diff --git a/docs/developer/architecture/models/alert-history.dsl b/docs/developer/architecture/models/alert-history.dsl
new file mode 100644
index 0000000000..c399229435
--- /dev/null
+++ b/docs/developer/architecture/models/alert-history.dsl
@@ -0,0 +1,39 @@
+workspace "MetalK8s Alert History" "This is a model of the alert history system." {
+    model {
+        user = person "User" "A MetalK8s user."
+        group "MetalK8s Cluster" {
+            logging = softwareSystem "MetalK8s Logging" {
+                fluentbit = container "Fluent Bit" "Service collecting and enriching logs."
+                loki = container "Loki" "Service indexing and storing logs."
+            }
+            monitoring = softwareSystem "MetalK8s Monitoring" {
+                logger = container "Alert Logger" "Service logging alerts received from Alertmanager."
+                alertmanager = container "Alertmanager" "Service deduplicating, grouping and forwarding alerts."
+                prometheus = container "Prometheus" "Service monitoring the cluster components."
+                grafana = container "Grafana" "Service displaying metrics and logs through dashboards."
+            }
+        }
+
+        prometheus -> alertmanager "Sends alerts to"
+        alertmanager -> logger "Forwards alerts to"
+        fluentbit -> logger "Reads logs from"
+        fluentbit -> loki "Forwards logs to"
+        user -> grafana "Consults alerts dashboard"
+        grafana -> prometheus "Queries metrics from"
+        grafana -> loki "Queries logs (alerts) from"
+    }
+
+    views {
+        systemContext monitoring "SystemContext" "An overview of the alert history system." {
+            title "Alert history - System Context"
+            include *
+            autoLayout
+        }
+
+        container monitoring "Container" "A detailed view of the alert history system." {
+            title "Alert history - Containers"
+            include *
+        }
+
+    }
+}
\ No newline at end of file

From 217bd5ab00e978120816a1b1a19af4db773bae5a Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Fri, 19 Mar 2021 12:08:18 +0100
Subject: [PATCH 03/17] docs: Add alert-history to architecture doc index

Also sort the document by ascii order
---
 docs/developer/architecture/index.rst | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/docs/developer/architecture/index.rst b/docs/developer/architecture/index.rst
index ffd5e0e77f..aeb173f661 100644
--- a/docs/developer/architecture/index.rst
+++ b/docs/developer/architecture/index.rst
@@ -3,15 +3,16 @@ Architecture Documents
 
 .. toctree::
 
-   authentication
-   deployment
-   monitoring
-   configurations
+   alert-history
    alerting
+   authentication
    centralized-cli
+   ci
+   configurations
+   deployment
+   logs
    metalk8s-ui
+   monitoring
    requirements
    solutions
-   ci
    volume
-   logs

From 0db7354310ac86e24ddd4a0531580e7a371c528e Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Mon, 8 Mar 2021 11:18:08 +0100
Subject: [PATCH 04/17] images: Add metalk8s-alert-logger

This is a simple HTTP server, listening
on a port (default to 19094), waiting for
HTTP post request from alertmanager.
It then logs the content of these requests
to stdout.

Refs: #3180
---
 images/metalk8s-alert-logger/go.mod  |  5 +++
 images/metalk8s-alert-logger/main.go | 50 ++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 images/metalk8s-alert-logger/go.mod
 create mode 100644 images/metalk8s-alert-logger/main.go

diff --git a/images/metalk8s-alert-logger/go.mod b/images/metalk8s-alert-logger/go.mod
new file mode 100644
index 0000000000..bccee28c4b
--- /dev/null
+++ b/images/metalk8s-alert-logger/go.mod
@@ -0,0 +1,5 @@
+module metalk8s-alert-logger
+
+go 1.16
+
+require github.com/prometheus/alertmanager @@ALERTMANAGER_VERSION@@
diff --git a/images/metalk8s-alert-logger/main.go b/images/metalk8s-alert-logger/main.go
new file mode 100644
index 0000000000..6d4f41f679
--- /dev/null
+++ b/images/metalk8s-alert-logger/main.go
@@ -0,0 +1,50 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"log"
+	"net/http"
+	"os"
+
+	"github.com/prometheus/alertmanager/template"
+)
+
+func main() {
+	address := flag.String("address", ":19094", "address and port of service")
+	flag.Parse()
+
+	log.SetFlags(log.Flags() &^ (log.Ldate | log.Ltime))
+
+	http.HandleFunc("/", logAlert)
+	http.HandleFunc("/ready", serverIsRunning)
+	http.HandleFunc("/health", serverIsRunning)
+	if err := http.ListenAndServe(*address, nil); err != nil {
+		log.Fatalf("Failed to start HTTP server: %v", err)
+	}
+}
+
+func serverIsRunning(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusNoContent)
+}
+
+func logAlert(w http.ResponseWriter, r *http.Request) {
+	var alerts template.Data
+
+	if err := json.NewDecoder(r.Body).Decode(&alerts); err != nil {
+		log.Printf("Unable to parse HTTP body: %s", err)
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	for _, alert := range alerts.Alerts {
+		encoded_alert, err := json.Marshal(alert)
+		if err != nil {
+			log.Println(os.Stderr, "Invalid alert format: %v", err)
+		} else {
+			log.Println(string(encoded_alert))
+		}
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}

From 91f3eb32938b64664f5c0cec786bb3dab75791a4 Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Fri, 5 Mar 2021 11:47:23 +0100
Subject: [PATCH 05/17] images: Add metalk8s-alert-logger container image

This container image is used for alert history.

Refs: #3180
---
 images/metalk8s-alert-logger/Dockerfile | 30 +++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 images/metalk8s-alert-logger/Dockerfile

diff --git a/images/metalk8s-alert-logger/Dockerfile b/images/metalk8s-alert-logger/Dockerfile
new file mode 100644
index 0000000000..823de2d3c3
--- /dev/null
+++ b/images/metalk8s-alert-logger/Dockerfile
@@ -0,0 +1,30 @@
+ARG BUILD_IMAGE_NAME=golang
+ARG BUILD_IMAGE_TAG=1.16.0-alpine
+ARG RUN_IMAGE_NAME=alpine
+ARG RUN_IMAGE_TAG=3.13.2
+FROM ${BUILD_IMAGE_NAME}:${BUILD_IMAGE_TAG} AS builder
+
+ENV CGO_ENABLED=0
+
+ARG ALERTMANAGER_VERSION=latest
+ARG PKG_PATH=/go/src/metalk8s-alert-logger/
+
+RUN mkdir -p "$PKG_PATH"
+
+COPY main.go go.mod "$PKG_PATH"
+
+WORKDIR "$PKG_PATH"
+
+RUN sed -i "s/@@ALERTMANAGER_VERSION@@/$ALERTMANAGER_VERSION/g" go.mod \
+  && go mod tidy \
+  && go install
+
+FROM ${RUN_IMAGE_NAME}:${RUN_IMAGE_TAG}
+
+MAINTAINER moonshot-platform <moonshot-platform@scality.com>
+
+COPY --from=builder /go/bin/ /usr/bin/
+
+EXPOSE 19094
+
+ENTRYPOINT ["metalk8s-alert-logger"]

From acc2e536d79185f6bdbcc2aafa3b317884b678ad Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Mon, 8 Mar 2021 11:21:12 +0100
Subject: [PATCH 06/17] build: Add build of metalk8s-alert-logger container
 image

Refs: #3180
---
 buildchain/buildchain/image.py    | 3 +++
 buildchain/buildchain/versions.py | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/buildchain/buildchain/image.py b/buildchain/buildchain/image.py
index 182ae6a8d8..1c69bea945 100644
--- a/buildchain/buildchain/image.py
+++ b/buildchain/buildchain/image.py
@@ -236,6 +236,9 @@ def _operator_image(name: str, **kwargs: Any) -> targets.OperatorImage:
 # }}}
 # Container images to build {{{
 TO_BUILD: Tuple[targets.LocalImage, ...] = (
+    _local_image(
+        name="metalk8s-alert-logger",
+    ),
     _local_image(
         name="salt-master",
         build_args={"SALT_VERSION": versions.SALT_VERSION},
diff --git a/buildchain/buildchain/versions.py b/buildchain/buildchain/versions.py
index 6c2007797f..2bf17325a9 100644
--- a/buildchain/buildchain/versions.py
+++ b/buildchain/buildchain/versions.py
@@ -205,6 +205,11 @@ def _version_prefix(version: str, prefix: str = "v") -> str:
         digest="sha256:240b10b07e15e95c3009da938e3abb8bef2fa47ea1f719ae58f7dd116bcb2f10",
     ),
     # Local images
+    Image(
+        name="metalk8s-alert-logger",
+        version=VERSION,
+        digest=None,
+    ),
     Image(
         name="metalk8s-ui",
         version=VERSION,

From 4a23e507cf4cf4f13af15adc073e69edde276c0e Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Mon, 8 Mar 2021 15:49:58 +0100
Subject: [PATCH 07/17] salt: Add metalk8s-alert-logger deployment

Refs: #3180
---
 buildchain/buildchain/salt_tree.py            |  3 +
 .../alert-logger/deployed/deployment.sls      | 58 +++++++++++++++++++
 .../addons/alert-logger/deployed/init.sls     |  4 ++
 .../addons/alert-logger/deployed/service.sls  | 21 +++++++
 salt/metalk8s/deployed.sls                    |  1 +
 5 files changed, 87 insertions(+)
 create mode 100644 salt/metalk8s/addons/alert-logger/deployed/deployment.sls
 create mode 100644 salt/metalk8s/addons/alert-logger/deployed/init.sls
 create mode 100644 salt/metalk8s/addons/alert-logger/deployed/service.sls

diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
index 8cc496bf88..8a5859db4f 100644
--- a/buildchain/buildchain/salt_tree.py
+++ b/buildchain/buildchain/salt_tree.py
@@ -206,6 +206,9 @@ def _get_parts(self) -> Iterator[str]:
         data=versions.SALT_VERSIONS_JSON,
         renderer=targets.Renderer.JSON,
     ),
+    Path("salt/metalk8s/addons/alert-logger/deployed/deployment.sls"),
+    Path("salt/metalk8s/addons/alert-logger/deployed/init.sls"),
+    Path("salt/metalk8s/addons/alert-logger/deployed/service.sls"),
     Path("salt/metalk8s/addons/dex/ca/init.sls"),
     Path("salt/metalk8s/addons/dex/ca/installed.sls"),
     Path("salt/metalk8s/addons/dex/ca/advertised.sls"),
diff --git a/salt/metalk8s/addons/alert-logger/deployed/deployment.sls b/salt/metalk8s/addons/alert-logger/deployed/deployment.sls
new file mode 100644
index 0000000000..5a7e1f0dc1
--- /dev/null
+++ b/salt/metalk8s/addons/alert-logger/deployed/deployment.sls
@@ -0,0 +1,58 @@
+#!jinja | metalk8s_kubernetes
+
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
+
+{%- raw %}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: metalk8s-alert-logger
+  namespace: metalk8s-monitoring
+  labels:
+    app: metalk8s-alert-logger
+    heritage: metalk8s
+    app.kubernetes.io/name: metalk8s-alert-logger
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/managed-by: salt
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: metalk8s-alert-logger
+  template:
+    metadata:
+      labels:
+        app: metalk8s-alert-logger
+        heritage: metalk8s
+        app.kubernetes.io/name: metalk8s-alert-logger
+        app.kubernetes.io/part-of: metalk8s
+        app.kubernetes.io/managed-by: salt
+    spec:
+      tolerations:
+      - key: "node-role.kubernetes.io/bootstrap"
+        operator: "Exists"
+        effect: "NoSchedule"
+      - key: "node-role.kubernetes.io/infra"
+        operator: "Exists"
+        effect: "NoSchedule"
+      nodeSelector:
+        node-role.kubernetes.io/infra: ''
+      containers:
+        - name: metalk8s-alert-logger
+          image: {% endraw %}{{ build_image_name('metalk8s-alert-logger') }}{% raw %}
+          imagePullPolicy: IfNotPresent
+          ports:
+          - containerPort: 19094
+            name: http
+            protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+              scheme: HTTP
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http
+              scheme: HTTP
+{%- endraw %}
diff --git a/salt/metalk8s/addons/alert-logger/deployed/init.sls b/salt/metalk8s/addons/alert-logger/deployed/init.sls
new file mode 100644
index 0000000000..4aed65398e
--- /dev/null
+++ b/salt/metalk8s/addons/alert-logger/deployed/init.sls
@@ -0,0 +1,4 @@
+include:
+- metalk8s.addons.prometheus-operator.deployed.namespace
+- .service
+- .deployment
diff --git a/salt/metalk8s/addons/alert-logger/deployed/service.sls b/salt/metalk8s/addons/alert-logger/deployed/service.sls
new file mode 100644
index 0000000000..dc785d7d0a
--- /dev/null
+++ b/salt/metalk8s/addons/alert-logger/deployed/service.sls
@@ -0,0 +1,21 @@
+#!metalk8s_kubernetes
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: metalk8s-alert-logger
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: metalk8s-alert-logger
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+  name: metalk8s-alert-logger
+  namespace: metalk8s-monitoring
+spec:
+  ports:
+  - port: 19094
+    protocol: TCP
+    targetPort: http
+  selector:
+    app: metalk8s-alert-logger
+  type: ClusterIP
diff --git a/salt/metalk8s/deployed.sls b/salt/metalk8s/deployed.sls
index 8310ea1418..ed61a5bbad 100644
--- a/salt/metalk8s/deployed.sls
+++ b/salt/metalk8s/deployed.sls
@@ -4,6 +4,7 @@ include:
   - metalk8s.kubernetes.coredns.deployed
   - metalk8s.repo.deployed
   - metalk8s.salt.master.deployed
+  - metalk8s.addons.alert-logger.deployed
   - metalk8s.addons.prometheus-operator.deployed
   - metalk8s.addons.nginx-ingress.deployed
   - metalk8s.addons.nginx-ingress-control-plane.deployed

From 73f46cf1e28d0d1e31098a36b49e31acdfadc09b Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Mon, 8 Mar 2021 15:56:16 +0100
Subject: [PATCH 08/17] salt: Improve fluent-bit parser

Remove the date from the logs once parsed by
fluent-bit as we do not need it anymore and
it allows to improve the logs readability.
Plus, it is also need by the alert history
feature, this way we only end up with a JSON
formatted alert in logs which makes it easier
to parse/use by other components.

Refs: #3180
---
 .../logging/fluent-bit/deployed/configmap.sls      | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls b/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls
index ab64bbe076..ec3ba907d7 100644
--- a/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls
+++ b/salt/metalk8s/addons/logging/fluent-bit/deployed/configmap.sls
@@ -39,7 +39,7 @@ Create fluent-bit ConfigMap:
                 Name           tail
                 Tag            kube.*
                 Path           /var/log/containers/*.log
-                Parser         docker
+                Parser         container
                 DB             /run/fluent-bit/flb_kube.db
                 Mem_Buf_Limit  5MB
             [INPUT]
@@ -76,6 +76,10 @@ Create fluent-bit ConfigMap:
                 Remove         BOOT_ID
                 Remove         UID
                 Remove         GID
+            [FILTER]
+                Name           modify
+                Match          kube.*
+                Remove         logtag
 {%- for index in range(loki.spec.deployment.replicas) %}
             [Output]
                 Name           loki
@@ -109,7 +113,9 @@ Create fluent-bit ConfigMap:
             }
           parsers.conf: |-
             [PARSER]
-                Name        docker
-                Format      json
+                Name        container
+                Format      regex
+                Regex       ^(?<time>[^ ]+) (?<stream>stdout|stderr) (?<logtag>[^ ]+) (?<message>.+)$
                 Time_Key    time
-                Time_Format %Y-%m-%dT%H:%M:%S.%L
+                Time_Format %Y-%m-%dT%H:%M:%S.%L%z
+                Time_Keep   Off

From e0e7e1163941c4075b9893cd9e022551e67b313b Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Mon, 8 Mar 2021 16:20:31 +0100
Subject: [PATCH 09/17] salt: Update alertmanager default configuration

We now send all the alerts to the alert-logger
receiver.

Refs: #3180
---
 .../prometheus-operator/config/alertmanager.yaml     | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/salt/metalk8s/addons/prometheus-operator/config/alertmanager.yaml b/salt/metalk8s/addons/prometheus-operator/config/alertmanager.yaml
index 893c21409f..29f12b93f3 100644
--- a/salt/metalk8s/addons/prometheus-operator/config/alertmanager.yaml
+++ b/salt/metalk8s/addons/prometheus-operator/config/alertmanager.yaml
@@ -17,11 +17,13 @@ spec:
         group_wait: 30s
         group_interval: 5m
         repeat_interval: 12h
-        receiver: 'null'
+        receiver: 'metalk8s-alert-logger'
         routes:
-        - match:
-            alertname: Watchdog
-          receiver: 'null'
+        - receiver: 'metalk8s-alert-logger'
+          continue: True
       receivers:
-        - name: 'null'
+        - name: 'metalk8s-alert-logger'
+          webhook_configs:
+            - send_resolved: True
+              url: 'http://metalk8s-alert-logger:19094/'
       inhibit_rules: []

From 42fe9a6bef58fa0772476f2eff49b6321606b62e Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Mon, 8 Mar 2021 17:47:16 +0100
Subject: [PATCH 10/17] salt: Expose Loki API to metalk8s-ui

We also need to enable CORS to allow Cross Origin
requests coming from the web UI.

Refs: #3180
---
 .../addons/ui/deployed/dependencies.sls        | 18 ++++++++++++++++++
 salt/metalk8s/addons/ui/deployed/ingress.sls   | 10 ++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/salt/metalk8s/addons/ui/deployed/dependencies.sls b/salt/metalk8s/addons/ui/deployed/dependencies.sls
index 2b7615102a..20b6012d0c 100644
--- a/salt/metalk8s/addons/ui/deployed/dependencies.sls
+++ b/salt/metalk8s/addons/ui/deployed/dependencies.sls
@@ -71,3 +71,21 @@ spec:
   ports:
     - name: http
       port: 9093
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: loki-api
+  namespace: metalk8s-ui
+  labels:
+    app: metalk8s-ui
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: metalk8s-ui
+    app.kubernetes.io/part-of: metalk8s
+    heritage: metalk8s
+spec:
+  type: ExternalName
+  externalName: loki.metalk8s-logging.svc.cluster.local
+  ports:
+    - name: http
+      port: 3100
diff --git a/salt/metalk8s/addons/ui/deployed/ingress.sls b/salt/metalk8s/addons/ui/deployed/ingress.sls
index 21d9c8e3c1..f4adf238b1 100644
--- a/salt/metalk8s/addons/ui/deployed/ingress.sls
+++ b/salt/metalk8s/addons/ui/deployed/ingress.sls
@@ -51,10 +51,12 @@ metadata:
     app.kubernetes.io/part-of: metalk8s
     heritage: metalk8s
   annotations:
+    kubernetes.io/ingress.class: "nginx-control-plane"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "Access-Control-Allow-Origin"
+    nginx.ingress.kubernetes.io/enable-cors: "true"
     nginx.ingress.kubernetes.io/rewrite-target: '/$2'
     nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
-    kubernetes.io/ingress.class: "nginx-control-plane"
 spec:
   rules:
   - http:
@@ -67,6 +69,10 @@ spec:
         backend:
           serviceName: alertmanager-api
           servicePort: 9093
+      - path: /api/loki(/|$)(.*)
+        backend:
+          serviceName: loki-api
+          servicePort: 3100
 ---
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress

From 3fd62bc2125d25af98716087287aad19d0f29d0c Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Tue, 9 Mar 2021 09:37:04 +0100
Subject: [PATCH 11/17] tests: Add a scenario for alert history feature

This scenario checks that we can retrieve the
cluster alerts from the Loki API.

Refs: #3180
---
 tests/post/features/logging.feature |  5 +++++
 tests/post/steps/test_logging.py    | 31 ++++++++++++++++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/tests/post/features/logging.feature b/tests/post/features/logging.feature
index 00de2e68be..22cf38c50d 100644
--- a/tests/post/features/logging.feature
+++ b/tests/post/features/logging.feature
@@ -20,3 +20,8 @@ Feature: Logging stack is up and running
     And the Loki API is available
     And we have set up a logger pod
     Then we can retrieve logs from logger pod in Loki API
+
+  Scenario: Retrieve cluster alerts from Loki
+    Given the Kubernetes API is available
+    And the Loki API is available
+    Then we can retrieve 'Watchdog' alert from Loki API
diff --git a/tests/post/steps/test_logging.py b/tests/post/steps/test_logging.py
index 43c7293d22..40afb9b07c 100644
--- a/tests/post/steps/test_logging.py
+++ b/tests/post/steps/test_logging.py
@@ -170,7 +170,7 @@ def _check_example_log():
 
 
 @then("we can retrieve logs from logger pod in Loki API")
-def retrieve_pod_logs_from_loki(k8s_client, nodename, pod_creation_ts):
+def retrieve_pod_logs_from_loki(k8s_client, pod_creation_ts):
     query = {
         "query": '{pod="logger"}',
         "start": pod_creation_ts,
@@ -194,6 +194,35 @@ def _check_log_line_exists():
     )
 
 
+@then(parsers.parse("we can retrieve '{alertname}' alert from Loki API"))
+def retrieve_alert_from_loki(k8s_client, alertname):
+    query = {
+        "query": '{app="metalk8s-alert-logger"}',
+    }
+
+    def _check_alert_exists():
+        response = query_loki_api(k8s_client, query, route="query_range")
+        try:
+            alerts = response[0]["data"]["result"][0]["values"]
+        except (IndexError, KeyError):
+            alerts = []
+
+        alert_found = False
+        for element in alerts:
+            alert = json.loads(element[1])
+            if alert.get("labels", []).get("alertname") == alertname:
+                alert_found = True
+
+        assert alert_found, "No '{0}' alert found in Loki".format(alertname)
+
+    utils.retry(
+        _check_alert_exists,
+        times=40,
+        wait=5,
+        name="check that cluster alerts are logged in Loki",
+    )
+
+
 # }}}
 
 # Helpers {{{

From 2f41e1ce7dd72acbb146869e5a3b00e77db8db56 Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Wed, 17 Mar 2021 11:58:01 +0100
Subject: [PATCH 12/17] Add CHANGELOG entry for alert history feature

Refs: #3180
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4842427c53..61cabc22e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # CHANGELOG
 
 ## Release 2.9.0 (in development)
+### Features Added
+- [#3180](https://github.com/scality/metalk8s/issues/3180) - All alerts from
+  Alertmanager are now stored in Loki database for persistence
+  (PR[#3191](https://github.com/scality/metalk8s/pull/))
+
 ### Enhancements
 - Bump Kubernetes version to 1.20.4 (PR[#3139](https://github.com/scality/metalk8s/pull/3139))
 

From ba95694b9460b03c6c2b3e70f2bde3cd541ac368 Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Fri, 26 Mar 2021 12:00:10 +0100
Subject: [PATCH 13/17] build: Fix format:go target

We were passing a CmdAction object to target
actions, so doit was not doing anything.
We now pass the execute method of the object.
---
 buildchain/buildchain/format.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/buildchain/buildchain/format.py b/buildchain/buildchain/format.py
index a727c21d09..721d8d1df1 100644
--- a/buildchain/buildchain/format.py
+++ b/buildchain/buildchain/format.py
@@ -40,7 +40,7 @@ def format_go() -> types.TaskDict:
         "name": "go",
         "title": utils.title_with_subtask_name("FORMAT"),
         "doc": format_go.__doc__,
-        "actions": [doit.action.CmdAction(cmd, cwd=cwd)],
+        "actions": [doit.action.CmdAction(cmd, cwd=constants.ROOT).execute],
         "task_dep": ["check_for:gofmt"],
         "file_dep": list(constants.STORAGE_OPERATOR_SOURCES),
     }

From f5ede68386d675e5d0d36d0959a0286ff649763c Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Fri, 26 Mar 2021 12:31:37 +0100
Subject: [PATCH 14/17] build: Add go linting on every go file

---
 buildchain/buildchain/constants.py | 1 +
 buildchain/buildchain/format.py    | 5 ++---
 buildchain/buildchain/lint.py      | 7 +++----
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/buildchain/buildchain/constants.py b/buildchain/buildchain/constants.py
index 3246fe7b0b..8e1b5d14ad 100644
--- a/buildchain/buildchain/constants.py
+++ b/buildchain/buildchain/constants.py
@@ -130,6 +130,7 @@ def git_ref() -> Optional[str]:
 STORAGE_OPERATOR_SOURCES: FrozenSet[Path] = frozenset(
     filepath for filepath in STORAGE_OPERATOR_ROOT.rglob("*.go")
 )
+GO_SOURCES: FrozenSet[Path] = frozenset(filepath for filepath in ROOT.rglob("*.go"))
 
 # For mypy, see `--no-implicit-reexport` documentation.
 __all__ = ["ROOT"]
diff --git a/buildchain/buildchain/format.py b/buildchain/buildchain/format.py
index 721d8d1df1..40ee95f5d2 100644
--- a/buildchain/buildchain/format.py
+++ b/buildchain/buildchain/format.py
@@ -23,7 +23,6 @@ def task_format() -> Iterator[types.TaskDict]:
 
 def format_go() -> types.TaskDict:
     """Format Go code using gofmt."""
-    cwd = constants.STORAGE_OPERATOR_ROOT
     cmd = " ".join(
         map(
             shlex.quote,
@@ -31,7 +30,7 @@ def format_go() -> types.TaskDict:
                 config.ExtCommand.GOFMT.value,
                 "-s",
                 "-w",
-                *tuple(constants.STORAGE_OPERATOR_FMT_ARGS),
+                *tuple(str(path) for path in constants.GO_SOURCES),
             ],
         )
     )
@@ -42,7 +41,7 @@ def format_go() -> types.TaskDict:
         "doc": format_go.__doc__,
         "actions": [doit.action.CmdAction(cmd, cwd=constants.ROOT).execute],
         "task_dep": ["check_for:gofmt"],
-        "file_dep": list(constants.STORAGE_OPERATOR_SOURCES),
+        "file_dep": list(constants.GO_SOURCES),
     }
 
 
diff --git a/buildchain/buildchain/lint.py b/buildchain/buildchain/lint.py
index d1ca6ded48..cb2c6b65e8 100644
--- a/buildchain/buildchain/lint.py
+++ b/buildchain/buildchain/lint.py
@@ -140,14 +140,13 @@ def lint_sls() -> types.TaskDict:
 
 def check_go_fmt() -> Optional[doit.exceptions.TaskError]:
     """Check if Go code is properly formatted."""
-    cwd = constants.STORAGE_OPERATOR_ROOT
     cmd = [
         config.ExtCommand.GOFMT.value,
         "-s",
         "-d",
-        *tuple(constants.STORAGE_OPERATOR_FMT_ARGS),
+        *tuple(str(path) for path in constants.GO_SOURCES),
     ]
-    diff = subprocess.check_output(cmd, cwd=cwd)
+    diff = subprocess.check_output(cmd, cwd=constants.ROOT)
     if diff:
         return doit.exceptions.TaskError(
             msg="badly formatted Go code, please run `doit.sh format:go`"
@@ -181,7 +180,7 @@ def lint_go() -> types.TaskDict:
         "doc": lint_go.__doc__,
         "actions": [check_go_fmt, check_go_codegen],
         "task_dep": ["check_for:gofmt", "check_for:operator-sdk", "check_for:git"],
-        "file_dep": list(constants.STORAGE_OPERATOR_SOURCES),
+        "file_dep": list(constants.GO_SOURCES),
     }
 
 

From 85f71259172b0e9c3480a38c580d96446997c9c9 Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Fri, 26 Mar 2021 12:34:37 +0100
Subject: [PATCH 15/17] lint: Apply go format on all go files

---
 .../pkg/config/config_test.go                    | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/go/solution-operator-lib/pkg/config/config_test.go b/go/solution-operator-lib/pkg/config/config_test.go
index 8744e7ebfe..efce0115a6 100644
--- a/go/solution-operator-lib/pkg/config/config_test.go
+++ b/go/solution-operator-lib/pkg/config/config_test.go
@@ -21,16 +21,16 @@ func TestLoadConfigurationFromFile(t *testing.T) {
 				APIVersion: expectedAPIVersion,
 				Kind:       expectedKind,
 				Repositories: map[string][]Repository{
-					"1.0.0": []Repository{
-						Repository{
+					"1.0.0": {
+						{
 							Endpoint: "docker.io/grafana",
 							Images:   []string{"grafana:6.7.4"},
 						},
-						Repository{
+						{
 							Endpoint: "docker.io/prom",
 							Images:   []string{"prometheus:v2.16.0"},
 						},
-						Repository{
+						{
 							Endpoint: "docker.io/bitnami",
 							Images:   []string{"prometheus-operator:v0.38.1"},
 						},
@@ -45,8 +45,8 @@ func TestLoadConfigurationFromFile(t *testing.T) {
 				APIVersion: expectedAPIVersion,
 				Kind:       expectedKind,
 				Repositories: map[string][]Repository{
-					"1.0.0": []Repository{
-						Repository{
+					"1.0.0": {
+						{
 							Endpoint: "metalk8s-registry-from-config.invalid/my-solution-1.0.0",
 							Images: []string{
 								"grafana:6.7.4",
@@ -55,8 +55,8 @@ func TestLoadConfigurationFromFile(t *testing.T) {
 							},
 						},
 					},
-					"1.1.0": []Repository{
-						Repository{
+					"1.1.0": {
+						{
 							Endpoint: "metalk8s-registry-from-config.invalid/my-solution-1.1.0",
 							Images: []string{
 								"grafana:7.2.1",

From bf410da6ed7cce4ba3000ca5eab6b8be367b99b3 Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Thu, 1 Apr 2021 15:58:01 +0200
Subject: [PATCH 16/17] docs: Use ubuntu:20.04 to build doc

We need a more recent version of plantuml
to be able to build alert-history diagram
and this version is not shipped in ubuntu:18.04
---
 docs/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/Dockerfile b/docs/Dockerfile
index ac903c4ed0..60805c377f 100644
--- a/docs/Dockerfile
+++ b/docs/Dockerfile
@@ -3,7 +3,7 @@
 # NOTE: the MetalK8s repository root is supposed to be mounted at
 # `/usr/src/metalk8s` when running the container
 
-FROM docker.io/ubuntu:18.04
+FROM docker.io/ubuntu:20.04
 
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
@@ -16,8 +16,8 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
         make \
         plantuml \
         graphviz \
-        python3.6 \
         python3-buildbot-worker \
+        python3 \
         python3-pip \
         python3-setuptools \
         texlive-fonts-extra \
@@ -30,7 +30,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
 
 # NOTE: the tox package available is too old; we want tox >= 3.4, for the
 # `commands_pre` syntax
-RUN python3.6 -m pip install six==1.14.0 tox==3.14.3 && \
+RUN python3 -m pip install six==1.14.0 tox==3.14.3 && \
     rm -rf ~/.cache/pip
 
 WORKDIR /usr/src/metalk8s

From b7d65df0b3059f9987973e3274c7410168a8bec4 Mon Sep 17 00:00:00 2001
From: Alexandre Allard <alexandre.allard@scality.com>
Date: Thu, 1 Apr 2021 17:09:01 +0200
Subject: [PATCH 17/17] docs: Pre-install missing fonts in entrypoint

There is an issue with mktexpk not being able
to create a directory, so wo create these fonts
prior to launch the build.
Also fix an issue by always changing ownership
of doc build artifacts to avoid having root
owned files when doc build fails.
---
 docs/entrypoint.sh | 18 +++++++++++++-----
 eve/main.yml       |  4 +++-
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/docs/entrypoint.sh b/docs/entrypoint.sh
index 37051058a6..19d68d8ba4 100755
--- a/docs/entrypoint.sh
+++ b/docs/entrypoint.sh
@@ -1,8 +1,16 @@
 #!/bin/bash
 
-set -e
-set -u
-set -o pipefail
+BUILD_DIR=${BUILD_DIR:-/usr/src/metalk8s/docs/_build}
 
-tox --workdir /tmp/tox -e docs -- "$@" 1>&2
-chown -R "${TARGET_UID}:${TARGET_GID}" /usr/src/metalk8s/docs/_build
+change_build_ownership() {
+    chown -R "${TARGET_UID:-}:${TARGET_GID:-}" "$BUILD_DIR"
+}
+
+trap change_build_ownership EXIT
+
+for font in tctt0900 tcit0900; do
+    mktexpk --destdir "$BUILD_DIR/latex/.texlive2019/texmf-var/fonts/pk/ljfour/jknappen/ec/" \
+        --mfmode / --bdpi 600 --mag 1+0/600 --dpi 600 "$font"
+done
+
+tox --workdir /tmp/tox -e docs -- "$@"
diff --git a/eve/main.yml b/eve/main.yml
index f8186dab01..a5b32f29ca 100644
--- a/eve/main.yml
+++ b/eve/main.yml
@@ -1111,7 +1111,9 @@ stages:
           name: Build documentation with Scality theme
           command: >-
             rm -rf docs/_build &&
-            tox --workdir /tmp/tox -e docs -- html latexpdf
+            ./docs/entrypoint.sh html latexpdf
+          env:
+            BUILD_DIR: "%(prop:builddir)s/build/docs/_build"
           haltOnFailure: true
       - ShellCommand:
           <<: *copy_artifacts