TremoloSecurity / OpenUnison

Unified Identity Management
Apache License 2.0

jetstack_oidc_proxy kubectl commands fail #617

Open brackend opened 2 years ago

brackend commented 2 years ago

I've tried jetstack_oidc_proxy several times on different charts and have never been able to get SPDY commands working.

The latest attempt with the latest charts and images gives me an internal error:

I0217 21:14:29.332655 24916 loader.go:372] Config loaded from file: C:\Users\F2NI2LE.kube\config
I0217 21:14:29.337134 24916 round_trippers.go:432] GET https://ouapi.webpage/api?timeout=32s
I0217 21:14:29.337134 24916 round_trippers.go:438] Request Headers:
I0217 21:14:29.337640 24916 round_trippers.go:442] Accept: application/json, */*
I0217 21:14:29.337640 24916 round_trippers.go:442] User-Agent: kubectl.exe/v1.21.0 (windows/amd64) kubernetes/cb303e6
I0217 21:14:30.881784 24916 round_trippers.go:457] Response Status: 500 Internal Server Error in 1544 milliseconds
I0217 21:14:30.882292 24916 round_trippers.go:460] Response Headers:
I0217 21:14:30.882292 24916 round_trippers.go:463] Content-Type: text/plain; charset=utf-8
I0217 21:14:30.882292 24916 round_trippers.go:463] Content-Length: 21
I0217 21:14:30.882292 24916 round_trippers.go:463] Date: Thu, 17 Feb 2022 21:14:31 GMT
I0217 21:14:30.897731 24916 request.go:1123] Response Body: Internal Server Error
I0217 21:14:30.903191 24916 request.go:1347] body was not decodable (unable to check for Status): couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }
I0217 21:14:30.903739 24916 cached_discovery.go:121] skipped caching discovery info due to an error on the server ("Internal Server Error") has prevented the request from succeedin

The proxy logs don't change from when the pod started:

I0217 21:01:05.020353 1 dynamic_serving_content.go:131] "Starting controller" name="serving-cert::/etc/oidc/tls/crt.pem::/etc/oidc/tls/key.pem"
I0217 21:01:05.020453 1 secure_serving.go:200] Serving securely on [::]:8443
I0217 21:01:05.020541 1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0217 21:01:22.476807 1 probe.go:70] OIDC provider initialized, proxy ready

The only configuration changes I make are to enable jetstack and explicit_certificate_trust: true, and finally the ouapi ingress (Traefik).

mlbiam commented 2 years ago

I've tried jetstack_oidc_proxy several times on different charts and have never been able to get SPDY commands working.

Please provide your values.yaml

Also, what are you using for your load balancer? Does it allow the SPDY protocol?

I0217 21:14:29.332655 24916 loader.go:372] Config loaded from file: C:\Users\F2NI2LE.kube\config
I0217 21:14:29.337134 24916 round_trippers.go:432] GET https://ouapi.webpage/api?timeout=32s
I0217 21:14:29.337134 24916 round_trippers.go:438] Request Headers:
I0217 21:14:29.337640 24916 round_trippers.go:442] Accept: application/json, */*

This is coming from inside of the tremolosecurity/kube-oidc-proxy container? What distro of k8s are you using?

brackend commented 2 years ago

There is another tool used to connect through the load balancer that works fine with SPDY protocol. But I'll take a closer look at that.

orchestra:
  network:
    openunison_host: "ou.url"
    dashboard_host: "oudb.url"
    api_server_host: "ouapi.url"
    session_inactivity_timeout_seconds: 36000
    k8s_url: https://k8surl
    createIngressCertificate: false
    ingress_type: none
    ingress_annotations:
      kubernetes.io/ingress.class: nginx
    force_redirect_to_tls: false
    istio:
      selectors:
        istio: ingressgateway
    ingress_certificate: ou-tls-cert

  cert_template:
    ou: "Kubernetes"
    o: "MyOrg"
    l: "My Cluster"
    st: "State of Cluster"
    c: "MyCountry"

  image: tremolosecurity/openunison-k8s:latest (Dockerhub  Feb 2022)
  amq_image: tremolosecurity/activemq-docker:latest (Dockerhub  Feb 2022)
  myvd_configmap: "WEB-INF/myvd.conf"
  k8s_cluster_name: unique-cluster-name
  enable_impersonation: true
  myvd_configmap: myvd

  oidc:
    client_id: 
    auth_url: 
    token_url: 
    user_in_idtoken: false
    userinfo_url: 
    domain: ""
    scopes: 
    claims:
      sub: 
      email:
      given_name: 
      groups: 
      family_name: 
      display_name: 
    forceauthentication: false

  trusted_certs:
    - name: unison-ca
      pem_b64: 
    - name: unison-tls
      pem_b64: 
    - name: ldaps 
      pem_b64: 

  cert_update_image: tremolosecurity/kubernetes-artifact-deployment:1.1.0

  impersonation:
    use_jetstack: true
    jetstack_oidc_proxy_image: tremolosecurity/kube-oidc-proxy:latest (Dockerhub jan 2022)
    explicit_certificate_trust: true
    ca_secret_name: ou-tls-certificate

  openunison:
    replicas: 1
    non_secret_data:
      SHOW_PORTAL_ORGS: "true"
      K8S_DEPLOYMENT_NAME: "a cluster"
      K8S_DEPLOYMENT_DESC: "description of a cluster"
    secrets: []
    html:
      image: tremolosecurity/openunison-k8s-html:latest (Dockerhub Feb 2022)  
      logosConfigMap: custom-logos
    enable_provisioning: false
    enable_activemq: false
    az_groups: []
    precheck:
      image: tremolosecurity/python3
    use_standard_jit_workflow: true
    naas:
      forms:
        new_namespace:
          use_default: true
      workflows:
        new_namespace:
          use_default: true
      groups:
        internal:
          enabled: true
          suffix: "-internal"
        external:
          suffix: "-external"
          enabled: true
          admin_group: "CN=openunison-admins,CN=Users,DC=ent2k12,DC=domain,DC=com"
          cluster_admin_group: "CN=k8s_login_ckuster_admins,CN=Users,DC=ent2k12,DC=domain,DC=com"

  dashboard:
    namespace: "kubernetes-dashboard"
    cert_name: "kubernetes-dashboard-certs"
    label: "k8s-app=kubernetes-dashboard"
    service_name: kubernetes-dashboard
  certs:
    use_k8s_cm: false

  cert_update_image: tremolosecurity/kubernetes-artifact-deployment:1.1.0

  network_policies:
    enabled: false
    ingress:
      enabled: true
      labels:
        app.kubernetes.io/name: ingress-traefik
    monitoring:
      enabled: true
      labels:
        app.kubernetes.io/name: monitoring
    apiserver:
      enabled: false
      labels:
        app.kubernetes.io/name: kube-system

  services:
    enable_tokenrequest: false
    token_request_audience: api
    token_request_expiration_seconds: 36000
    node_selectors: []
    pullSecret: ""

brackend commented 2 years ago

chart | version
-- | --
openunison-operator | 2.0.4
orchestra | 2.5.0
orchestra-login-portal | 2.2.2

mlbiam commented 2 years ago

network:
  ingress_type: none
  ingress_annotations:
    kubernetes.io/ingress.class: nginx

what Ingress type are you using? Is the chart generating any Ingress objects? Are you using Traefik? Can you post your Ingress object?

brackend commented 2 years ago

Yes, Traefik.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: openunison
    argocd.argoproj.io/instance: orchestra
  name: ingress-openunison
  namespace: openunison
spec:
  rules:
    - host: ou.url
      http:
        paths:
          - backend:
              serviceName: openunison-orchestra
              servicePort: 443
            path: /
            pathType: ImplementationSpecific
          - backend:
              serviceName: openunison-orchestra
              servicePort: 80
            path: /
            pathType: ImplementationSpecific
    - host: oudb.url
      http:
        paths:
          - backend:
              serviceName: openunison-orchestra
              servicePort: 443
            path: /
            pathType: ImplementationSpecific
          - backend:
              serviceName: openunison-orchestra
              servicePort: 80
            path: /
            pathType: ImplementationSpecific
    - host: ouapi.url
      http:
        paths:
          - backend:
              serviceName: kube-oidc-proxy-orchestra
              servicePort: 443
            path: /
            pathType: ImplementationSpecific
          - backend:
              serviceName: kube-oidc-proxy-orchestra
              servicePort: 80
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - ou.url
        - oudb.url
        - ouapi.url
      secretName: ou-tls-certificate
status:
  loadBalancer:
    ingress:
      - hostname: >-
          internal

brackend commented 2 years ago

Looked up about ingress on your prompting and saw this comment, "but since AWS ALBs do not support the SPDY protocol". To make it worse, the ingress is classic.

mlbiam commented 2 years ago

AWS ALB doesn't support SPDY; classic does though, I think. Is TLS hosted by your load balancer or by your Ingress controller?

brackend commented 2 years ago

That would make sense, given it operates at layer 4.
Hosted on the ingress controller. I might try removing the TLS entries as it should be handled by the controller.

mlbiam commented 2 years ago

It looks OK. It doesn't appear that requests are making it to your kube-oidc-proxy pod. I'm going to get Traefik added as a first-class citizen over the weekend. Can't imagine it will be that hard.

mlbiam commented 2 years ago

Tracked down the issue. kube-oidc-proxy only provides healthchecks over HTTP. The API proxy is only served on HTTPS. Will get new charts and docs published tomorrow.

mlbiam commented 2 years ago

This is turning out to be much more painful than I thought. Even though Traefik is supposed to use SPDY and has a patch to downgrade to HTTP 1.1 when it sees the upgrade header, the version I'm using won't. What version of Traefik are you running? I'm also getting different results from trying to get Traefik 1.7 vs 2.x working.

brackend commented 2 years ago

chart: traefik-traefik-10.9.1 v2.5.7

mlbiam commented 2 years ago

Assuming you don't need any customization, you'll need to:

  1. Either configure Traefik to trust the unison-tls Secret in the openunison namespace OR configure Traefik to skip verification of downstream certs
  2. Switch your repo from tremolo to tremolo-betas
  3. Make sure your orchestra chart is at 2.7.0
  4. Set network.ingress_type: traefik

This assumes that your insecure entrypoint is called web and your secure entrypoint is called websecure. If you want you can customize these values:

network:
  traefik:
    secure: true
    entrypoints:
      plaintext: web
      tls: websecure

I'm going to work on instructions on how to expose the Traefik dashboard securely.
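As an added illustration of step 1 and of the HTTPS-only backend described above (not from the thread or the OpenUnison charts): a Traefik v2 ServersTransport that verifies the kube-oidc-proxy certificate against a trusted CA, with the "skip verification" alternative shown commented out, and an IngressRoute that sends ouapi traffic to the proxy over TLS on port 443. Assumed: CRD group traefik.containo.us/v1alpha1, entrypoint name websecure, the serverName value, and that the referenced Secret carries the CA under a key Traefik reads (tls.ca or ca.crt).

```yaml
# Added example; names marked "assumed" are not from the thread.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: openunison-backend-tls      # assumed name
  namespace: openunison
spec:
  # Hostname Traefik expects in the backend certificate (assumed value).
  serverName: kube-oidc-proxy-orchestra.openunison.svc
  # Preferred option from step 1: verify the backend against the unison-tls CA.
  # The Secret must expose the CA under tls.ca or ca.crt (assumed requirement).
  rootCAsSecrets:
    - unison-tls
  # Weaker option from step 1: accept any backend certificate. This leaves the
  # ingress-to-proxy hop unauthenticated; use only when the CA cannot be trusted.
  # insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ouapi                        # assumed name
  namespace: openunison
spec:
  entryPoints:
    - websecure                      # TLS entrypoint; kubectl's SPDY upgrade stays on HTTPS
  routes:
    - match: Host(`ouapi.url`)
      kind: Rule
      services:
        - name: kube-oidc-proxy-orchestra
          port: 443                  # the API is served on HTTPS only; no port 80 backend
          scheme: https
          serversTransport: openunison-backend-tls
  tls:
    secretName: ou-tls-certificate
```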

mlbiam commented 2 years ago

Here's how to expose the dashboard:

  1. Enable the dashboard and API in Traefik
  2. Create a Service to port 9000
  3. Add the following to your deployment, with customizations as noted:

---
apiVersion: openunison.tremolo.io/v1
kind: Application
metadata:
  name: traefik-dashboard
  namespace: openunison
spec:
  azTimeoutMillis: 3000
  isApp: true
  urls:
  - hosts:
    - "#[OU_HOST]"
    filterChain: []
    uri: "/dashboard"
    proxyTo: "http://traefik-dashboard.kube-system.svc:9000${fullURI}"
    authChain: login-service
    azRules:
    - scope: filter
      constraint: (groups=admins)
    results:
      azFail: default-login-failure
  - hosts:
    - "#[OU_HOST]"
    filterChain: []
    uri: "/api"
    proxyTo: "http://traefik-dashboard.kube-system.svc:9000${fullURI}"
    authChain: login-service
    azRules:
    - scope: filter
      constraint: (groups=admins)
    results:
      azFail: default-login-failure
  cookieConfig:
    sessionCookieName: tremolosession
    domain: "#[OU_HOST]"
    secure: true
    httpOnly: true
    logoutURI: "/logout"
    keyAlias: session-unison
---
apiVersion: openunison.tremolo.io/v1
kind: PortalUrl
metadata:
  name: traefik-dashboard
  namespace: openunison
spec:
  label: Dashboard
  org: B158BD40-0C1B-11E3-8FFD-0800200C9A66
  url: https://#[OU_HOST]/dashboard/
  icon: 
  azRules:
  - constraint: (groups=admins)
    scope: filter

You'll want to make the following customizations:

Location | Description | Example
-- | -- | --
Application/traefik-dashboard | |
spec.urls[0].proxyTo | The URL inside your cluster for the dashboard, based on the Service created above; example is based on a Civo standard deployment | "http://traefik-dashboard.kube-system.svc:9000${fullURI}"
spec.urls[0].azRules[0].constraint | A group that is allowed to access the dashboard, assuming you don't want everyone to have access | (groups=admins)
spec.urls[1].proxyTo | The URL inside your cluster for the dashboard, based on the Service created above; example is based on a Civo standard deployment | "http://traefik-dashboard.kube-system.svc:9000${fullURI}"
spec.urls[1].azRules[0].constraint | A group that is allowed to access the dashboard, assuming you don't want everyone to have access | (groups=admins)
PortalUrl/traefik-dashboard | |
spec.azRules[0].constraint | A group that is allowed to access the dashboard, assuming you don't want everyone to have access | (groups=admins)

If all goes well, when you log in with the appropriate permissions you'll see:

(image)

brackend commented 2 years ago

Jetstack proxy working! I'll share a couple of comments once I get a moment.